Jump to content
Welcome to our new Citrix community!

Unable to collect Citrix Netscaler and ADC HTTP logs via syslog and NSWL

Greg March

Recommended Posts



I'm looking to onboard the HTTP logs from citrix gateway and ADC appliances into a SIEM. From the documentation the built in syslog function doesn't seem to support this.


I've tried to use the NSWL client but I'm not having any luck. The client connects successfully using the nsroot account but It isn't pulling any logs. Does anybody have any suggestions?




Link to comment
Share on other sites

The NSWL client requires:

1) To be the same version as the NS firmware (share your versions in case there is a bug)

2) Must be configured with the NSIP and not a SNIP. Needs superuser rights and depending on version requires nsroot and password.

3) WebLogging feature must be enabled (but it is enabled by default)


When you configure the NSWL client, communication from NS to nswl client will default to 3011 from NSIP to client destination.  ACLs, routes, or firewall rules could impact this.


For the NSWL configuration:

1) Keep things simple as there are some things that can throw off output depending on firmware version in use.

2) Extract the NSWL client to a folder (preferably without spaces to get started).  For Windows, example:  c:\nswl where the executable is in c:\nswl\bin\nswl.exe and the conf file is in c:\nswl\etc\log.conf.  (Once things are "working" you can look at adjusting this.)

I would create a directory c:\nswl\LOGS\ for output files during the test phase (again this can be updated later).

3) From cmd prompt (if windows), configure the conf file with mostly default settings just to see if it works and then you can deal with output locations and log filters later:


# change working directory

cd c:\nswl\LOGS\

# configure conf file:

c:\nswl\bin\nswl.exe -addns -f c:\nswl\etc\log.conf

# enter the NSIP and the nsroot and password; this command will update the file. If an HA pair, add the NSIP for both members of HA pair to the same file.

# Then test the log output

c:\nswl\bin\nswl.exe -start -f c:\nswl\etc\log.conf


# while this is running, go direct traffic against one of your lb vservers and the log output should be caught by the default filter.

# CTRL+C to stop capture when done

Your debug nswl command output will be in the c:\nswl\LOGS\ directory as nswl.log-<datestamp>.

The default nswl logs will be in the c:\nswl\LOGS\ directory with EX<date> in the name.


Once you confirm it is or isn't working, then you focus on the log output and paths etc...


You can also try:

c:\nswl\bin\nswl.exe -help

c:\nswl\bin\nswl.exe -verify -f c:\nswl\etc\log.conf  #<< tests if file is configured right; only validates overt issues.

Or changing the debug parameter from 1 (default) to 3 when executing any command with the parameter -d 3 in any of the executions above

  • Like 2
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...