
WAF Logs to external syslog



Hi,

We want to send WAF logs to our external syslog server. We bound a syslog audit policy to our virtual server, but the logs are not sent to our syslog server.

Some months ago, I did the logging with a globally bound audit policy, but the HA synchronisation did not work: the secondary node kept restarting. This is a known issue.

 

Is there any other way to get the logs sent to syslog, without binding the audit policy globally?


If you can't bind globally, you can create an audit policy for the external destination and bind it to just the vservers you require. This will avoid system-wide events, but all audited events per vserver will log to the destination specified.

Also, are you keeping the syslog audit parameters local and using an additional policy bound globally for external logging? Is the bug affecting you for any globally bound audit policy?

 

 

You can also split appfw into its own log if you want appfw events only. It may not solve the global binding issue, but if you just want appfw logs it may give you some other options.

https://support.citrix.com/article/CTX138973


27 minutes ago, Rhonda Rowland1709152125 said:

If you can't bind globally, you can create an audit policy for the external destination and bind it to just the vservers you require. This will avoid system-wide events, but all audited events per vserver will log to the destination specified.

Also, are you keeping the syslog audit parameters local and using an additional policy bound globally for external logging? Is the bug affecting you for any globally bound audit policy?

 

 

 


I tried to bind the audit policy to the vserver, but WAF events are not logged. (The audit action is set to informational level logging and above.)

 

The WAF events are recorded locally to ns.log. The bug affects external syslog servers that are bound globally.


Confirm the WAF logging has not been split out (according to the article in the second note above).

 

Which firmware are you on? And are you seeing other events in the log, just not the appfw ones?

Feel free to share the audit policy minus IP.

 

Can you confirm you are seeing WAF events in the local log, as typically only violations are logged and NOT valid requests?

And confirm logging for violations is enabled in AppFirewall.

 

If your issue is a bigger general syslog failure, then you will need support or a different version. But if it's just a config issue, we might figure it out.


Thanks for your help. I use build version 13.0 82.27.

I checked the syslog.conf and can confirm it is configured by default. No split out of appfw events.

 

My audit policy:

> sho audit syslogPolicy audit_lnxsyslog
        Name: audit_lnxsyslog   Rule: true
        Action: lnxsyslog


        Policy is bound to following entities
1)      Bound to: REQ VSERVER vs_auth_nFactor_Gateway
        Priority: 100

2)      Bound to: REQ VSERVER vs_auth
        Priority: 100


        Policy is bound to following entities
1)      Bound to: REQ VSERVER lb_hks_SSL_443
        Priority: 100

My audit action:

> sh audit syslogAction
1)      Name: lnxsyslog
        Server IP: 10.105.26.215
        Port: 514
        Loglevel : EMERGENCY ALERT CRITICAL ERROR WARNING NOTICE INFORMATIONAL
        Date Format: YYYYMMDD
        Time Zone: LOCAL_TIME
        Facility: LOCAL0
        Tcp Logging: NONE
        ACL Logging: DISABLED
        LSN Logging: DISABLED
        ALG Logging: DISABLED
        Subscriber Logging: DISABLED
        DNS Logging: DISABLED
        ContentInspection Log: DISABLED
        Transport: UDP
        UserDefinedLogging: NO
        AppFlow export: DISABLED
        SSL Interception: DISABLED
        URL Filtering: DISABLED

I connected Citrix ADM to my ADC. AppFlow is also configured for security events. In ADM I see the appfw events, but not on my syslog server.

 

I searched my ns.log files and found appfw events, for example this event. Other vserver, but a local event:

Nov 20 16:07:05 <local0.info> 90.x.x.134 CEF:0|Citrix|NetScaler|NS13.0|APPFW|APPFW_POLICY_HIT_BUILTIN|6|src=92.118.160.1 geolocation=Unknown spt=0 method=GET request=https://adfs.mydomain.de/ msg=Application Firewall profile invoked cn1=2987316 cn2=11691249 cs1=APPFW_BLOCK cs2=PPE0 cs4=ALERT cs5=2021 act=blocked 

This event isn't available on my syslog server.

 

Because at the moment there are no violations against our production system, I created for another vServer an appfw with starturl configured.

 

In my ns.log the events are reported:

 

Nov 21 11:33:38 <local0.info> 90.x.x.x CEF:0|Citrix|NetScaler|NS13.0|APPFW|APPFW_STARTURL|6|src=217.84.205.151 geolocation=EU.DE.Nordrhein-Westfalen.*.Lhne.* spt=17863 method=GET request=https://token.mydomain.de/blackshieldss/O/X8FTH6V43M/index.aspx msg=Disallow Illegal URL. cn1=2862384 cn2=12950385 cs1=appfw_test cs2=PPE1 cs4=ALERT cs5=2021 act=blocked

 

Before accessing the website, I also bound the audit syslog policy to that vserver, and yes, again no events are forwarded to my syslog server. On my syslog server, I only see AAATM events.

 

Now, for a short test, I bound the audit policy globally, and yes, the events are sent to my syslog server.

For whatever reason, the audit policy bound to the vserver doesn't send appfw events to my syslog server.
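To check what actually arrives at an external receiver, here is an added Python example (not from the thread and not Citrix code) that parses the NetScaler CEF AppFW lines quoted above and counts APPFW events separately from everything else. The first two sample lines are the ns.log lines from this post (IPs partly redacted as in the post); the third is a constructed non-CEF placeholder standing in for an AAATM line.

```python
import re
from collections import Counter

# Constructed sample input: the two ns.log CEF lines quoted above plus one placeholder non-CEF line.
SAMPLE_NS_LOG = [
    "Nov 20 16:07:05 <local0.info> 90.x.x.134 CEF:0|Citrix|NetScaler|NS13.0|APPFW|APPFW_POLICY_HIT_BUILTIN|6|src=92.118.160.1 geolocation=Unknown spt=0 method=GET request=https://adfs.mydomain.de/ msg=Application Firewall profile invoked cn1=2987316 cn2=11691249 cs1=APPFW_BLOCK cs2=PPE0 cs4=ALERT cs5=2021 act=blocked ",
    "Nov 21 11:33:38 <local0.info> 90.x.x.x CEF:0|Citrix|NetScaler|NS13.0|APPFW|APPFW_STARTURL|6|src=217.84.205.151 geolocation=EU.DE.Nordrhein-Westfalen.*.Lhne.* spt=17863 method=GET request=https://token.mydomain.de/blackshieldss/O/X8FTH6V43M/index.aspx msg=Disallow Illegal URL. cn1=2862384 cn2=12950385 cs1=appfw_test cs2=PPE1 cs4=ALERT cs5=2021 act=blocked",
    "Nov 21 11:30:02 <local0.info> 90.x.x.x AAATM PLACEHOLDER : constructed non-CEF line, not a real NetScaler message",
]

CEF_START = re.compile(r"CEF:(\d+)\|")
SYSLOG_PRIO = re.compile(r"<(\w+)\.(\w+)>")


def parse_cef(line):
    """Return a dict for a CEF event, or None if the line is not CEF.
    Simplification: escaped pipes (\\|) inside header fields are not handled."""
    m = CEF_START.search(line)
    if not m:
        return None
    # CEF header: Version|Vendor|Product|DeviceVersion|EventClassID|Name|Severity|Extension
    header = line[m.start():].split("|", 7)
    if len(header) < 8:
        return None
    prio = SYSLOG_PRIO.search(line[: m.start()])
    ext = {}
    # Extension values may contain spaces (e.g. msg=...), so split only before the next key=
    for token in re.split(r"\s+(?=\w+=)", header[7].strip()):
        key, _, value = token.partition("=")
        ext[key] = value
    return {
        "facility": prio.group(1) if prio else None,
        "vendor": header[1], "product": header[2], "device_version": header[3],
        "signature_id": header[4], "name": header[5], "severity": int(header[6]),
        "ext": ext,
    }


def appfw_summary(lines):
    """Count APPFW events (by name and blocked action) in a batch of received syslog lines.
    An empty result while AAATM lines are present means the WAF events are not reaching the receiver."""
    by_name, blocked = Counter(), 0
    for line in lines:
        ev = parse_cef(line)
        if ev and ev["signature_id"] == "APPFW":
            by_name[ev["name"]] += 1
            blocked += ev["ext"].get("act") == "blocked"
    return {"total": sum(by_name.values()), "blocked": blocked, "by_name": dict(by_name)}


if __name__ == "__main__":
    print(appfw_summary(SAMPLE_NS_LOG))
```

Feed it the lines as received on the syslog server rather than ns.log to compare the two sides; a receiver that only ever yields AAATM lines reproduces the symptom described in the post.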


Your AppFw logs are currently in CEF format. If you change them back to standard syslog, do they show up? So is the issue that appfw syslogging isn't reporting, or is the syslog server not displaying the non-standard CEF events? (Unlikely this is the problem given your other test case, just making sure.) AppFw log format is under AppFw Engine Settings (appfw parameters).

 

Are you testing the appfw syslog against the LB vserver or the vpn/aaa vservers? AppFw isn't running against aaa/vpn. If the lb vserver is integrated with AAA, then appfw is processed after the logon attempt and not before.

 

It may still be a bug and have nothing to do with what I suggested. If so, you may have to go through support as it may be a build specific issue. Hopefully someone else can confirm.


15 hours ago, Rhonda Rowland1709152125 said:

Your AppFw logs are currently in CEF format. If you change them back to standard syslog, do they show up? So is the issue that appfw syslogging isn't reporting, or is the syslog server not displaying the non-standard CEF events? (Unlikely this is the problem given your other test case, just making sure.) AppFw log format is under AppFw Engine Settings (appfw parameters).

 

Are you testing the appfw syslog against the LB vserver or the vpn/aaa vservers? AppFw isn't running against aaa/vpn. If the lb vserver is integrated with AAA, then appfw is processed after the logon attempt and not before.

 

It may still be a bug and have nothing to do with what I suggested. If so, you may have to go through support as it may be a build specific issue. Hopefully someone else can confirm.

 

Thanks for your help. Our syslog server understands CEF; that's OK. After binding the policy globally, I can see the appfw logs in our syslog server.


I'm glad you're getting something. You still might need to log a bug, as it seems version specific.

 

So if you bind the policy to the global system object, it does not impact the ha/reboot issue (but the global audit policy being non-local caused the problem)?

And are you currently getting the logging you need, or is there still an issue? Just confirming - I lost track in there :)


10 hours ago, Rhonda Rowland1709152125 said:

So if you bind the policy to the global system object, it does not impact the ha/reboot issue (but the global audit policy being non-local caused the problem)?

 

Sorry, I don't understand what you mean by system object. I only know "Auditing Syslog Advanced Policy Global Binding":

> sh audit syslogGlobal
1)      Policy Name: SETSYSLOGPARAMS_ADV_POL
        Priority: 2000000000
        GlobalType: SYSTEM_GLOBAL

 Done

 

10 hours ago, Rhonda Rowland1709152125 said:

And are you currently getting the logging you need, or is there still an issue? Just confirming - I lost track in there :)

 

Logging is only working if the audit syslog policy is bound globally. Because of the issue with HA / reboot, we cannot bind the policy at the moment.

Do you get appfw logs to syslog, if you bind the policy to a vServer and not globally?
