Jump to content
Welcome to our new Citrix community!

Customized syslog messages

Recommended Posts

Good day, colleagues.

I need send syslog messages in special format to the special syslog server.


I configured my VPX in accordance with https://docs.citrix.com/en-us/citrix-adc/current-release/system/audit-logging/configuring-audit-logging.html "Configuring policy-based logging".

But I don't see this messages in my server.


My configuration in the attach.

I am confused by the zero value of Hits and the non-zero value of Undef Hits on the messageAction.


What I am doing wrong?


NetScaler NS13.1: Build 12.51.nc


Best Regards,

Ihar Harbuz.



Link to comment
Share on other sites

The Undefined hits mean something in the action is invalid to parse and its generating an UNDEF result so action is likely not performed. If one of the expressions you are combining can't compute, it will generate an UNDEF result and action will not continue. 

So, I played with this in the evaluator to see if missing elements would trip the UNDEF.  I had to make all "client" objects literal strings because NO IP/Ports in the evaluator.

A missing  referer header returned a null string, but would still work. A missing DATE header returned UNDEF.   Also note, this expression (without the client packet info), takes 2 seconds to evaluate.


It may be one or more objects you are parsing don't exist, so that is causing the logaction to fail.


You also might consider using NSWL for web transaction logs and exporting that to a different output server (running the NSWL agent)and forward that instead of using syslog policy hits.  





  • Like 2
Link to comment
Share on other sites

Thank you. You are right.

I replaced HTTP.REQ.DATE to SYS.TIME.TYPECAST_TIME_AT and it worked.


I have got one more question.

How can I filter syslog messages only from my messageAction/rewrite policy?

The GUI don't have rule field for syslogPolicy, CLI have it, but I didn't find any Advanced rules to get policyName, and SYS.VSERVER() don't want to be added in the syslogPolicy rule.

I set logLever for both messageAction and syslogAction to WARNING to filter syslog messages, but I think it's wrong decision.


Best Regards,

Ihar Harbuz.

Link to comment
Share on other sites

18 hours ago, Ihar Harbuz1709162483 said:

How can I filter syslog messages only from my messageAction/rewrite policy?

I don't understand exactly what you mean.


18 hours ago, Ihar Harbuz1709162483 said:

The GUI don't have rule field for syslogPolicy, CLI have it, but I didn't find any Advanced rules to get policyName, and SYS.VSERVER() don't want to be added in the syslogPolicy rule.

I set logLever for both messageAction and syslogAction to WARNING to filter syslog messages, but I think it's wrong decision

I also don't know what you mean here. I think you are confusing the logaction which logs on policy hit and syslog policy/actions.


Syslog Policies and Actions are created in GUI under System >> Auditing > Syslog Polices (and Actions).  

System >> Auditing:: <right pane> is the global syslog and nslog parameters which is the default logging behavior for local logging.

If you look in the left pane under the System >> Auditing (node):: left pane, you will have the option to define custom syslog and nslog actions (aka servers) and policies.

These allow you to specify additional logging destinations and log details.


A feature like responder or rewrite has a logaction field.  When policy expression is true, the features's action will be performed (like drop or redirect traffic) AND if a log action is specified, the log action will be performed.


A syslog policy/action defines an additional logging location and log details to include.  Syslog policies bound globally, capture all the same traffic as the default syslog but can log to additional locations (aka more than one logging policy applies like a cascade).  Syslog policies can also be bound to specific vservers (or aaa users or aaa groups for gateway) and will then only log events affecting that vserver.


So a log action in a feature is a message to log on policy hit. A Syslog Policy/Action is a logging destination and log messages to include.


Additional info:


By default, your global syslog policy/action logs all system-wide syslog events to the localhost syslog.

If you create additional syslog policy/actions, you can then log to alternate locations.  The action can contain alternate syslog output destinations.


If you bind, a syslog policy to the global system object it will log all eveents system wide to the syslog action destination. If more than one policy bound or policy AND the default logging parameters, you will log to multiple places.


If you bind a syslog policy to a specific vserver, then that policies logging level and destination will only include events on that vserver (in addition to global).


If what you want to do is a have a log output for just these custom events on this vserver separate from your regular syslog:

1)  Leave the regular syslog action to log to localhost and leave "user configurable log messags" off.

2) create a new syslog action to a remote syslog server IP, with user configurable log messages ON, and possibly a specific log facility different than facility 0. Create a syslog policy and bind this to the specific vserver where your policy with log action is bound.  You will then capture any vserver syslog events plus the custom log action on this one vserver to the specific location you have in your action and your regular default syslog parameters will handle regular logging.


IF you meant something else, please clarify.


Addidtional Syntax questions:

policyName, and SYS.VSERVER()...


Again, I'm not sure what you are trying to do to get you better info.

If you have a specific log action on a given policy/feature, you will have to hardcode the policy name in the log action. There's not a general logaction that includes its own policy name.

To extract a vserver name, 1) either bound specific logactions (messages to log) to specific vservers and hardcode this or 2) use the CLIENT object to get to traffic vserver name. I think its either client.tcp.vserver or something similar, instead of SYS object.


Final thoughts:

The ADC has predefined events that log to syslog in a standard syslog format.

You can incorporate new messages into it; but you can't redefine the default syslog format.  Right now, you are using a policy hit to trigger specific message logging amidst the regular syslog auditing going on.


NSWL web transaction logs can report web transactions in NCSA, W3C, and W3C extended formats and output to an NSWL component.  Mentioned in the System section of the ADC admin guide.


IF this doesn't help, please explain what you want to capture and we'll see if there is a better way to get the final result.











Link to comment
Share on other sites

I mean to send on one syslog server only customized messaged and only from the concrete vserver.

And all normal syslog messages (standard) in the ADM and other syslog servers.


About bindings syslog policy to the vserver:

> add syslogPolicy syslog_test_Default true KDP_syslog


> bind cs vserver cs-ssl -policyName syslog_test_Default -type REQUEST -priority 100

ERROR: The Advanced Policy cannot be bound to a CS vserver


> add syslogPolicy syslog_test_Classic ns_true KDP_syslog

Warning: Classic policy expressions are deprecated, are not supported, and will be removed in the next major release - use Default (Advanced) policy expressions instead; the nspepi utility may be helpful in conversion


> bind cs vserver cs-ssl -policyName syslog_test_Classic -type REQUEST -priority 100

ERROR: Flowtype and invoke apply only to Advanced policies.


I couldn't do it.

Link to comment
Share on other sites

Which version of firmware are you on?  (I'm still seeing adv syslog policy bindings as a a limitation even on to cs vservers which is odd.)

Does your cs vserver currently use classic-based cs policies or advanced-based cs policies?  (Its also possible that this might be a factor.)


Your problem is your syntax for binding classic engine policies is wrong.

If you do it in the GUI it should work and corrected command for CLI:

bind cs vserver cs-ssl -policyName syslog_test_classic -priority 100 

Omit the flow type request in the syntax. As that is what the syntax error is complaining about, the flow and invoke statements only work on an advanced policy. Request is assumed on the cs policy classic engine.


Additional Note:

However, you may have to be all classic syslog policies global/cs/lb and not mix and match classic and advanced until you have an option to use advanced policies on this cs vserver too.  


Edited by Rhonda Rowland
Added note
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
  • Create New...