Jump to content
Welcome to our new Citrix community!

Filter data sent to external SYSLOG server


Tom Swift

Recommended Posts

We want to reduce the amount of data sent to our external SYSLOG server from a Citrix Netscaler (ADC) 13.1.  Currently the storage requirement is about 100mb per day.  Is there a way in the CLI to set a filter so that only events with specific data are sent out?  For example, we'd like to know if there are logon failures so if a line contains "Authentication is rejected for" we'd like that sent to the external SYSLOG server, but everything else is dropped.

 

Apr 13 20:37:20 MYCORP 04/14/2022: 03:37:18 GMT ns 0-PPE-0 : default AAA Message 13075368 0 : "Authentication is rejected for JOEUSER (client ip : 216.254.108.50 , vserver ip: 192.168.1.22 ), extended error, if any : "

Link to comment
Share on other sites

Syslog log destinations and log details are controlled by either the global syslog parameters (default syslog for all system to local destination) or additional syslog policy/actions.

All syslog logging policies are based on "true" expression, so the scope of what is included is based on bind point. You can bind sylog policies to the global system object to enable logging of all syslog to remote syslog server (in addition to local logging) or bind a syslog audit policy to specific vservers to log traffic for that entity to a specific location.

 

Most syslog filtering is done by the logging level inside the policy action, choose the log level as info, warning, error etc...

But syslog itself doesn't filter based on type of message.  The external syslog can impose a filter.

 

Switching to SNMP traps for certain events may help. But mostly you log and then cull the log output.

 

 

Link to comment
Share on other sites

You could set up a SYSLOG LB to represent your syslog target, then create multiple policies with varying levels of verbosity to bind at various places.

 

Or you could hack syslog.conf (which i think is unsupported). I am 99% sure if you whack it in /nsconfig it automatically gets copied to /etc on boot for you (if not use rc.netscaler to copy it for you)

 

The filter function will be your friend there.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...