
Citrix ADC syslog not reaching data collectors


Ramesh Vedam


Can someone shed light on where the issue could be?

We have set up syslog (Citrix NetScaler - IBM Documentation) from Citrix ADC to send to our log collector. We are not seeing any syslogs coming into the collector. There is no FW between them, and we did a tcpdump on the data collector but nothing was seen. The port (514) is open.

Is there anything else we need in terms of configuring syslogs? Are there any known issues or config required to send syslogs?


Hi Ramesh,

Offloading to a central syslog server is usually pretty straightforward. The only thing I can think of is that you created the policy and associated action, but maybe forgot to bind it? If the policy is not bound, then of course it will not hit and nothing will happen.

You can bind a policy in the GUI via System > Auditing > Syslog Auditing, click on the dropdown list and choose one of the Global Bindings options (depending on whether you have a classic or advanced policy). Check out https://docs.citrix.com/en-us/citrix-adc/current-release/system/audit-logging/configuring-audit-logging.html for more detailed documentation about Audit logging.

 

To check whether your policy is hitting, you can verify this in the newnslog on the shell with the following command:

nsconmsg -K /var/nslog/newnslog -d current -g hits

Hope this helps.

 

Cheers,

G.


We ran into an issue with a 12.1 build where the source IP was the loopback address and not the NSIP of the ADC/SDX, so Splunk engineers did not always receive syslog data.

Live tcpdump from the SDX showed that the syslog data was being sent, so it was a noodle scratcher.

# tcpdump -X dst host <host-IP> and port 514

I then took a trace, which showed the source IP as the loopback, and we did a workaround (below); the other option was to upgrade to 13.1.

# tcpdump -w /var/log/syslog_test.pcap host <host-IP>

 

Shell

/usr/bin/killall syslogd

/usr/sbin/syslogd -n -v -v -8

exit
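The source-address check described in the post above can be run over a capture file offline. This is an added example, not part of the original post or any Citrix tooling: it assumes a classic pcap file with Ethernet framing, and the 192.0.2.x addresses and the sample capture are constructed for illustration.

```python
import ipaddress
import struct
from collections import Counter

def syslog_sources(pcap: bytes, port: int = 514) -> Counter:
    """Count IPv4 source addresses of UDP datagrams sent to `port`."""
    if pcap[:4] == b"\xd4\xc3\xb2\xa1":
        end = "<"                      # little-endian capture file
    elif pcap[:4] == b"\xa1\xb2\xc3\xd4":
        end = ">"                      # big-endian capture file
    else:
        raise ValueError("not a classic pcap file")
    if struct.unpack(end + "I", pcap[20:24])[0] != 1:
        raise ValueError("only Ethernet (linktype 1) captures are handled")
    counts, off = Counter(), 24        # records start after the 24-byte header
    while off + 16 <= len(pcap):
        incl_len = struct.unpack(end + "I", pcap[off + 8:off + 12])[0]
        frame = pcap[off + 16:off + 16 + incl_len]
        off += 16 + incl_len
        if len(frame) < 34 or frame[12:14] != b"\x08\x00":
            continue                   # truncated frame or not IPv4
        udp = 14 + (frame[14] & 0x0F) * 4   # Ethernet header + IPv4 header length
        if frame[23] != 17 or len(frame) < udp + 8:
            continue                   # not UDP
        if struct.unpack("!H", frame[udp + 2:udp + 4])[0] == port:
            counts[str(ipaddress.IPv4Address(frame[26:30]))] += 1
    return counts

def loopback_sources(counts) -> list:
    """Loopback addresses seen among the syslog senders."""
    return sorted(s for s in counts if ipaddress.ip_address(s).is_loopback)

def sample_pcap() -> bytes:
    """Constructed capture: two datagrams from 127.0.0.1, one from 192.0.2.10."""
    def record(src: str) -> bytes:
        msg = b"<134> constructed test message"
        udp = struct.pack("!HHHH", 514, 514, 8 + len(msg), 0) + msg
        ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address("192.0.2.50").packed)
        frame = b"\x00" * 12 + b"\x08\x00" + ip + udp
        return struct.pack("<IIII", 0, 0, len(frame), len(frame)) + frame
    header = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    return header + record("127.0.0.1") + record("192.0.2.10") + record("127.0.0.1")

if __name__ == "__main__":
    found = syslog_sources(sample_pcap())
    print(found, "loopback:", loopback_sources(found))
```

For a real trace, pass the bytes of the file written by `tcpdump -w` (for example `open("/var/log/syslog_test.pcap", "rb").read()`) to `syslog_sources` instead of the constructed sample.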