
I would like to ask you about the NetScaler Syslog configuration.

I would like to ask you about the NetScaler Syslog configuration.
We are currently sending everything to a QRadar and the configuration we have is as follows.

But QRadar is not seeing all the traffic coming into the NetScaler.

What we are interested in getting are the public IPs consuming the exposed NetScaler services. Does NS leave a log with this data?

We have Citrix ADC 8905 in HA version 12.1 63.23


Thank you so much!



Is your audit policy bound to the global system object?


Usually, if you have the audit parameter still set to the local syslog and the additional audit policy set to your external server and bound to the global object, then you should be able to compare that the local syslog and the external syslog have the same information. If your audit policy is bound to only specific vservers, you will get less information.


Additional logging types are at the bottom of the log action.



Policies are only in effect if they are bound. If you are in the GUI > Auditing > Syslog Policies, select your policy and click "show bindings".


Or share the full policy config from the command line.

And clarify what you want the syslog to grab, because maybe syslog isn't what you need.


You can view the local syslog from SSH:


cd /var/log 

tail -f ns.log

# Current file is in /var/log/ns.log and past log files will be incremented and stored as .tgz. They can also be viewed in command line.


To summarize your policy that you are configuring from CLI instead of GUI (as your entire action) isn't being shown:

From CLI:

show ns runningconfig | grep <syslogpolicyname> -i

show ns runningconfig | grep <syslogactionname> -i


But you want to confirm all the syslog action settings specified AND you want to see if the policy is bound: bind system global ....


Note: Syslog on the ADC is all of the audited commands by admins, and events/features that are logged. Features like gateway and appfirewall audit events to syslog. Some monitor events may show up in syslog.


Syslog does not include TCP transactions by default and doesn't usually include load balancing traffic.


However, you said you wanted:  in getting are the public IPs consuming the exposed NetScaler services. 

Do you want to know which vservers are tied to which services OR do you want to see which client IPs are connecting to your lb vservers/services? By default, this is not syslog for load balancing; it might display traffic for gateway/vpn vservers.

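An added example, not code from the thread or from Citrix: a Python check over saved `show ns runningconfig` output that flags the two conditions raised in the replies, a syslog policy that is unbound or bound only to a vserver, and a syslog action that does not log TCP. The config text, object names and collector address are constructed; the `-tcp ALL` option and the `bind lb vserver ... -policyName` line are assumed ADC CLI syntax, and only the `bind system global` form from the thread is treated as a global binding.

```python
# Constructed sample of `show ns runningconfig` output (not from the thread).
# Object names and the collector address 192.0.2.10 are placeholders.
SAMPLE_CONFIG = """\
add audit syslogAction act_qradar 192.0.2.10 -serverPort 514 -logLevel ALL
add audit syslogAction act_tcp 192.0.2.10 -serverPort 514 -logLevel ALL -tcp ALL
add audit syslogPolicy pol_qradar ns_true act_qradar
add audit syslogPolicy pol_tcp ns_true act_tcp
add audit syslogPolicy pol_orphan ns_true act_tcp
bind lb vserver vs_web -policyName pol_qradar -priority 100
bind system global pol_tcp -priority 110
"""


def _opt(tokens, flag, default):
    """Return the value following `flag` in a token list, or `default`."""
    return tokens[tokens.index(flag) + 1] if flag in tokens else default


def audit_syslog(config):
    """Map each syslog policy to its findings (empty list = nothing to flag)."""
    actions, policies, scopes = {}, {}, {}
    for tok in (line.split() for line in config.splitlines()):
        if tok[:3] == ["add", "audit", "syslogAction"]:
            actions[tok[3]] = _opt(tok, "-tcp", "NONE")  # assumed: TCP logging is off unless set
        elif tok[:3] == ["add", "audit", "syslogPolicy"]:
            policies[tok[3]] = tok[-1]                   # last token names the action
        elif tok[:3] == ["bind", "system", "global"]:
            scopes.setdefault(tok[3], []).append("global")
        elif tok[:1] == ["bind"] and "-policyName" in tok:
            scope = " ".join(tok[1:4])                   # e.g. "lb vserver vs_web"
            scopes.setdefault(_opt(tok, "-policyName", ""), []).append(scope)
    report = {}
    for name, action in policies.items():
        findings = []
        bound = scopes.get(name, [])
        if not bound:
            findings.append("not bound: policy has no effect")
        elif "global" not in bound:
            findings.append("bound only to " + ", ".join(bound))
        if bound and actions.get(action, "NONE") != "ALL":
            findings.append("action %s does not log TCP" % action)
        report[name] = findings
    return report


if __name__ == "__main__":
    for policy, findings in audit_syslog(SAMPLE_CONFIG).items():
        print(policy, "->", findings or "ok")
```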
