
Sending the app firewall logs to a separate syslog server in CEF format doesn't work - ADC v13.0 87.9


Gijs Lemahieu1709159845

Question

Hi,

 

I would like to send all web app firewall logs to an external syslog server, to be able to parse them and tune the configuration based on the logs.

Somehow this doesn't work, but the documentation / forums about it are sometimes quite confusing and not very clear.

 

What I've done so far:

  • edited the syslog.conf file : local2.* is now redirected to /var/log/appfw.log instead of iprep.log
  • restarted the syslog process
  • added a syslog action : add audit syslogAction sysact1 <ip> -serverPort <port> -logLevel ALL -logFacility LOCAL2 -userDefinedAuditlog YES
  • added a syslog policy : add audit syslogPolicy syspol1 true sysact1
  • tried to bind this with this command : bind audit syslogGlobal -policyName syspol1 -priority 100 -globalBindType APPFW_GLOBAL
    => this fails because APPFW_GLOBAL is not accepted as a value, I only have RNAT_GLOBAL, SYSTEM_GLOBAL and VPN_GLOBAL

 

 

I noticed that a new global binding type (APPFW_GLOBAL) was introduced in version 13.1 build 12.51 (https://docs.citrix.com/en-us/citrix-adc/current-release/citrix-adc-release-notes/release-notes-13-1-12-51.html) but sending only the appfw logs to a separate syslog server should also be possible in version 13.0 I think?

 

Does someone have an idea / solution for this?

 

Thanks

 

Gijs.

 


2 answers to this question


Hi Paul,

 

I ended up creating a support ticket.

"APPFW_GLOBAL" was introduced in the 13.1 release and this binding is missing from 13.0 or prior releases; the Citrix documentation (13.0), though, says to use this binding...

 

https://support.citrix.com/article/CTX247887/how-to-configure-syslog-policy-to-segregate-app-firewall-logs

This article is working fine on ADC 13.0 (classic policies).

I've asked support to update the 13.0 documentation.

 

Regards,

 

Gijs
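
Once the App Firewall events reach the external syslog server in CEF, as the question intends, they can be parsed and counted per check to guide tuning. The following is an added example, not part of the original posts and not Citrix code; the sample lines are constructed and the function names are hypothetical.

```python
import re
from collections import Counter

HEADER_KEYS = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")
_FIELD = re.compile(r"((?:\\.|[^|\\])*)\|")      # one header field up to an unescaped pipe
_EXT_KEY = re.compile(r"(?:^|(?<=\s))(\w+)=")    # a key starts the string or follows whitespace

def _split_header(body):
    """Return the 7 pipe-terminated CEF header fields and the remaining extension text."""
    fields, pos = [], 0
    while len(fields) < 7:
        m = _FIELD.match(body, pos)
        if not m:
            raise ValueError("truncated CEF header")
        fields.append(re.sub(r"\\(.)", r"\1", m.group(1)))  # undo \| and \\ escapes
        pos = m.end()
    return fields, body[pos:]

def parse_extension(ext):
    """Parse key=value pairs; values may contain spaces, so a value runs to the next key."""
    hits, out = list(_EXT_KEY.finditer(ext)), {}
    for n, m in enumerate(hits):
        end = hits[n + 1].start() if n + 1 < len(hits) else len(ext)
        out[m.group(1)] = re.sub(r"\\([=\\])", r"\1", ext[m.end():end].strip())
    return out

def parse_cef(line):
    """Return a dict for a CEF record, or None for a syslog line that carries no CEF."""
    start = line.find("CEF:")
    if start < 0:
        return None
    header, ext = _split_header(line[start + 4:])
    return {**dict(zip(HEADER_KEYS, header)), "ext": parse_extension(ext)}

def summarise(lines):
    """Count events per (check name, action, request) to see which rules to review first."""
    events = filter(None, map(parse_cef, lines))
    return Counter((e["name"], e["ext"].get("act"), e["ext"].get("request")) for e in events)

# Constructed sample input (not taken from the thread).
SAMPLE = [
    "<150>Jan  5 10:00:01 adc1 CEF:0|Citrix|NetScaler|NS13.0|APPFW|APPFW_STARTURL|6|src=192.0.2.10 spt=51512 method=GET request=http://app.example/admin msg=Disallow Illegal URL. act=blocked",
    "<150>Jan  5 10:00:04 adc1 CEF:0|Citrix|NetScaler|NS13.0|APPFW|APPFW_STARTURL|6|src=192.0.2.22 spt=40100 method=GET request=http://app.example/admin msg=Disallow Illegal URL. act=blocked",
    "<150>Jan  5 10:00:09 adc1 CEF:0|Citrix|NetScaler|NS13.0|APPFW|APPFW_FIELDFORMAT|6|src=192.0.2.11 request=http://app.example/login?next\\=/home msg=Field format check failed act=not blocked",
    "<134>Jan  5 10:00:10 adc1 sshd: unrelated non-CEF line",
]
```

`summarise(SAMPLE).most_common()` lists the noisiest check and URL pairs first, which is usually where relaxation rules or profile changes are reviewed.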
