Gijs Lemahieu1709159845
Posted September 19, 2022

Hi,

I would like to send all web app firewall logs to an external syslog server, to be able to parse them and tune the configuration based on the logs.

Somehow this doesn't work, but documentation / forums about it are sometimes quite confusing and not very clear.

What I've done so far:

- edited the syslog.conf file: local2.* is now redirected to /var/log/appfw.log instead of iprep.log
- restarted the syslog process
- added a syslog action: add audit syslogAction sysact1 <ip> -serverPort <port> -logLevel ALL -logFacility LOCAL2 -userDefinedAuditlog YES
- added a syslog policy: add audit syslogPolicy syspol1 true sysact1
- tried to bind this with this command: bind audit syslogGlobal -policyName syspol1 -priority 100 -globalBindType APPFW_GLOBAL

=> this fails because APPFW_GLOBAL is not accepted as a value; I only have RNAT_GLOBAL, SYSTEM_GLOBAL and VPN_GLOBAL.

I noticed that a new global binding type (APPFW_GLOBAL) was introduced in version 13.1 build 12.51 (https://docs.citrix.com/en-us/citrix-adc/current-release/citrix-adc-release-notes/release-notes-13-1-12-51.html), but sending only the appfw logs to a separate syslog server should also be possible in version 13.0, I think?

Does someone have an idea / solution for this?

Thanks

Gijs.

Paul Blitz
Posted September 23, 2022

This any use to you?

https://support.citrix.com/article/CTX138973/how-to-send-application-firewall-messages-to-a-separate-syslog-server

Gijs Lemahieu1709159845 (Author)
Posted September 26, 2022

Hi Paul,

I ended up creating a support ticket.

"APPFW_GLOBAL" was introduced in the 13.1 release and this binding is missing from 13.0 or prior releases; the Citrix documentation (13.0), though, says to use this binding...

https://support.citrix.com/article/CTX247887/how-to-configure-syslog-policy-to-segregate-app-firewall-logs

This article is working fine on ADC 13.0 (classic policies).

I've asked support to update the 13.0 documentation.

Regards,

Gijs