Syslog via TCP: LineFeed characters in Message part complicates parsing at syslog destination


We have configured Syslog on our Citrix ADCs to use TCP as the transport. This means that a single TCP packet can contain multiple syslog messages, separated by the LineFeed (0x0A) character.

So far so good, but I noticed that the "ns_auth2_post_auth_epa_report" message contains LineFeed characters in the message part, breaking the parsing of syslog messages on our receiver side.


Example content of a single TCP packet received at our syslog server containing 6 syslog messages; due to the LineFeed characters inside syslog message 4, this is handled as 9 separate syslog messages. Of course the syslog messages on lines 5-7 cannot be parsed due to the missing header.

<134> 2022/11/07:10:59:02  <hostname> 0-PPE-0 : default SSLVPN Message 4116300 0 :  "get_session user: <user>@<domain>, aaa_info flags 40011 flags2 1f20000, new webview 0, sess flags2 200000, flags3 78040 flags4 800 ssoDomain <domain>, ssoUsername: <user>@<domain>, ssoUsername2: <user>@<domain>"
<134> 2022/11/07:10:59:02  <hostname> 0-PPE-0 : default AAA EXTRACTED_GROUPS 4116301 0 :  Extracted_groups "<groups>"
<134> 2022/11/07:10:59:02  <hostname> 0-PPE-0 : default SSLVPN Message 4116305 0 :  "epaqs_session_report: Done initializing session; client_type 1, authv2 200000, flags2 200000, flags3 78068"
<134> 2022/11/07:10:59:02  <hostname> 0-PPE-0 : default SSLVPN Message 4116306 0 :  "ns_auth2_post_auth_epa_report:******
*******
flags2 200000, flags3 78068, v2setclient 1
"
<134> 2022/11/07:10:59:02  <hostname> 0-PPE-0 : default SSLVPN Message 4116310 0 :  "[CGP][ICAUUID=<ICAUUID>] App/Desktop launch initiated {client=<srcip>:<port>}"
<134> 2022/11/07:10:59:02  <hostname> 0-PPE-0 : default SSLVPN ICASTART 4116321 0 :  Source <srcip>:<port> - Destination <dstip>:2598 - customername  - username:domainname <user>@<domain>: - applicationName <appname> $A22-12-97DCA4D9-0001 - startTime "2022/11/07:10:59:02 " - connectionId 10912706

Our syslog configuration on the Citrix ADC looks like this:

add audit syslogAction SLA_<name> <ip> -serverPort 514 -transport TCP -tcpProfileName nstcp_default_profile -logLevel EMERGENCY ALERT CRITICAL ERROR WARNING NOTICE INFORMATIONAL -dateFormat YYYYMMDD -timeZone LOCAL_TIME
add audit syslogPolicy SLP_<name> true SLA_<name>
bind audit syslogGlobal -policyName SLP_<name> -priority 100

Does anyone recognize this behavior and know if this can be fixed?


Furthermore, syslog generated by Citrix ADC does not adhere to either RFC 3164 (wrong timestamp) or RFC 5424. I fixed this on our syslog receiver side (syslog-ng) with a rewrite rule that adjusts the timestamp according to the RFC 3164 specification.

Is there any other way to ensure Citrix ADC is sending syslog conforming to either RFC?

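The receiver-side workaround described in the post, as an added example that is not part of the original post and not Citrix or syslog-ng code: a small Python reassembler for a TCP syslog stream. It treats every LF-terminated line that starts with a "<PRI> YYYY/MM/DD:HH:MM:SS host" header as the start of a new record and appends any other line to the record before it, so the embedded LineFeeds in the ns_auth2_post_auth_epa_report message no longer produce headerless pseudo-messages. Because TCP carries no record boundaries it also buffers a record that is cut at a segment boundary, and it converts the ADC timestamp to the RFC 3164 "Mmm dd HH:MM:SS" form. Assumptions: the -dateFormat YYYYMMDD timestamp layout shown in the post's configuration, and the hostnames, IP addresses and shortened message bodies in the sample segments are constructed placeholders modelled on the post's packet.

```python
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

# A Citrix ADC syslog record (with -dateFormat YYYYMMDD) starts with
# "<PRI> YYYY/MM/DD:HH:MM:SS host ...". Any LF-terminated line that does not
# match this header is treated as a continuation of the preceding record.
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\s+(?P<ts>\d{4}/\d{2}/\d{2}:\d{2}:\d{2}:\d{2})"
    r"\s+(?P<host>\S+)\s+(?P<rest>.*)$",
    re.DOTALL,
)


@dataclass
class SyslogRecord:
    pri: int
    facility: int
    severity: int
    timestamp: datetime
    host: str
    body: str
    continuation_lines: int  # LFs that were part of the message, not delimiters


class FrameAssembler:
    """Reassembles syslog records from a TCP byte stream.

    A segment may hold several records and a record may span segments, so the
    bytes after the last LF are buffered until the next feed(). A header line
    starts a new record; a line without a header is glued to the current one.
    The current record is only emitted once the next header arrives (or on
    flush()), because a continuation line may still follow it.
    """

    def __init__(self) -> None:
        self._partial = b""
        self._current: Optional[str] = None

    def feed(self, data: bytes) -> List[str]:
        self._partial += data
        parts = self._partial.split(b"\n")
        self._partial = parts.pop()  # incomplete tail, kept for the next segment
        out: List[str] = []
        for raw in parts:
            line = raw.decode("utf-8", errors="replace")
            if HEADER_RE.match(line):
                if self._current is not None:
                    out.append(self._current)
                self._current = line
            elif self._current is not None:
                self._current += "\n" + line
            else:
                out.append(line)  # orphan continuation with no record to join
        return out

    def flush(self) -> List[str]:
        """Emit the record held back for a possible continuation (e.g. at close)."""
        out = [self._current] if self._current is not None else []
        self._current = None
        return out


def parse_record(record: str) -> Optional[SyslogRecord]:
    """Split PRI, ADC timestamp and host off a reassembled record; None if headerless."""
    m = HEADER_RE.match(record)
    if m is None:
        return None
    pri = int(m.group("pri"))
    return SyslogRecord(
        pri=pri,
        facility=pri >> 3,
        severity=pri & 7,
        timestamp=datetime.strptime(m.group("ts"), "%Y/%m/%d:%H:%M:%S"),
        host=m.group("host"),
        body=m.group("rest"),
        continuation_lines=record.count("\n"),
    )


def rfc3164_timestamp(ts: datetime) -> str:
    """RFC 3164 TIMESTAMP: 'Mmm dd HH:MM:SS' with a space-padded day ('Nov  7')."""
    return f"{ts.strftime('%b')} {ts.day:2d} {ts.strftime('%H:%M:%S')}"


# Constructed sample modelled on the post: two TCP segments carrying six records.
# Record 4 contains embedded LFs and the segment boundary falls inside it.
HDR = b"<134> 2022/11/07:10:59:02  adc01 0-PPE-0 : default "
SEGMENT_1 = (
    HDR + b'SSLVPN Message 4116300 0 :  "get_session user: user@example.test"\n'
    + HDR + b'AAA EXTRACTED_GROUPS 4116301 0 :  Extracted_groups "grp1,grp2"\n'
    + HDR + b'SSLVPN Message 4116305 0 :  "epaqs_session_report: Done initializing session"\n'
    + HDR + b'SSLVPN Message 4116306 0 :  "ns_auth2_post_auth_epa_report:******\n'
    + b"*******\n"
    + b"flags2 200000, fla"
)
SEGMENT_2 = (
    b"gs3 78068, v2setclient 1\n"
    + b'"\n'
    + HDR + b'SSLVPN Message 4116310 0 :  "[CGP] App/Desktop launch initiated"\n'
    + HDR + b"SSLVPN ICASTART 4116321 0 :  Source 10.0.0.1:5000 - Destination 10.0.0.2:2598\n"
)


def naive_line_count(*segments: bytes) -> int:
    """What a receiver that splits purely on LF sees: one 'message' per line."""
    return len([l for l in b"".join(segments).split(b"\n") if l])


def reassemble(*segments: bytes) -> List[str]:
    asm = FrameAssembler()
    records: List[str] = []
    for seg in segments:
        records.extend(asm.feed(seg))
    records.extend(asm.flush())
    return records


if __name__ == "__main__":
    print("naive LF split sees", naive_line_count(SEGMENT_1, SEGMENT_2), "messages")
    for rec in reassemble(SEGMENT_1, SEGMENT_2):
        p = parse_record(rec)
        print(rfc3164_timestamp(p.timestamp), p.host, f"local{p.facility - 16}.{p.severity}",
              f"+{p.continuation_lines} embedded LF", p.body[:60])
```

The header regex is deliberately strict about the timestamp shape so that a message body line which happens to start with "<" is not mistaken for a new record; if the ADC is configured with a different -dateFormat, the pattern has to follow it.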