
Customizing logging via Message Action for "tcp-relay-vserver" from Client to Backend Server


nlffel439


Hi guys

I am facing the following problem.
I have a vServer that is a pure TCP relay, and can fully trace the connections made to it in the LOG. 
I want to create an Audit Message Action that logs not only the information to the vServer but also the information to the backend (for example over which port the SNIP addresses the backend).

 

Currently I have solved the following in the policy:

"Access from -" + CLIENT.IP.SRC+"-srcport-"+CLIENT.TCP.SRCPORT+"-to-"+ CLIENT.IP.DST+ "-dstport-" +CLIENT.TCP.DSTPORT

 

The result would be:

"Access from -<CLIENT.IP>-srcport-60771-to-<VSERVER.IP>-dstport-2446"

Ports or names are only examples here

 

I bound this audit message action to a responder policy and then sent it to the TCP-RELAY-vServer

 

My wish would be:

"Access from -<CLIENT.IP>-srcport-60771-to-<VSERVER.IP>-dstport-2446"-to-backend-<BACKEND.SERVER.IP><BACKEND.SERVER.PORT>-via-<SNIP_PORT>


So that I can see in the log the complete path of the TCP connection to the backend

 


Good Morning,

The example below logs all involved IP addresses and ports from the client to the backend. The trick is to use a Rewrite Policy and bind it as type RESPONSE to your TCP virtual server.

 

 

1. Create Audit Message Action:

add audit messageaction AMA_Log_ClientAccess WARNING "\"Time: \"+SYS.TIME.TO_LOCAL+\" ####### Frontend: \"+CLIENT.IP.SRC+\":\"+CLIENT.TCP.SRCPORT+\" -> \"+CLIENT.IP.DST+\":\"+CLIENT.TCP.DSTPORT+\" ####### Backend: \"+SERVER.IP.DST+\":\"+SERVER.TCP.DSTPORT+\" -> \"+SERVER.IP.SRC+\":\"+SERVER.TCP.SRCPORT" -logtoNewnslog YES

2. Create Rewrite Policy which is used to Log the Audit Message Action:

add rewrite policy pol_rw_Log_ClientAccess true NOREWRITE -logAction AMA_Log_ClientAccess

3. Bind your Rewrite Policy to your Virtual Server. Use Type RESPONSE:

bind lb vserver <VServer> -policyName pol_rw_Log_ClientAccess -priority 100 -gotoPriorityExpression END -type RESPONSE

 

Logged Data in /var/log/ns.log:

 "Time: Fri, 10 Mar 2023 07:58:29 CET ####### Frontend: <Client IP>:<ClientPort> -> <Virtual Server IP>:<VirtualServerPort> ####### Backend: <SNIP>:<SNIP Port> -> <Backend IP>:<Backend Port>"
 "Time: Fri, 10 Mar 2023 07:58:29 CET ####### Frontend: 192.168.1.10:58424 -> 192.168.2.20:25 ####### Backend: 192.168.3.30:32136 -> 192.168.3.40:25"
 

Best regards,

Jens

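As an added example (not part of the thread and not Citrix code), the following Python parser reads the message body that the audit message action above writes to ns.log and turns the client -> vserver -> SNIP -> backend path into structured fields. That is the piece a SOC or firewall team usually needs next: a backend or firewall log only shows the SNIP side of the connection, and the question is which client was behind it. The syslog-style prefix on the constructed sample lines is an assumption (the real ns.log prefix differs by build), which is why the pattern is searched for anywhere in the line rather than anchored at its start; only IPv4 literals are handled.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, Iterator, List, Optional

# Pattern for the message body built by the audit message action in the thread:
#   Time: <ts> ####### Frontend: <client>:<port> -> <vip>:<port>
#   ####### Backend: <snip>:<port> -> <backend>:<port>
# ns.log wraps that body in its own prefix, so the pattern is searched for,
# not anchored. Only IPv4 literals are handled here.
LOG_RE = re.compile(
    r"Time:\s*(?P<time>.+?)\s*#+\s*"
    r"Frontend:\s*(?P<client_ip>[\d.]+):(?P<client_port>\d+)\s*->\s*"
    r"(?P<vip>[\d.]+):(?P<vport>\d+)\s*#+\s*"
    r"Backend:\s*(?P<snip>[\d.]+):(?P<snip_port>\d+)\s*->\s*"
    r"(?P<backend_ip>[\d.]+):(?P<backend_port>\d+)"
)


@dataclass(frozen=True)
class RelayConnection:
    """One logged TCP relay connection, both legs."""
    time: str
    client_ip: str
    client_port: int
    vip: str
    vport: int
    snip: str
    snip_port: int
    backend_ip: str
    backend_port: int

    def path(self) -> str:
        """Single-line client -> vserver -> SNIP -> backend path for correlation."""
        return (f"{self.client_ip}:{self.client_port} -> {self.vip}:{self.vport} "
                f"-> {self.snip}:{self.snip_port} -> {self.backend_ip}:{self.backend_port}")


def parse_line(line: str) -> Optional[RelayConnection]:
    """Return the parsed connection, or None if the line lacks the message body."""
    m = LOG_RE.search(line)
    if m is None:
        return None
    g = m.groupdict()
    return RelayConnection(
        time=g["time"],
        client_ip=g["client_ip"], client_port=int(g["client_port"]),
        vip=g["vip"], vport=int(g["vport"]),
        snip=g["snip"], snip_port=int(g["snip_port"]),
        backend_ip=g["backend_ip"], backend_port=int(g["backend_port"]),
    )


def parse_log(lines: Iterable[str]) -> Iterator[RelayConnection]:
    """Yield every parsable relay connection, skipping unrelated ns.log entries."""
    for line in lines:
        conn = parse_line(line)
        if conn is not None:
            yield conn


def find_client_for_snip_port(lines: Iterable[str], snip: str,
                              snip_port: int) -> Optional[RelayConnection]:
    """Answer 'the backend saw <snip>:<port>; which client was that?'."""
    for conn in parse_log(lines):
        if conn.snip == snip and conn.snip_port == snip_port:
            return conn
    return None


def backend_paths_by_client(lines: Iterable[str]) -> Dict[str, List[str]]:
    """Group the SNIP:port -> backend:port legs by client IP."""
    out: Dict[str, List[str]] = {}
    for conn in parse_log(lines):
        out.setdefault(conn.client_ip, []).append(
            f"{conn.snip}:{conn.snip_port} -> {conn.backend_ip}:{conn.backend_port}")
    return out


# Constructed sample input. The "Mar 10 ... ns-demo :" prefix is an assumed
# stand-in for the real ns.log prefix; the first body is the one from the thread.
SAMPLE_LOG = [
    'Mar 10 07:58:29 ns-demo : "Time: Fri, 10 Mar 2023 07:58:29 CET ####### Frontend: '
    '192.168.1.10:58424 -> 192.168.2.20:25 ####### Backend: 192.168.3.30:32136 -> 192.168.3.40:25"',
    'Mar 10 08:01:02 ns-demo : "Time: Fri, 10 Mar 2023 08:01:02 CET ####### Frontend: '
    '10.0.0.5:41000 -> 192.168.2.20:2446 ####### Backend: 192.168.3.30:32137 -> 192.168.3.41:2446"',
    'Mar 10 08:01:05 ns-demo : unrelated entry without the message action body',
]

if __name__ == "__main__":
    for conn in parse_log(SAMPLE_LOG):
        print(conn.path())
```

One caveat worth keeping in mind when reading the output: because the rewrite policy is bound as type RESPONSE, the line is written when the backend answers, so a connection the backend never responds to produces no entry, and absence of a line is not evidence that no connection attempt reached the vserver.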

33 minutes ago, Jens Dellner said:

Good Morning,

the example below logs all involved IP Addresses and Ports from Client to the Backend. The trick is to use a Rewrite Policy and bind it as type RESPONSE to your TCP Virtual Server.

Good morning Jens,

great, that's exactly what I meant!

Thanks for the support.

Best regards,
Nino
