Jump to content
Welcome to our new Citrix community!

Netscaler Appliances Logging


Go to solution Solved by Nicola Campaci,

Recommended Posts

Hi All,

 

I'm looking into our organisations logging setup for the Netscaler appliances, we had originally thought we had a relatively complete logging setup for the Netscalers  - the below screencap shows our configured logging levels on the Logging Profile.

 

Netscalerlogginglevels.png.5e97f23a685bd4c7a5a7d03ed9f6aa7e.png

 

We have it setup to ship logs into our SIEM, and this seems to be fine - we are getting logs sent such as the below showing a user signed into one of the appliances:

<134> 01/01/2024:12:00:00 GMT Netscaler1 0-PPE-0 : default CLI CMD_EXECUTED 38785 0 :  User XYZ - ADM_User NONE - Remote_ip 1.1.1.1 - Command "login XYZ "*"" - Status "Success"

 

Netscaler is also logging when commands are executed in the NetscalerCLI (Initial shell the user is dropped into when they SSH in - these events are also logging the source IP in the events):

<134> 01/01/2024:12:00:00 GMT Netscaler1 0-PPE-0 : default CLI CMD_EXECUTED 40048 0 :  User XYZ - ADM_User NONE - Remote_ip 1.1.1.1 - Command "show ns runningConfig" - Status "Success"

 

 

The issue we're having is that we want the OS level logs, I'll bullet point a few things we're keen to grab:

- When a user SSH's into the box we should be grabbing the auth log showing the source/destination IP and port (Auth.log?)

- When a user drops into Bash we should be able to see the commands executed (bash.log? We expected to see this in the 'CMD EXECUTED' Events but they don't appear to be sent with our current setup)

- System events (Device is being shutdown, restarted etc.)

- File write/delete events? This might be something separate from the above points but we'd be keen to monitor some of the file paths where webshells were commonly observed being written to when exploited by CVE-2023-3519 (Exploitation of Citrix Zero-Day by Possible Espionage Actors (CVE-2023-3519) | Mandiant

 

I suspect that for the first three bulletpoints we could perhaps use auditd but someone better informed please correct me, many thanks in advance for any feedback. Cheers!🙂

Link to comment
Share on other sites

  • 2 weeks later...
  • Solution
On 2/22/2024 at 3:30 PM, Sam Taylor said:

@Nicola Campaci Thanks for the response and the article, good to know - I saw there's a recent 14.1 release but haven't yet seen if the release provides any new features 

@Sam Taylor 

Some good News

image.thumb.png.e5babbe27d712a090272389bc1a05432.png

Only in rel 14.1, from build 12.30 and later, you can configure the follow syslog parapeter: 

-managementlog Types of management logs that you must export.

The following options are available:

  • ALL: Includes all categories of management and host logs.
  • SHELL: Includes bash.log and sh.log.
  • Access: Includes logs such as auth.log, nsvpn.log, vpndebug.log, httpaccess.log,httperror.log, httpaccess-vpn.log, and httperror-vpn.log.
  • NSMGMT: Includes ns.log and notice.log.
  • NONE: None of the logs are exported.

Works with SPLUNK. I don't know if it works with others softwares

 

Link to comment
Share on other sites

  • 2 weeks later...
On 2/26/2024 at 10:38 PM, Nicola Campaci said:

@Sam Taylor 

Some good News

image.thumb.png.e5babbe27d712a090272389bc1a05432.png

Only in rel 14.1, from build 12.30 and later, you can configure the follow syslog parapeter: 

-managementlog Types of management logs that you must export.

The following options are available:

  • ALL: Includes all categories of management and host logs.
  • SHELL: Includes bash.log and sh.log.
  • Access: Includes logs such as auth.log, nsvpn.log, vpndebug.log, httpaccess.log,httperror.log, httpaccess-vpn.log, and httperror-vpn.log.
  • NSMGMT: Includes ns.log and notice.log.
  • NONE: None of the logs are exported.

Works with SPLUNK. I don't know if it works with others softwares

 

Thanks Nicola, this is the way to collect the logs we want - Splunk is also not required

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...