Netscaler Appliances Logging

[Sam Taylor]

Hi All,

 

I'm looking into our organisations logging setup for the Netscaler appliances, we had originally thought we had a relatively complete logging setup for the Netscalers  - the below screencap shows our configured logging levels on the Logging Profile.

 

 

We have it setup to ship logs into our SIEM, and this seems to be fine - we are getting logs sent such as the below showing a user signed into one of the appliances:

<134> 01/01/2024:12:00:00 GMT Netscaler1 0-PPE-0 : default CLI CMD_EXECUTED 38785 0 :  User XYZ - ADM_User NONE - Remote_ip 1.1.1.1 - Command "login XYZ "*"" - Status "Success"

 

Netscaler is also logging when commands are executed in the NetscalerCLI (Initial shell the user is dropped into when they SSH in - these events are also logging the source IP in the events):

<134> 01/01/2024:12:00:00 GMT Netscaler1 0-PPE-0 : default CLI CMD_EXECUTED 40048 0 :  User XYZ - ADM_User NONE - Remote_ip 1.1.1.1 - Command "show ns runningConfig" - Status "Success"

 

 

The issue we're having is that we want the OS level logs, I'll bullet point a few things we're keen to grab:

- When a user SSH's into the box we should be grabbing the auth log showing the source/destination IP and port (Auth.log?)

- When a user drops into Bash we should be able to see the commands executed (bash.log? We expected to see this in the 'CMD EXECUTED' Events but they don't appear to be sent with our current setup)

- System events (Device is being shutdown, restarted etc.)

- File write/delete events? This might be something separate from the above points but we'd be keen to monitor some of the file paths where webshells were commonly observed being written to when exploited by CVE-2023-3519 (Exploitation of Citrix Zero-Day by Possible Espionage Actors (CVE-2023-3519) | Mandiant) 

 

I suspect that for the first three bulletpoints we could perhaps use auditd but someone better informed please correct me, many thanks in advance for any feedback. Cheers!🙂

[brysojl]

You need to enable DEBUG Log Level for Syslog Events from NetScaler CLI

[Nicola Campaci]

Hi

Netscasler sends only ns.log to external syslog server

Other freeBSD logs are not send to external, like bash.log http.log ecc

https://support.citrix.com/article/CTX564341/syslog-configuration-on-netscaler-only-send-varlognslog-to-outside-syslog-server

Evolutions in this regard are expected with the 14.1 release

[Sam Taylor]

@Nicola Campaci Thanks for the response and the article, good to know - I saw there's a recent 14.1 release but haven't yet seen if the release provides any new features 

[Nicola Campaci]

On 2/22/2024 at 3:30 PM, Sam Taylor said:

@Nicola Campaci Thanks for the response and the article, good to know - I saw there's a recent 14.1 release but haven't yet seen if the release provides any new features 

@Sam Taylor 

Some good News

Only in rel 14.1, from build 12.30 and later, you can configure the follow syslog parapeter: 

-managementlog Types of management logs that you must export.

The following options are available:

• ALL: Includes all categories of management and host logs.
• SHELL: Includes bash.log and sh.log.
• Access: Includes logs such as auth.log, nsvpn.log, vpndebug.log, httpaccess.log,httperror.log, httpaccess-vpn.log, and httperror-vpn.log.
• NSMGMT: Includes ns.log and notice.log.
• NONE: None of the logs are exported.

Works with SPLUNK. I don't know if it works with others softwares

 

[Sam Taylor]

On 2/26/2024 at 10:38 PM, Nicola Campaci said:

@Sam Taylor 

Some good News

Only in rel 14.1, from build 12.30 and later, you can configure the follow syslog parapeter: 

-managementlog Types of management logs that you must export.

The following options are available:

• ALL: Includes all categories of management and host logs.
• SHELL: Includes bash.log and sh.log.
• Access: Includes logs such as auth.log, nsvpn.log, vpndebug.log, httpaccess.log,httperror.log, httpaccess-vpn.log, and httperror-vpn.log.
• NSMGMT: Includes ns.log and notice.log.
• NONE: None of the logs are exported.

Works with SPLUNK. I don't know if it works with others softwares

 

Thanks Nicola, this is the way to collect the logs we want - Splunk is also not required

[Komal Bhardwaj]

Yes, the Management logs / Non Packet Engine logs feature was recently released in 14.1 version. Let me know if this serves your requirements.