Sam Taylor, Posted January 31

Hi All,

I'm looking into our organisation's logging setup for the NetScaler appliances. We had originally thought we had a relatively complete logging setup for the NetScalers; the below screencap shows our configured logging levels on the Logging Profile. We have it set up to ship logs into our SIEM, and this seems to be fine. We are getting logs sent such as the below, showing a user signed into one of the appliances:

<134> 01/01/2024:12:00:00 GMT Netscaler1 0-PPE-0 : default CLI CMD_EXECUTED 38785 0 : User XYZ - ADM_User NONE - Remote_ip 1.1.1.1 - Command "login XYZ "*"" - Status "Success"

NetScaler is also logging when commands are executed in the NetScaler CLI (the initial shell the user is dropped into when they SSH in; these events are also logging the source IP):

<134> 01/01/2024:12:00:00 GMT Netscaler1 0-PPE-0 : default CLI CMD_EXECUTED 40048 0 : User XYZ - ADM_User NONE - Remote_ip 1.1.1.1 - Command "show ns runningConfig" - Status "Success"

The issue we're having is that we want the OS-level logs. I'll bullet point a few things we're keen to grab:

- When a user SSHs into the box we should be grabbing the auth log showing the source/destination IP and port (auth.log?)
- When a user drops into Bash we should be able to see the commands executed (bash.log? We expected to see this in the 'CMD_EXECUTED' events, but they don't appear to be sent with our current setup)
- System events (device is being shut down, restarted, etc.)
- File write/delete events? This might be something separate from the above points, but we'd be keen to monitor some of the file paths where webshells were commonly observed being written to when exploited via CVE-2023-3519 (Exploitation of Citrix Zero-Day by Possible Espionage Actors (CVE-2023-3519) | Mandiant)

I suspect that for the first three bullet points we could perhaps use auditd, but someone better informed please correct me. Many thanks in advance for any feedback.

Cheers! 🙂
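Added example, not from the thread or from Citrix: a small Python parser for the ns.log CMD_EXECUTED lines quoted above. It pulls out user, source IP, command and status, and flags the login and the point where a user leaves the NetScaler CLI for bash (after which, as the thread notes, commands stop appearing in ns.log). The third sample line is constructed, and it is assumed that the CLI `shell` command is logged in the same CMD_EXECUTED format as any other command.

```python
import re

# Header of an ns.log line: <PRI> date tz host ppe : feature module event seq n : body
HEADER_RE = re.compile(
    r'^<(?P<pri>\d+)>\s*(?P<ts>\S+)\s+(?P<tz>\S+)\s+(?P<host>\S+)\s+(?P<ppe>\S+)\s+:\s+'
    r'(?P<feature>\S+)\s+(?P<module>\S+)\s+(?P<event>\S+)\s+(?P<seq>\d+)\s+\d+\s+:\s+(?P<body>.*)$'
)
# Body of a CLI CMD_EXECUTED event; Command is matched greedily so inner quotes survive
CMD_RE = re.compile(
    r'^User (?P<user>\S+) - ADM_User (?P<adm>\S+) - Remote_ip (?P<ip>\S+) - '
    r'Command "(?P<cmd>.*)" - Status "(?P<status>[^"]*)"$'
)

def classify(cmd: str) -> str:
    """Flag the events the thread cares about: logins and the drop into bash."""
    if cmd.startswith("login "):
        return "login"
    # Assumption: the NetScaler CLI 'shell' command is logged like any other CLI command;
    # after it, bash commands no longer appear in ns.log (they go to bash.log).
    if cmd == "shell" or cmd.startswith("shell "):
        return "shell_escape"
    return "cli_command"

def parse_line(line: str):
    """Return a dict of fields for a CLI CMD_EXECUTED line, or None for anything else."""
    h = HEADER_RE.match(line.strip())
    if not h or h["module"] != "CLI" or h["event"] != "CMD_EXECUTED":
        return None
    b = CMD_RE.match(h["body"])
    if not b:
        return None
    return {
        "host": h["host"], "timestamp": f'{h["ts"]} {h["tz"]}',
        "severity": int(h["pri"]) % 8,          # syslog PRI % 8: 134 -> 6 (informational)
        "user": b["user"], "remote_ip": b["ip"], "command": b["cmd"],
        "status": b["status"], "kind": classify(b["cmd"]),
    }

def parse_log(text: str) -> list:
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]

# Constructed sample: the two lines quoted in the thread plus a constructed 'shell' line
SAMPLE = """<134> 01/01/2024:12:00:00 GMT Netscaler1 0-PPE-0 : default CLI CMD_EXECUTED 38785 0 : User XYZ - ADM_User NONE - Remote_ip 1.1.1.1 - Command "login XYZ "*"" - Status "Success"
<134> 01/01/2024:12:00:00 GMT Netscaler1 0-PPE-0 : default CLI CMD_EXECUTED 40048 0 : User XYZ - ADM_User NONE - Remote_ip 1.1.1.1 - Command "show ns runningConfig" - Status "Success"
<134> 01/01/2024:12:00:05 GMT Netscaler1 0-PPE-0 : default CLI CMD_EXECUTED 40049 0 : User XYZ - ADM_User NONE - Remote_ip 1.1.1.1 - Command "shell" - Status "Success"
"""

if __name__ == "__main__":
    for ev in parse_log(SAMPLE):
        print(f'{ev["timestamp"]} {ev["host"]} {ev["kind"]:13} user={ev["user"]} from={ev["remote_ip"]} cmd={ev["command"]!r}')
```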
brysojl, Posted February 7

You need to enable DEBUG Log Level for Syslog Events from NetScaler CLI.
Nicola Campaci, Posted February 14

Hi, NetScaler sends only ns.log to an external syslog server. Other FreeBSD logs are not sent externally, like bash.log, http.log, etc.

https://support.citrix.com/article/CTX564341/syslog-configuration-on-netscaler-only-send-varlognslog-to-outside-syslog-server

Evolutions in this regard are expected with the 14.1 release.
Sam Taylor (Author), Posted February 22

@Nicola Campaci Thanks for the response and the article, good to know. I saw there's a recent 14.1 release but haven't yet seen if the release provides any new features.
Nicola Campaci, Posted February 26 (Solution)

On 2/22/2024 at 3:30 PM, Sam Taylor said:
> @Nicola Campaci Thanks for the response and the article, good to know. I saw there's a recent 14.1 release but haven't yet seen if the release provides any new features.

@Sam Taylor Some good news. Only in rel 14.1, from build 12.30 and later, you can configure the following syslog parameter:

-managementlog
Types of management logs that you must export. The following options are available:
ALL: Includes all categories of management and host logs.
SHELL: Includes bash.log and sh.log.
Access: Includes logs such as auth.log, nsvpn.log, vpndebug.log, httpaccess.log, httperror.log, httpaccess-vpn.log, and httperror-vpn.log.
NSMGMT: Includes ns.log and notice.log.
NONE: None of the logs are exported.

Works with SPLUNK. I don't know if it works with other software.
Sam Taylor (Author), Posted March 12

On 2/26/2024 at 10:38 PM, Nicola Campaci said:
> @Sam Taylor Some good news. Only in rel 14.1, from build 12.30 and later, you can configure the following syslog parameter:
>
> -managementlog
> Types of management logs that you must export. The following options are available:
> ALL: Includes all categories of management and host logs.
> SHELL: Includes bash.log and sh.log.
> Access: Includes logs such as auth.log, nsvpn.log, vpndebug.log, httpaccess.log, httperror.log, httpaccess-vpn.log, and httperror-vpn.log.
> NSMGMT: Includes ns.log and notice.log.
> NONE: None of the logs are exported.
>
> Works with SPLUNK. I don't know if it works with other software.

Thanks Nicola, this is the way to collect the logs we want. Splunk is also not required.
Komal Bhardwaj, Posted March 12

Yes, the Management logs / Non Packet Engine logs feature was recently released in the 14.1 version. Let me know if this serves your requirements.