Hi All,
I'm looking into our organisation's logging setup for the Netscaler appliances. We had originally thought we had a relatively complete logging setup for the Netscalers; the below screencap shows our configured logging levels on the Logging Profile.
We have it set up to ship logs into our SIEM, and this seems to be fine. We are getting logs sent such as the one below, showing a user signing into one of the appliances:
<134> 01/01/2024:12:00:00 GMT Netscaler1 0-PPE-0 : default CLI CMD_EXECUTED 38785 0 : User XYZ - ADM_User NONE - Remote_ip 1.1.1.1 - Command "login XYZ "*"" - Status "Success"
Netscaler is also logging when commands are executed in the Netscaler CLI (the initial shell the user is dropped into when they SSH in; these events also log the source IP):
<134> 01/01/2024:12:00:00 GMT Netscaler1 0-PPE-0 : default CLI CMD_EXECUTED 40048 0 : User XYZ - ADM_User NONE - Remote_ip 1.1.1.1 - Command "show ns runningConfig" - Status "Success"
The issue we're having is that we want the OS-level logs. I'll bullet point a few things we're keen to grab:
- When a user SSHes into the box we should be grabbing the auth log showing the source/destination IP and port (auth.log?)
- When a user drops into Bash we should be able to see the commands executed (bash.log? We expected to see this in the 'CMD_EXECUTED' events, but they don't appear to be sent with our current setup)
- System events (device being shut down, restarted, etc.)
- File write/delete events? This might be something separate from the above points, but we'd be keen to monitor some of the file paths where webshells were commonly observed being written during exploitation of CVE-2023-3519 (Exploitation of Citrix Zero-Day by Possible Espionage Actors (CVE-2023-3519) | Mandiant)
I suspect that for the first three bullet points we could perhaps use auditd, but someone better informed please correct me. Many thanks in advance for any feedback. Cheers! 🙂
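As an added illustration (not part of the original post, and not Citrix code): the CMD_EXECUTED lines quoted above are already enough to detect the moment a user leaves the NetScaler CLI for bash, because that transition is itself a CLI command. The parser below splits the syslog envelope and the `User ... - Command "..." - Status "..."` body, then flags events against a small watchlist. Assumptions: `shell` is the CLI command that opens the bash shell (a watchlist entry you should adjust to your own appliances), the field names such as `ppe`/`group` are my own labels rather than NetScaler documentation, and the sample lines are constructed from the two posted ones with 192.0.2.x addresses and an invented failure status.

```python
import re
from dataclasses import dataclass, field

# Syslog envelope + NetScaler CLI CMD_EXECUTED body, modelled on the lines in the post.
# Group names (ppe, group, module, seq) are my own labels, not NetScaler's.
_ENVELOPE = re.compile(
    r"^<(?P<pri>\d{1,3})>\s*"
    r"(?P<ts>\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2}) (?P<tz>\S+) "
    r"(?P<host>\S+) (?P<ppe>\S+) : "
    r"(?P<group>\S+) (?P<module>\S+) (?P<event>\S+) (?P<event_id>\d+) (?P<seq>\d+) : "
    r"(?P<body>.*)$"
)
# The Command value can contain quotes itself (login XYZ "*"), so match it greedily
# and anchor on the trailing Status field instead of splitting on quotes.
_CLI_BODY = re.compile(
    r'^User (?P<user>\S+) - ADM_User (?P<adm_user>\S+) - Remote_ip (?P<remote_ip>\S+) '
    r'- Command "(?P<command>.*)" - Status "(?P<status>[^"]*)"$'
)

# Assumed watchlist: "shell" drops from the NetScaler CLI into bash, and
# "show ns runningConfig" dumps the whole config. Extend for your environment.
WATCHLIST = {
    "shell": "interactive bash shell opened from the NetScaler CLI",
    "show ns runningConfig": "full running configuration dumped",
}


@dataclass
class CliEvent:
    host: str
    timestamp: str
    facility: int
    severity: int
    user: str
    adm_user: str
    remote_ip: str
    command: str
    status: str
    flags: list = field(default_factory=list)


def parse_cli_event(line):
    """Parse one CMD_EXECUTED syslog line; return None for anything else."""
    m = _ENVELOPE.match(line.strip())
    if not m or m["module"] != "CLI" or m["event"] != "CMD_EXECUTED":
        return None
    b = _CLI_BODY.match(m["body"])
    if not b:
        return None
    pri = int(m["pri"])  # RFC 3164 PRI: facility * 8 + severity (134 -> local0, info)
    return CliEvent(
        host=m["host"], timestamp=f'{m["ts"]} {m["tz"]}',
        facility=pri // 8, severity=pri % 8,
        user=b["user"], adm_user=b["adm_user"], remote_ip=b["remote_ip"],
        command=b["command"], status=b["status"],
    )


def flag_event(ev):
    """Attach human-readable flags to an event; empty list means nothing of interest."""
    flags = []
    if ev.status != "Success":
        flags.append(f"non-success status: {ev.status}")
    for watched, why in WATCHLIST.items():
        # exact command, or the watched command followed by arguments (e.g. "shell ls")
        if ev.command == watched or ev.command.startswith(watched + " "):
            flags.append(why)
    ev.flags = flags
    return flags


def triage(lines):
    """Parse a batch of lines and return only the flagged events (non-matching lines are skipped)."""
    flagged = []
    for line in lines:
        ev = parse_cli_event(line)
        if ev and flag_event(ev):
            flagged.append(ev)
    return flagged


# Constructed sample input: the two posted lines plus a "shell" drop and a failed login.
# The failure status text is invented for the example; 192.0.2.0/24 is documentation space.
SAMPLE_LINES = [
    '<134> 01/01/2024:12:00:00 GMT Netscaler1 0-PPE-0 : default CLI CMD_EXECUTED 38785 0 : User XYZ - ADM_User NONE - Remote_ip 192.0.2.10 - Command "login XYZ "*"" - Status "Success"',
    '<134> 01/01/2024:12:00:05 GMT Netscaler1 0-PPE-0 : default CLI CMD_EXECUTED 40048 0 : User XYZ - ADM_User NONE - Remote_ip 192.0.2.10 - Command "show ns runningConfig" - Status "Success"',
    '<134> 01/01/2024:12:00:09 GMT Netscaler1 0-PPE-0 : default CLI CMD_EXECUTED 40049 0 : User XYZ - ADM_User NONE - Remote_ip 192.0.2.10 - Command "shell" - Status "Success"',
    '<134> 01/01/2024:12:01:00 GMT Netscaler1 0-PPE-0 : default CLI CMD_EXECUTED 40050 0 : User ABC - ADM_User NONE - Remote_ip 192.0.2.99 - Command "login ABC "*"" - Status "ERROR: Invalid username or password"',
    "not a netscaler line at all",
]

if __name__ == "__main__":
    for ev in triage(SAMPLE_LINES):
        print(f"{ev.timestamp} {ev.host} user={ev.user} ip={ev.remote_ip} "
              f"cmd={ev.command!r}: {'; '.join(ev.flags)}")
```

The useful bit for the SIEM is the `shell` flag: it gives the user, source IP and timestamp of the hand-off into bash, which is the point from which the appliance's own CMD_EXECUTED stream goes quiet and an OS-level source (bash history, auditd or similar) would have to take over.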