Collect NetScaler logs

Supported in:

This document describes how you can collect the NetScaler logs by using a Google Security Operations forwarder.

For more information, see Data ingestion to Google Security Operations overview.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the CITRIX_NETSCALER ingestion label.

Configure NetScaler VPX

To configure the NetScaler VPX to send logs to the Google Security Operations forwarder, do the following:

Verify hostname configuration

  1. Sign in to the NetScaler web interface using administrator credentials.
  2. Select Configuration > Settings.
  3. Click Host name, DNS IP address, and Time zone.
  4. If the Host name field is empty, enter the hostname. Don't include spaces. If this field is already configured, then no action is required.
  5. In the DNS IP address field, verify that the local DNS IP address is specified.
  6. In the Time zone field, enter your time zone.

Create auditing server

  1. In the NetScaler web interface, select Configuration > System > Auditing > Syslog > Servers.
  2. Specify the syslog details in the following fields:
    • Name
    • Server type
    • IP address
    • Port
  3. Select Log levels as Custom.
  4. Select all checkboxes except the DEBUG level in the configuration.
  5. In the Log facility list, select LOCAL0.
  6. In the Date format list, select MMDDYYYY.
  7. Select Time zone as GMT.
  8. Clear the following checkboxes:
    • TCP logging
    • ACL logging
    • User configurable log messages
    • AppFlow logging
    • Large scale NAT logging
    • ALG messages logging
    • Subscriber logging
    • DNS
    • SSL interception
    • URL filtering
    • Content inspection logging
  9. Click Ok to create the auditing server.

Bind the created audit policy to the server

  1. In the NetScaler web interface, select Configuration > System > Auditing > Syslog.
  2. Click the Policies tab.
  3. In the Name field, enter a name for the policy.
  4. In the Server list, select the server created in the previous section.
  5. Click Create.
  6. Right-click the created auditing policy and select Action > Global bindings.
  7. Click Add binding.
  8. In the Policy binding window, do the following:
    1. In the Select policy field, enter the created audit policy.
    2. In the Binding details pane, in the Priority field, enter 120 as it is the default priority.
    3. Click Bind.

Configure NetScaler SDX

To configure the NetScaler SDX to send logs to the Google Security Operations forwarder, do the following:

Verify hostname configuration for NetScaler SDX

  1. Sign in to the NetScaler web interface using administrator credentials.
  2. In the NetScaler web interface, select System > System settings.
  3. If the Host name field is empty, enter the hostname. Don't include spaces. If this field is already configured, then no action is required.
  4. In the Time zone field, select UTC or GMT.

Configure the syslog server

  1. In the NetScaler web interface, select System > Notifications > Syslog servers.
  2. In the Details pane, click Add.
  3. In the Create syslog server window, specify values for the following syslog server parameters:
    1. In the Name field, enter a name.
    2. In the IP address field, enter the Google Security Operations forwarder IP address.
    3. In the Port field, enter the port number.
    4. Select Log levels as Custom.
    5. Select all log levels except Debug.
  4. Click Create.

Configure the syslog parameters

  1. In the NetScaler web interface, select System > Notifications > Syslog servers.
  2. In the Details pane, click Syslog parameters.
  3. In the Configure syslog parameters page, select Date format as MMDDYYYY and select Time zone as GMT.
  4. Click Ok.

Configure the Google Security Operations forwarder to ingest NetScaler logs

  1. Select SIEM Settings > Forwarders.
  2. Click Add new forwarder.
  3. In the Forwarder name field, enter a unique name for the forwarder.
  4. Click Submit and then click Confirm. The forwarder is added and the Add collector configuration window appears.
  5. In the Collector name field, type a unique name for the collector.
  6. Select Citrix NetScaler as the Log type.
  7. In the Collector type field, select Syslog.
  8. Configure the following mandatory input parameters:
    • Protocol: specify the connection protocol that the collector uses to listen for syslog data.
    • Address: specify the target IP address or hostname where the collector resides and listens for syslog data.
    • Port: specify the target port on which the collector listens for syslog data.
  9. Click Submit.

For more information about the Google Security Operations forwarders, see Manage forwarder configurations through the Google Security Operations UI.

If you encounter issues when you create forwarders, contact Google Security Operations support.

Field mapping reference

This parser processes Citrix NetScaler syslog messages in key-value format. It extracts JSON-formatted data from the message field and enriches the UDM event with information from other fields, such as host.hostname and user_agent.original, after sanitizing them. When the primary message is empty, it falls back to the original log message.

UDM mapping table

Log field | UDM mapping | Logic
AAA trans id | security_result.detection_fields[].value | Value extracted from "AAA trans id" field.
Access | security_result.action_details | If "Access" is "Allowed", set security_result.action to ALLOW. If "Access" is "Denied", set security_result.action to BLOCK.
applicationName | principal.application | Value extracted from "applicationName" field.
Browser_type | network.http.user_agent | Value extracted from "Browser_type" field.
ClientIP | principal.ip, principal.asset.ip | Value extracted from "ClientIP" field.
ClientPort | principal.port | Value extracted from "ClientPort" field.
client_cookie | additional.fields[].value.string_value | Value extracted from "client_cookie" field.
Command | target.process.command_line | Value extracted from "Command" field.
connectionId | security_result.detection_fields[].value | Value extracted from "connectionId" field.
Destination | target.ip, target.asset.ip | Value extracted from "Destination" field.
device_serial_number | target.asset_id | target.asset_id is set to "device_serial_number: ".
Duration | network.session_duration.seconds | Duration is converted to seconds and mapped.
End Time | security_result.detection_fields[].value | Value extracted from "End Time" field.
Failure_reason | metadata.description | Value extracted from "Failure_reason" field.
flags | additional.fields[].value.string_value | Value extracted from "flags" field.
Group(s) | target.group.group_display_name | Value extracted from "Group(s)" field.
Reason | metadata.description | Value extracted from "Reason" field.
Remote_ip | target.ip, target.asset.ip | Value extracted from "Remote_ip" field.
ServerIP | target.ip, target.asset.ip | Value extracted from "ServerIP" field.
ServerPort | target.port | Value extracted from "ServerPort" field.
session_guid | metadata.product_log_id | Value extracted from "session_guid" field.
SessionId | network.session_id | Value extracted from "SessionId" field.
Source | principal.ip, principal.asset.ip | Value extracted from "Source" field.
Start Time | security_result.detection_fields[].value | Value extracted from "Start Time" field.
startTime | security_result.detection_fields[].value | Value extracted from "startTime" field.
Status | security_result.description | Value extracted from "Status" field.
Total_bytes_recv | network.received_bytes | Value extracted from "Total_bytes_recv" field.
Total_bytes_send | network.sent_bytes | Value extracted from "Total_bytes_send" field.
Total_bytes_wire_recv | security_result.detection_fields[].value | Value extracted from "Total_bytes_wire_recv" field.
Total_bytes_wire_send | security_result.detection_fields[].value | Value extracted from "Total_bytes_wire_send" field.
User | principal.user.userid | Value extracted from "User" field.
VserverServiceIP | target.ip, target.asset.ip | Value extracted from "VserverServiceIP" field.
VserverServicePort | target.port | Value extracted from "VserverServicePort" field.

Additional mapping logic listed in the reference (the corresponding UDM fields are not shown in the source):
  • Hardcoded to "CITRIX".
  • Hardcoded to "NETSCALER".
  • Hardcoded to "CITRIX_NETSCALER".
  • Determined by the parser based on the product_event_type. Examples: NETWORK_CONNECTION, USER_LOGIN, USER_LOGOUT, USER_STATS, STATUS_UPDATE, USER_UNCATEGORIZED, GENERIC_EVENT.
  • Value extracted from the log prefix (for example, CONN_DELINK, CONN_TERMINATE, OTHERCONN_DELINK).
  • A short description of the event, sometimes derived from other fields such as "Reason" or "Failure_reason".
  • Calculated from the date and time fields in the log entry. The parser handles various formats and time zones.
  • Extracted from the "username:domainname" field, taking the part after the colon.
  • Hardcoded to TCP for events with "TCP" in metadata.product_event_type.
  • Set to ALLOW for successful logins and commands, BLOCK for failed logins and blocked resource access.
  • Derived from fields such as "Status", "Failure_reason", and "Access".
  • Set to USERNAME_PASSWORD when a username and password are used for authentication (inferred from certain log messages).
  • Set to VPN for VPN-related login and logout events.
  • Parsed from the network.http.user_agent field using a user-agent parsing library.
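The following Python script is an added example, not code from the Google Security Operations parser or from Citrix. It shows the kind of processing the field mapping reference describes: splitting the log prefix from the message, parsing either key-value text or a JSON object body, falling back to the whole line when the message is empty, and mapping fields to UDM paths following the table above (Access to ALLOW/BLOCK, Duration to seconds, ports and byte counts to integers, time fields to detection_fields). The " - "-separated "Key value" layout, the HH:MM:SS duration format, the metadata.vendor_name, metadata.product_name and metadata.log_type names used for the hardcoded values, the "device_serial_number: <value>" form of the asset ID, and the sample log lines are all assumptions constructed for this example.

```python
import json
from typing import Any, Dict

# Constructed sample records (not captured NetScaler output). The assumed layout is
# "<prefix> : Key value - Key value - ...", a JSON object body, or a bare line.
SAMPLE_LOGS = [
    'SSLVPN LOGIN : SessionId 42 - User alice - ClientIP 10.1.1.5 - ClientPort 51234 - '
    'Access Allowed - Duration 00:02:15 - Browser_type "Mozilla/5.0" - Group(s) "vpn-users" - '
    'Start Time 01/02/2024:10:00:00 GMT',
    'AAA LOGIN_FAILED : User bob - ClientIP 10.1.1.9 - Failure_reason "Invalid credentials" - Access Denied',
    'CONN_DELINK : {"Source": "10.1.1.5", "Destination": "192.0.2.10", '
    '"Total_bytes_send": "1024", "Total_bytes_recv": "2048"}',
    'User carol - ClientIP 10.1.1.7',  # no message segment: whole line is parsed
]

# Keys containing spaces, matched longest-first so "Start Time 01/02/..." is not
# split at its first space.
MULTI_WORD_KEYS = sorted(["AAA trans id", "Start Time", "End Time"], key=len, reverse=True)

# Direct copies, following the page's mapping table.
COPY_MAP = {
    "ClientIP": ["principal.ip", "principal.asset.ip"],
    "Source": ["principal.ip", "principal.asset.ip"],
    "Destination": ["target.ip", "target.asset.ip"],
    "ServerIP": ["target.ip", "target.asset.ip"],
    "Remote_ip": ["target.ip", "target.asset.ip"],
    "VserverServiceIP": ["target.ip", "target.asset.ip"],
    "User": ["principal.user.userid"],
    "SessionId": ["network.session_id"],
    "session_guid": ["metadata.product_log_id"],
    "Browser_type": ["network.http.user_agent"],
    "Group(s)": ["target.group.group_display_name"],
    "Command": ["target.process.command_line"],
    "applicationName": ["principal.application"],
    "Failure_reason": ["metadata.description"],
    "Reason": ["metadata.description"],
    "Status": ["security_result.description"],
}
INT_MAP = {
    "ClientPort": "principal.port",
    "ServerPort": "target.port",
    "VserverServicePort": "target.port",
    "Total_bytes_recv": "network.received_bytes",
    "Total_bytes_send": "network.sent_bytes",
}
DETECTION_FIELD_KEYS = {"AAA trans id", "Start Time", "End Time", "startTime",
                        "connectionId", "Total_bytes_wire_recv", "Total_bytes_wire_send"}


def split_kv(message: str) -> Dict[str, str]:
    """Turn 'Key value - Key value' text into a dict; quotes around values are stripped."""
    fields: Dict[str, str] = {}
    for token in message.split(" - "):
        token = token.strip()
        if not token:
            continue
        key = next((k for k in MULTI_WORD_KEYS if token.startswith(k + " ")), None)
        if key is None:
            key, _, value = token.partition(" ")
        else:
            value = token[len(key) + 1:]
        fields[key] = value.strip().strip('"')
    return fields


def extract_fields(line: str) -> Dict[str, str]:
    """Separate the log prefix from the message, falling back to the whole line when
    the message is empty, and accept a JSON object body as well as key-value text."""
    prefix, sep, message = line.partition(" : ")
    if not sep or not message.strip():
        prefix, message = "", line
    body = message.strip()
    if body.startswith("{"):
        fields = {str(k): str(v) for k, v in json.loads(body).items()}
    else:
        fields = split_kv(body)
    if prefix:
        fields["_prefix"] = prefix.strip()
    return fields


def duration_to_seconds(value: str) -> int:
    """Assumed HH:MM:SS duration layout, converted to total seconds."""
    seconds = 0
    for part in value.split(":"):
        seconds = seconds * 60 + int(part)
    return seconds


def set_path(udm: Dict[str, Any], path: str, value: Any) -> None:
    """Assign value at a dotted UDM path, creating intermediate dicts."""
    node = udm
    keys = path.split(".")
    for key in keys[:-1]:
        node = node.setdefault(key, {})
    node[keys[-1]] = value


def to_udm(fields: Dict[str, str]) -> Dict[str, Any]:
    """Apply the mapping table to extracted fields and return a UDM-shaped dict."""
    udm: Dict[str, Any] = {
        # UDM field names for the hardcoded vendor/product/log type are assumed.
        "metadata": {"vendor_name": "CITRIX", "product_name": "NETSCALER",
                     "log_type": "CITRIX_NETSCALER"},
        "security_result": {"detection_fields": []},
    }
    if "_prefix" in fields:
        udm["metadata"]["product_event_type"] = fields["_prefix"]
    for key, value in fields.items():
        for path in COPY_MAP.get(key, []):
            set_path(udm, path, value)
        if key in INT_MAP and value.isdigit():
            set_path(udm, INT_MAP[key], int(value))
        if key in DETECTION_FIELD_KEYS:
            udm["security_result"]["detection_fields"].append({"key": key, "value": value})
    access = fields.get("Access")
    if access in ("Allowed", "Denied"):
        udm["security_result"]["action"] = "ALLOW" if access == "Allowed" else "BLOCK"
        udm["security_result"]["action_details"] = access
    if "Duration" in fields:
        set_path(udm, "network.session_duration.seconds", duration_to_seconds(fields["Duration"]))
    if "device_serial_number" in fields:  # "device_serial_number: <value>" form is assumed
        set_path(udm, "target.asset_id", "device_serial_number: " + fields["device_serial_number"])
    return udm


def parse_line(line: str) -> Dict[str, Any]:
    return to_udm(extract_fields(line))


if __name__ == "__main__":
    for raw in SAMPLE_LOGS:
        print(json.dumps(parse_line(raw), indent=2))
```

Unknown keys are carried through without a UDM path so the script does not invent mappings for them; a production parser would route such fields into additional.fields as the table does for client_cookie and flags.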
