Citrix NetScaler Web Logs

About
Citrix NetScaler is an Application Delivery Controller (ADC) built to optimize, manage, and secure network traffic. It inspects application-specific traffic in order to distribute, optimize, and protect Layer 4 to Layer 7 (L4–L7) traffic. A Citrix ADC, for example, makes load-balancing decisions per HTTP request rather than per long-lived TCP connection, so a server failure or delay can be handled far more promptly and with minimal disruption to clients. Its feature set covers switching, security and protection features, and server-farm efficiency capabilities.
Product Details
Vendor URL: Citrix ADC
Product Type: Web Proxy
Product Tier: Tier II
Integration Method: Syslog
Log Guide: Configuring Web Logs
Parser Details
Log Format: SYSLOG + KV
Expected Normalization Rate: near 90%
Data Label: CITRIX_NETSCALER
UDM Fields (list of all UDM fields leveraged in the Parser):
| Log File Field | UDM Field |
|---|---|
| additional_duration | additional.fields |
| additional_memory_actual | additional.fields |
| additional_memory_expected | additional.fields |
| agt | intermediary.ip |
| ahost | intermediary.hostname |
| asset_ip | principal.asset.ip |
| appName | principal.application |
| Browser | network.http.user_agent |
| Browser_type | network.http.user_agent |
| categoryOutcome | security_result.action_details |
| cip | target.ip |
| CipherSuite | network.tls.cipher |
| client_ip | principal.ip |
| ClientIP | principal.ip |
| ClientPort | principal.port |
| clientUsername | principal.user.userid |
| ClientVersion | network.tls.version |
| cn1 | metadata.product_log_id |
| Command | target.process.command_line |
| cs1 | security_result.rule_name |
| cs3 | network.session_id |
| description | metadata.description |
| description | security_result.summary |
| destinationTranslatedAddress | target.ip |
| destinationTranslatedPort | target.port |
| deviceNtDomain | principal.administrative_domain |
| dhost | target.hostname |
| domain | principal.administrative_domain |
| domain | target.administrative_domain |
| dpt | target.port |
| dst | target.ip |
| dstIP | target.ip |
| dstPrt | target.port |
| duser | target.user.userid |
| dvc | observer.ip |
| dvc | target.ip |
| dvchost | observer.hostname |
| dvchost | target.hostname |
| dvcpid | observer.process.pid |
| Errmsg | metadata.description |
| eventId | metadata.product_log_id |
| Failure_reason | metadata.description |
| feature message_type | metadata.product_event_type |
| fname | principal.application |
| fname | principal.process.command_line |
| geolocation | principal.asset.location.country_or_region |
| group_name | target.group.group_display_name |
| Group(s) | security_result.about.resource.name |
| hostname | observer.hostname |
| hostname | target.hostname |
| http_method | network.http.method |
| integer | target.port |
| message_type | metadata.product_event_type |
| method | network.http.method |
| Nat_ip | principal.artifact.ip |
| natIP | principal.asset.nat_ip |
| natip | principal.nat_ip |
| observer | target.hostname |
| observer | observer.hostname |
| observer | principal.ip |
| observer | target.ip |
| observer_domain | observer.domain.name |
| observer_ip | observer.ip |
| phostname | target.hostname |
| pid | target.process.pid |
| principal_ip | principal.ip |
| principal_port | principal.port |
| principal.user.userid | target.user.userid |
| reason | metadata.description |
| Reason | metadata.description |
| Remote_ip | principal.ip |
| remote_ip | principal.ip |
| request | target.url |
| sec_description | security_result.description |
| server_ip | target.ip |
| ServerIP | target.ip |
| ServerPort | target.port |
| sessionid | network.session_id |
| SessionId | network.session_id |
| severity | security_result.severity |
| severity | security_result.severity_details |
| shost | principal.hostname |
| sipp | principal.ip |
| spt | principal.port |
| src | principal.ip |
| srcIP | principal.ip |
| srcPrt | principal.port |
| SSLVPN_client_type | security_result.rule_name |
| status | security_result.action_details |
| suser | principal.user.userid |
| target_host | target.hostname |
| target_ip | target.ip |
| target_port | target.port |
| target_url | target.url |
| targeturl | target.url |
| TCP | network.ip_protocol |
| Total_bytes_recv | network.received_bytes |
| Total_bytes_send | network.sent_bytes |
| User | principal.user.userid |
| User | target.user.userid |
| user_email | target.user.email_addresses |
| userId | target.user.email_addresses |
| userId | target.user.userid |
| version | metadata.product_version |
| vport | target.port |
| vport | intermediary.port |
| Vserver_ip | intermediary.ip |
| vserverIP | target.ip |
| vserverIP | intermediary.ip |
| VserverServiceIP | observer.ip |
| VserverServicePort | observer.port |
| VserverServicePort | target.port |
| znatip | principal.nat_ip |
Product Event Types
| Event | UDM Event Classification |
|---|---|
| ![healthmon_grok_failed] | STATUS_UPDATE |
| ![no_value_observer] | PROCESS_LAUNCH |
| ![not_stats_event] | USER_STATS |
| [cefdata] != "" | GENERIC_EVENT |
| [cefdata] == "", [metadata] != "" | GENERIC_EVENT |
| [feature] == "AAA" | USER_LOGIN |
| [feature] == "AAATM" | USER_STATS |
| [feature] == "API" or [feature] == "GUI" | PROCESS_LAUNCH |
| [feature] == "SSLVPN" | NETWORK_CONNECTION |
| [feature] == "TCP" | NETWORK_CONNECTION |
| [healthmon_grok_failed] | GENERIC_EVENT |
| [message_type] == "ICASTART" | NETWORK_CONNECTION |
| [message_type] == "LOGIN" | USER_LOGIN |
| [message_type] == "SSLVPN ICAEND_CONNSTAT" | NETWORK_CONNECTION |
| [message_type] == "SSLVPN ICASTART" | NETWORK_CONNECTION |
| [message_type] =~ "CMD_EXECUTED" | PROCESS_LAUNCH |
| [message_type] =~ "CONN" | NETWORK_CONNECTION |
| [message_type] =~ "HTTP|APPFW" | NETWORK_HTTP |
| [message_type] =~ "LOGIN_FAILED" | USER_LOGIN |
| [message_type] =~ "SSLVPN LOGIN" | USER_LOGIN |
| [message_type] in [ "SSLVPN TCPCONNSTAT", "TCP CONN_DELINK" ] | NETWORK_CONNECTION |
| [message_type] in [ "TCPCONNSTAT", "UDPFLOWSTAT" ] | NETWORK_CONNECTION |
| [message] !~ "entitydown" | GENERIC_EVENT |
| [vserver] =~ ":" | NETWORK_CONNECTION |
Log Samples
Dec 29 13:12:50 10.10.10.1 CEF: 0|Citrix|NetScaler||SSLVPN TCPCONNSTAT|TCP Connection Information|Low| eventId=1000000123 msg=Context janedoe@10.10.1.1 - SessionId: 123456 - User janedoe - Client_ip 10.10.1.1 - Nat_ip 10.10.11.2 - Vserver 10.10.12.1:443 - Source 10.10.1.1:4438 - Destination 10.10.13.2:443 - Start_time "12/29/2022:13:12:49 " - End_time "12/29/2022:13:12:49 " - Duration 00:00:00 - Total_bytes_send 0 - Total_bytes_recv 54321 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - Access Allowed - Group(s) "N/A" in=54321 out=0 categorySignificance=/Informational categoryBehavior=/Communicate/Response categoryDeviceGroup=/VPN catdt=Network-based IDS/IPS categoryOutcome=/Attempt categoryObject=/Host/Application/Service art=1672337570607 deviceSeverity=INFO act=Allowed rt=1672341169000 dvcpid=8001234 src=10.10.1.1 sourceZoneURI=/All Zones/ArcSight System/Public Address Space Zones/ARIN/155.0.0.0-10.1.1.1 (ARIN) suser=janedoe suid=janedoe@10.10.1.1 dhost=janedoepc-tx.example.com dst=10.10.12.1 destinationZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 destinationTranslatedAddress=10.10.13.2 destinationTranslatedZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 dpt=443 destinationTranslatedPort=443 dpriv=N/A oldFileId=ProcessId: 8001234 deviceCustomDate1=1672341169000 cs1Label=Object cs2Label=Monitor cs3Label=Field cs4Label=Device cs6Label=Script deviceCustomDate1Label=End Time ahost=prdtxlvarccol29.associatesys.local agt=10.10.10.1 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 amac=00-E5-D4-C3-A1-B2 av=10.1.1.15 atz=US/Central at=syslog dvchost=prdTXapASCVPN05 dvc=10.157.72.10 deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 dtz=CST geid=0 _cefVer=0.1 ad.pid1=0-PPE-7 ad.ActionMode=default ad.Nat__ip=10.10.11.2 ad.sourcePort=4438 ad.sourceAddress=10.10.1.1 ad.Compression__ratio__send=0.00% ad.Total__compressedbytes__recv=0 ad.session=123456 ad.Compression__ratio__recv=0.00% ad.Duration=00:00:00 ad.Total__compressedbytes__send=0 aid=3eSBmYnkBABCLcVYo6k0iUQ\=\= smb_host=abcd-123456 smb_stage1=1234337943124 smb_uid=abcdefoFbN1fMbNY3tDb8Zw1234331234567890 smb_timezone=EST {"additional":[{"label":"smb_host","value":"abcd-123456"},{"label":"smb_stage1","value":"1234337943124"},{"label":"smb_uid","value":"abcdefoFbN1fMbNY3tDb8Zw1234331234567890"},{"label":"smb_timezone","value":"EST"}]}
Sample Parsing
metadata.product_log_id = "1000000123"
metadata.event_type = "NETWORK_CONNECTION"
metadata.product_event_type = "SSLVPN TCPCONNSTAT"
metadata.description = "TCP Connection Information"
additional.fields["smb_timezone"] = "EST"
additional.fields["smb_host"] = "abcd-123456"
additional.fields["smb_stage1"] = "1234337943124"
additional.fields["smb_uid"] = "abcdefoFbN1fMbNY3tDb8Zw1234331234567890"
principal.user.userid = "janedoe"
principal.ip = "10.10.1.1"
principal.location.state = "Ontario"
principal.location.country_or_region = "Canada"
principal.location.region_latitude = 55.01222
principal.location.region_longitude = -90.483242
principal.nat_ip = "10.10.11.2"
principal.asset.ip = "10.10.1.1"
principal.ip_location.state = "Ontario"
principal.ip_location.country_or_region = "United States"
principal.ip_location.region_latitude = 55.01222
principal.ip_location.region_longitude = -90.483242
target.hostname = "janedoepc-tx.example.com"
target.user.userid = "janedoe"
target.process.pid = "8001234"
target.ip = "10.10.12.1"
target.ip = "10.10.13.2"
target.port = 443
target.asset.hostname = "janedoepc-tx.example.com"
target.asset.ip = "10.10.12.1"
target.asset.ip = "10.10.13.2"
intermediary.hostname = "prdtxlvarccol29.associatesys.local"
intermediary.ip = "10.10.10.1"
observer.hostname = "prdTXapASCVPN05"
observer.process.pid = "8001234"
security_result.category_details = "Network-based IDS/IPS"
security_result.summary = "TCP Connection Information"
security_result.description = "Context janedoe@10.10.1.1 - SessionId: 123456 - User janedoe - Client_ip 10.10.1.1 - Nat_ip 10.10.11.2 - Vserver 10.10.12.1:443 - Source 10.10.1.1:4438 - Destination 10.10.13.2:443 - Start_time "12/29/2022:13:12:49 " - End_time "12/29/2022:13:12:49 " - Duration 00:00:00 - Total_bytes_send 0 - Total_bytes_recv 54321 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - Access Allowed - Group(s) "N/A""
security_result.action = "ALLOW"
security_result.severity = "LOW"
security_result.severity_details = "Low"
security_result.action_details = "Attempt"
network.received_bytes = 54321
network.ip_protocol = "TCP"
network.session_id = "123456"
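The UDM field table, the Product Event Types table and the sample above describe one end-to-end path: syslog header, CEF header, CEF extension key/value pairs, the free-text msg body, and finally a UDM record. The Python below is an added example that walks that path; it is not the Chronicle parser and not Citrix code. The input is a constructed line adapted from the log sample above (the trailing JSON residue is dropped). UDM field paths are taken from the table on this page; the rule order in classify(), the precedence given to structured extension keys over values recovered from msg, and the helper names (parse_cef, parse_msg, classify, to_udm, _put) are assumptions of this example.

```python
"""UDM-style normalisation of a Citrix NetScaler CEF-over-syslog line (added example, not
the Chronicle parser). UDM field paths follow the table on this page; the rule order in
classify() and every helper name here are assumptions."""
import re

# Constructed sample adapted from the page's log sample (trailing JSON residue dropped).
SAMPLE = (
    "Dec 29 13:12:50 10.10.10.1 CEF: 0|Citrix|NetScaler||SSLVPN TCPCONNSTAT|"
    "TCP Connection Information|Low| eventId=1000000123 msg=Context janedoe@10.10.1.1"
    " - SessionId: 123456 - User janedoe - Client_ip 10.10.1.1 - Nat_ip 10.10.11.2"
    " - Vserver 10.10.12.1:443 - Source 10.10.1.1:4438 - Destination 10.10.13.2:443"
    ' - Start_time "12/29/2022:13:12:49 " - End_time "12/29/2022:13:12:49 " - Duration 00:00:00'
    ' - Total_bytes_send 0 - Total_bytes_recv 54321 - Access Allowed - Group(s) "N/A"'
    " in=54321 out=0 catdt=Network-based IDS/IPS categoryOutcome=/Attempt act=Allowed"
    " dvcpid=8001234 src=10.10.1.1 suser=janedoe dhost=janedoepc-tx.example.com"
    " dst=10.10.12.1 destinationTranslatedAddress=10.10.13.2 dpt=443"
    " ahost=prdtxlvarccol29.associatesys.local agt=10.10.10.1 dvchost=prdTXapASCVPN05"
    " aid=3eSBmYnkBABCLcVYo6k0iUQ\\=\\= smb_host=abcd-123456 smb_timezone=EST")

_HEADER = re.compile(r"CEF:\s*\d+\|(.*)$")
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")  # '\=' inside a value never starts a key

def parse_cef(line):
    """Return (header dict, extension dict); '\\|' and '\\=' escapes are honoured."""
    m = _HEADER.search(line)
    if not m:
        raise ValueError("not a CEF line")
    parts = re.split(r"(?<!\\)\|", m.group(1), maxsplit=6)
    if len(parts) != 7:
        raise ValueError("truncated CEF header")
    names = ("vendor", "product", "version", "signature_id", "name", "severity")
    header = dict(zip(names, (p.replace("\\|", "|") for p in parts)))
    ext, keys = {}, list(_EXT_KEY.finditer(parts[6]))
    for i, k in enumerate(keys):  # a value runs up to the next ' key=' boundary
        end = keys[i + 1].start() if i + 1 < len(keys) else len(parts[6])
        ext[k.group(1)] = parts[6][k.end():end].strip().replace("\\=", "=")
    return header, ext

def parse_msg(msg):
    """Split the free-text 'Key value - Key value' body; first occurrence of a key wins."""
    out = {}
    for seg in msg.split(" - "):
        kv = seg.strip().split(None, 1)
        if len(kv) == 2:
            out.setdefault(kv[0].rstrip(":"), kv[1].strip().strip('"').strip())
    return out

def classify(product_event_type):
    """'<feature> <message_type>' -> UDM event type, after the Product Event Types table."""
    feature, _, mt = product_event_type.partition(" ")
    mt = mt or feature
    if "LOGIN" in mt:  # LOGIN, LOGIN_FAILED, SSLVPN LOGIN
        return "USER_LOGIN"
    if "CMD_EXECUTED" in mt:
        return "PROCESS_LAUNCH"
    if re.search(r"HTTP|APPFW", product_event_type):
        return "NETWORK_HTTP"
    if "CONN" in mt or mt in {"TCPCONNSTAT", "UDPFLOWSTAT", "ICASTART"}:
        return "NETWORK_CONNECTION"
    return {"AAA": "USER_LOGIN", "AAATM": "USER_STATS", "API": "PROCESS_LAUNCH",
            "GUI": "PROCESS_LAUNCH", "SSLVPN": "NETWORK_CONNECTION",
            "TCP": "NETWORK_CONNECTION"}.get(feature, "GENERIC_EVENT")

# Structured CEF extension keys and free-text msg keys, mapped per the UDM table above.
EXT_MAP = {"suser": "principal.user.userid", "src": "principal.ip", "spt": "principal.port",
           "dhost": "target.hostname", "dst": "target.ip", "dpt": "target.port",
           "destinationTranslatedAddress": "target.ip", "dvchost": "observer.hostname",
           "dvcpid": "observer.process.pid", "ahost": "intermediary.hostname",
           "agt": "intermediary.ip", "catdt": "security_result.category_details",
           "in": "network.received_bytes", "out": "network.sent_bytes"}
MSG_MAP = {"User": "principal.user.userid", "Client_ip": "principal.ip", "Nat_ip": "principal.nat_ip",
           "SessionId": "network.session_id", "Total_bytes_recv": "network.received_bytes",
           "Total_bytes_send": "network.sent_bytes", "Group(s)": "security_result.about.resource.name"}
INT_FIELDS = {"principal.port", "target.port", "network.received_bytes", "network.sent_bytes"}
MULTI_FIELDS = {"target.ip"}  # repeated field in the page's sample parsing
SEVERITY = {"low": "LOW", "medium": "MEDIUM", "high": "HIGH", "very-high": "CRITICAL"}
ACTION = {"allowed": "ALLOW", "denied": "BLOCK"}

def _put(udm, field, value, trusted):
    """Store one value: '' and 'N/A' are dropped, ports/bytes become ints, only trusted keys overwrite."""
    if value in ("", "N/A") or (field in INT_FIELDS and not value.isdigit()):
        return
    value = int(value) if field in INT_FIELDS else value
    if field in MULTI_FIELDS:
        if value not in udm.setdefault(field, []):
            udm[field].append(value)
    elif trusted or field not in udm:
        udm[field] = value

def to_udm(line):
    """Normalise one line into a flat dict keyed by UDM field path."""
    header, ext = parse_cef(line)
    pet, name, sev = header["signature_id"], header["name"], header["severity"]
    udm = {"metadata.product_log_id": ext.get("eventId"), "metadata.product_event_type": pet,
           "metadata.event_type": classify(pet), "metadata.description": name,
           "security_result.summary": name, "security_result.description": ext.get("msg"),
           "security_result.severity": SEVERITY.get(sev.lower()), "security_result.severity_details": sev,
           "security_result.action": ACTION.get(ext.get("act", "").lower()),
           "security_result.action_details": ext.get("categoryOutcome", "").lstrip("/"),
           "additional.fields": {k: v for k, v in ext.items() if k.startswith("smb_")}}
    # msg is free text carrying user-influenced strings (the username inside Context), so it is
    # applied first and only the structured extension keys may overwrite what it produced.
    msg = parse_msg(ext.get("msg", ""))
    for key, field in MSG_MAP.items():
        _put(udm, field, msg.get(key, ""), trusted=False)
    for key, field in EXT_MAP.items():
        _put(udm, field, ext.get(key, ""), trusted=True)
    proto = re.search(r"\b(TCP|UDP)", pet)  # 'TCP' -> network.ip_protocol, per the table
    udm["network.ip_protocol"] = proto.group(1) if proto else None
    return {k: v for k, v in udm.items() if v not in (None, "", 0, {})}
```

Two checks are worth keeping when adapting this. The extension parser treats `\=` as an escaped character rather than a key boundary (the `aid` value in the sample ends in `\=\=`), so a naive split on `=` would truncate it. Values recovered from the free-text msg body are only used where no structured CEF key (`suser`, `src`, `dst`, `dpt`) supplies the same UDM field, because msg embeds user-influenced strings such as the username inside `Context`. Non-CEF lines raise ValueError here; the `[cefdata] == ""` rows of the Product Event Types table show that the real parser instead routes such lines to GENERIC_EVENT rather than dropping them.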
Parser Alerting
This product currently does not have any Parser-based Alerting.