Citrix Netscaler Web Logs

About

Citrix NetScaler is an Application Delivery Controller (ADC) built to optimize, manage, and secure network traffic. It inspects application-specific traffic to distribute, optimize, and protect Layer 4 to Layer 7 (L4–L7) network traffic. A Citrix ADC, for example, makes load-balancing decisions on individual HTTP requests rather than on long-lived TCP connections, so a server failure or delay can be handled considerably more promptly and with minimal client inconvenience. Switching features, security and protection features, and server-farm efficiency capabilities are all part of its feature set.

Product Details

Vendor URL: Citrix ADC

Product Type: Web Proxy

Product Tier: Tier II

Integration Method: Syslog

Log Guide: Configuring Web Logs

Parser Details

Log Format: SYSLOG + KV

Expected Normalization Rate: near 90%

Data Label: CITRIX_NETSCALER

UDM Fields (list of all UDM fields leveraged in the Parser):

| Log File Field | UDM Field |
|---|---|
| additional_duration | additional.fields |
| additional_memory_actual | additional.fields |
| additional_memory_expected | additional.fields |
| agt | intermediary.ip |
| ahost | intermediary.hostname |
| asset_ip | principal.asset.ip |
| appName | principal.application |
| Browser | network.http.user_agent |
| Browser_type | network.http.user_agent |
| categoryOutcome | security_result.action_details |
| cip | target.ip |
| CipherSuite | network.tls.cipher |
| client_ip | principal.ip |
| ClientIP | principal.ip |
| ClientPort | principal.port |
| clientUsername | principal.user.userid |
| ClientVersion | network.tls.version |
| cn1 | metadata.product_log_id |
| Command | target.process.command_line |
| cs1 | security_result.rule_name |
| cs3 | network.session_id |
| description | metadata.description |
| description | security_result.summary |
| destinationTranslatedAddress | target.ip |
| destinationTranslatedPort | target.port |
| deviceNtDomain | principal.administrative_domain |
| dhost | target.hostname |
| domain | principal.administrative_domain |
| domain | target.administrative_domain |
| dpt | target.port |
| dst | target.ip |
| dstIP | target.ip |
| dstPrt | target.port |
| duser | target.user.userid |
| dvc | observer.ip |
| dvc | target.ip |
| dvchost | observer.hostname |
| dvchost | target.hostname |
| dvcpid | observer.process.pid |
| Errmsg | metadata.description |
| eventId | metadata.product_log_id |
| Failure_reason | metadata.description |
| feature + message_type | metadata.product_event_type |
| fname | principal.application |
| fname | principal.process.command_line |
| geolocation | principal.asset.location.country_or_region |
| group_name | target.group.group_display_name |
| Group(s) | security_result.about.resource.name |
| hostname | observer.hostname |
| hostname | target.hostname |
| http_method | network.http.method |
| integer | target.port |
| message_type | metadata.product_event_type |
| method | network.http.method |
| Nat_ip | principal.artifact.ip |
| natIP | principal.asset.nat_ip |
| natip | principal.nat_ip |
| observer | target.hostname |
| observer | observer.hostname |
| observer | principal.ip |
| observer | target.ip |
| observer_domain | observer.domain.name |
| observer_ip | observer.ip |
| phostname | target.hostname |
| pid | target.process.pid |
| principal_ip | principal.ip |
| principal_port | principal.port |
| principal.user.userid | target.user.userid |
| reason | metadata.description |
| Reason | metadata.description |
| Remote_ip | principal.ip |
| remote_ip | principal.ip |
| request | target.url |
| sec_description | security_result.description |
| server_ip | target.ip |
| ServerIP | target.ip |
| ServerPort | target.port |
| sessionid | network.session_id |
| SessionId | network.session_id |
| severity | security_result.severity |
| severity | security_result.severity_details |
| shost | principal.hostname |
| sipp | principal.ip |
| spt | principal.port |
| src | principal.ip |
| srcIP | principal.ip |
| srcPrt | principal.port |
| SSLVPN_client_type | security_result.rule_name |
| status | security_result.action_details |
| suser | principal.user.userid |
| target_host | target.hostname |
| target_ip | target.ip |
| target_port | target.port |
| target_url | target.url |
| targeturl | target.url |
| TCP | network.ip_protocol |
| Total_bytes_recv | network.received_bytes |
| Total_bytes_send | network.sent_bytes |
| User | principal.user.userid |
| User | target.user.userid |
| user_email | target.user.email_addresses |
| userId | target.user.email_addresses |
| userId | target.user.userid |
| version | metadata.product_version |
| vport | target.port |
| vport | intermediary.port |
| Vserver_ip | intermediary.ip |
| vserverIP | target.ip |
| vserverIP | intermediary.ip |
| VserverServiceIP | observer.ip |
| VserverServicePort | observer.port |
| VserverServicePort | target.port |
| znatip | principal.nat_ip |

Product Event Types

| Event | UDM Event Classification |
|---|---|
| ![healthmon_grok_failed] | STATUS_UPDATE |
| ![no_value_observer] | PROCESS_LAUNCH |
| ![not_stats_event] | USER_STATS |
| [cefdata] != "" | GENERIC_EVENT |
| [cefdata] == "", [metadata] != "" | GENERIC_EVENT |
| [feature] == "AAA" | USER_LOGIN |
| [feature] == "AAATM" | USER_STATS |
| [feature] == "API" or [feature] == "GUI" | PROCESS_LAUNCH |
| [feature] == "SSLVPN" | NETWORK_CONNECTION |
| [feature] == "TCP" | NETWORK_CONNECTION |
| [healthmon_grok_failed] | GENERIC_EVENT |
| [message_type] == "ICASTART" | NETWORK_CONNECTION |
| [message_type] == "LOGIN" | USER_LOGIN |
| [message_type] == "SSLVPN ICAEND_CONNSTAT" | NETWORK_CONNECTION |
| [message_type] == "SSLVPN ICASTART" | NETWORK_CONNECTION |
| [message_type] =~ "CMD_EXECUTED" | PROCESS_LAUNCH |
| [message_type] =~ "CONN" | NETWORK_CONNECTION |
| [message_type] =~ "HTTP\|APPFW" | NETWORK_HTTP |
| [message_type] =~ "LOGIN_FAILED" | USER_LOGIN |
| [message_type] =~ "SSLVPN LOGIN" | USER_LOGIN |
| [message_type] in [ "SSLVPN TCPCONNSTAT", "TCP CONN_DELINK" ] | NETWORK_CONNECTION |
| [message_type] in [ "TCPCONNSTAT", "UDPFLOWSTAT" ] | NETWORK_CONNECTION |
| [message] !~ "entitydown" | GENERIC_EVENT |
| [vserver] =~ ":" | NETWORK_CONNECTION |

Log Samples

Dec 29 13:12:50 10.10.10.1 CEF: 0|Citrix|NetScaler||SSLVPN TCPCONNSTAT|TCP Connection Information|Low| eventId=1000000123 msg=Context janedoe@10.10.1.1 - SessionId: 123456 - User janedoe - Client_ip 10.10.1.1 - Nat_ip 10.10.11.2 - Vserver 10.10.12.1:443 - Source 10.10.1.1:4438 - Destination 10.10.13.2:443 - Start_time "12/29/2022:13:12:49 " - End_time "12/29/2022:13:12:49 " - Duration 00:00:00  - Total_bytes_send 0 - Total_bytes_recv 54321 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - Access Allowed - Group(s) "N/A" in=54321 out=0 categorySignificance=/Informational categoryBehavior=/Communicate/Response categoryDeviceGroup=/VPN catdt=Network-based IDS/IPS categoryOutcome=/Attempt categoryObject=/Host/Application/Service art=1672337570607 deviceSeverity=INFO act=Allowed rt=1672341169000 dvcpid=8001234 src=10.10.1.1 sourceZoneURI=/All Zones/ArcSight System/Public Address Space Zones/ARIN/155.0.0.0-10.1.1.1 (ARIN) suser=janedoe suid=janedoe@10.10.1.1 dhost=janedoepc-tx.example.com dst=10.10.12.1 destinationZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 destinationTranslatedAddress=10.10.13.2 destinationTranslatedZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 dpt=443 destinationTranslatedPort=443 dpriv=N/A oldFileId=ProcessId: 8001234 deviceCustomDate1=1672341169000 cs1Label=Object cs2Label=Monitor cs3Label=Field cs4Label=Device cs6Label=Script deviceCustomDate1Label=End Time ahost=prdtxlvarccol29.associatesys.local agt=10.10.10.1 agentZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 amac=00-E5-D4-C3-A1-B2 av=10.1.1.15 atz=US/Central at=syslog dvchost=prdTXapASCVPN05 dvc=10.157.72.10 deviceZoneURI=/All Zones/ArcSight System/Private Address Space Zones/RFC1918: 10.0.0.0-10.255.255.255 dtz=CST geid=0 _cefVer=0.1 ad.pid1=0-PPE-7 ad.ActionMode=default ad.Nat__ip=10.10.11.2 ad.sourcePort=4438 ad.sourceAddress=10.10.1.1 ad.Compression__ratio__send=0.00% ad.Total__compressedbytes__recv=0 ad.session=123456 ad.Compression__ratio__recv=0.00% ad.Duration=00:00:00 ad.Total__compressedbytes__send=0 aid=3eSBmYnkBABCLcVYo6k0iUQ\=\= smb_host=abcd-123456 smb_stage1=1234337943124 smb_uid=abcdefoFbN1fMbNY3tDb8Zw1234331234567890 smb_timezone=EST {"additional":[{"label":"smb_host","value":"abcd-123456"},{"label":"smb_stage1","value":"1234337943124"},{"label":"smb_uid","value":"abcdefoFbN1fMbNY3tDb8Zw1234331234567890"},{"label":"smb_timezone","value":"EST"}]}

Sample Parsing

metadata.product_log_id = "1000000123"
metadata.event_type = "NETWORK_CONNECTION"
metadata.product_event_type = "SSLVPN TCPCONNSTAT"
metadata.description = "TCP Connection Information"
additional.fields["smb_timezone"] = "EST"
additional.fields["smb_host"] = "abcd-123456"
additional.fields["smb_stage1"] = "1234337943124"
additional.fields["smb_uid"] = "abcdefoFbN1fMbNY3tDb8Zw1234331234567890"
principal.user.userid = "janedoe"
principal.ip = "10.10.1.1"
principal.location.state = "Ontario"
principal.location.country_or_region = "Canada"
principal.location.region_latitude = 55.01222
principal.location.region_longitude = -90.483242
principal.nat_ip = "10.10.11.2"
principal.asset.ip = "10.10.1.1"
principal.ip_location.state = "Ontario"
principal.ip_location.country_or_region = "United States"
principal.ip_location.region_latitude = 55.01222
principal.ip_location.region_longitude = -90.483242
target.hostname = "janedoepc-tx.example.com"
target.user.userid = "janedoe"
target.process.pid = "8001234"
target.ip = "10.10.12.1"
target.ip = "10.10.13.2"
target.port = 443
target.asset.hostname = "janedoepc-tx.example.com"
target.asset.ip = "10.10.12.1"
target.asset.ip = "10.10.13.2"
intermediary.hostname = "prdtxlvarccol29.associatesys.local"
intermediary.ip = "10.10.10.1"
observer.hostname = "prdTXapASCVPN05"
observer.process.pid = "8001234"
security_result.category_details = "Network-based IDS/IPS"
security_result.summary = "TCP Connection Information"
security_result.description = "Context janedoe@10.10.1.1 - SessionId: 123456 - User janedoe - Client_ip 10.10.1.1 - Nat_ip 10.10.11.2 - Vserver 10.10.12.1:443 - Source 10.10.1.1:4438 - Destination 10.10.13.2:443 - Start_time "12/29/2022:13:12:49 " - End_time "12/29/2022:13:12:49 " - Duration 00:00:00  - Total_bytes_send 0 - Total_bytes_recv 54321 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - Access Allowed - Group(s) "N/A""
security_result.action = "ALLOW"
security_result.severity = "LOW"
security_result.severity_details = "Low"
security_result.action_details = "Attempt"
network.received_bytes = 54321
network.ip_protocol = "TCP"
network.session_id = "123456"
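The following is an added example, not the product's parser: a small Python normalizer that walks the "SYSLOG + KV" path described above for the sample line (syslog prefix, CEF header, CEF extension, then NetScaler's own " - " separated "Key value" tokens inside msg), applies a subset of the Product Event Types conditions to pick metadata.event_type, and maps fields to UDM paths taken from the table on this page. The sample is an abridged, constructed copy of the log sample (most ArcSight fields and the Start_time/End_time tokens are dropped); the helper names, the rule evaluation order (message_type rules before feature rules), the msg -> security_result.description and Nat_ip -> principal.nat_ip choices (read off the Sample Parsing block rather than the table), and keeping repeated UDM fields such as target.ip as lists are all assumptions made for the example.

```python
import json
import re

# Abridged copy of the page's log sample (constructed for this example).
SAMPLE = (
    "Dec 29 13:12:50 10.10.10.1 CEF: 0|Citrix|NetScaler||SSLVPN TCPCONNSTAT|"
    "TCP Connection Information|Low| eventId=1000000123 msg=Context janedoe@10.10.1.1"
    " - SessionId: 123456 - User janedoe - Client_ip 10.10.1.1 - Nat_ip 10.10.11.2"
    " - Vserver 10.10.12.1:443 - Source 10.10.1.1:4438 - Destination 10.10.13.2:443"
    ' - Total_bytes_send 0 - Total_bytes_recv 54321 - Access Allowed - Group(s) "N/A"'
    " in=54321 out=0 catdt=Network-based IDS/IPS categoryOutcome=/Attempt act=Allowed"
    " dvcpid=8001234 src=10.10.1.1 suser=janedoe dhost=janedoepc-tx.example.com"
    " dst=10.10.12.1 destinationTranslatedAddress=10.10.13.2 dpt=443"
    " destinationTranslatedPort=443 ahost=prdtxlvarccol29.associatesys.local"
    " agt=10.10.10.1 dvchost=prdTXapASCVPN05 dvc=10.157.72.10"
    " aid=3eSBmYnkBABCLcVYo6k0iUQ\\=\\= smb_host=abcd-123456 smb_timezone=EST"
    ' {"additional":[{"label":"smb_host","value":"abcd-123456"},'
    '{"label":"smb_timezone","value":"EST"}]}'
)

SYSLOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) CEF:\s*(?P<cef>.*)$", re.S)
KEY_RE = re.compile(r"(?:^|\s)([A-Za-z_][\w.]*)=")  # start of a CEF extension key
HEADER = ("version", "vendor", "product", "device_version", "signature_id", "name", "severity")

# CEF extension key -> UDM path (subset of the page's table; msg -> description
# is taken from the Sample Parsing block, an assumption for this example).
FIELD_MAP = {
    "eventId": "metadata.product_log_id", "msg": "security_result.description",
    "categoryOutcome": "security_result.action_details", "dvcpid": "observer.process.pid",
    "src": "principal.ip", "suser": "principal.user.userid", "dhost": "target.hostname",
    "dst": "target.ip", "destinationTranslatedAddress": "target.ip", "dpt": "target.port",
    "destinationTranslatedPort": "target.port", "ahost": "intermediary.hostname",
    "agt": "intermediary.ip", "dvchost": "observer.hostname",
}
# NetScaler "Key value" tokens inside msg -> UDM path (from the same table).
MSG_MAP = {"Nat_ip": "principal.nat_ip", "SessionId": "network.session_id",
           "Total_bytes_recv": "network.received_bytes", "Total_bytes_send": "network.sent_bytes"}
INT_FIELDS = {"target.port", "network.received_bytes", "network.sent_bytes"}


def parse_extension(ext):
    """Split the CEF extension into key/value pairs. A value runs until the next
    ' key=' token, so values containing spaces survive; '\\=' is an escaped '='."""
    ext = ext.strip()
    hits = list(KEY_RE.finditer(ext))
    fields = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(ext)
        fields[m.group(1)] = ext[m.end():end].strip().replace("\\=", "=")
    return fields


def pop_trailing_json(fields):
    """The collector appends a JSON document after the last token, so it lands
    inside the last value; split it off and return its label/value pairs."""
    if not fields:
        return {}
    last = list(fields)[-1]
    value, sep, tail = fields[last].partition(" {")
    if not sep:
        return {}
    try:
        doc = json.loads("{" + tail)
    except json.JSONDecodeError:
        return {}
    fields[last] = value
    return {item["label"]: item["value"] for item in doc.get("additional", [])}


def parse_msg(msg):
    """NetScaler's own ' - ' separated 'Key value' tokens (SessionId: 123456, Nat_ip ...)."""
    out = {}
    for token in msg.split(" - "):
        key, _, value = token.strip().partition(" ")
        out[key.rstrip(":")] = value.strip().strip('"')
    return out


def classify(feature, message_type):
    """Product Event Types table reduced to one if-chain (order is an assumption)."""
    if re.search(r"LOGIN", message_type):            # LOGIN, LOGIN_FAILED, SSLVPN LOGIN
        return "USER_LOGIN"
    if re.search(r"CMD_EXECUTED", message_type):
        return "PROCESS_LAUNCH"
    if re.search(r"HTTP|APPFW", message_type):
        return "NETWORK_HTTP"
    if re.search(r"CONN|ICASTART|ICAEND|UDPFLOWSTAT", message_type):
        return "NETWORK_CONNECTION"
    return {"AAA": "USER_LOGIN", "AAATM": "USER_STATS", "API": "PROCESS_LAUNCH",
            "GUI": "PROCESS_LAUNCH", "SSLVPN": "NETWORK_CONNECTION",
            "TCP": "NETWORK_CONNECTION"}.get(feature, "GENERIC_EVENT")


def normalize(line):
    """Return a dict of UDM path -> list of values for one syslog-wrapped CEF line."""
    m = SYSLOG_RE.match(line)
    if not m:
        raise ValueError("not a syslog-wrapped CEF line")
    parts = re.split(r"(?<!\\)\|", m.group("cef"), maxsplit=7)  # unescaped pipes only
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = dict(zip(HEADER, parts[:7]))
    ext = parse_extension(parts[7])
    additional = pop_trailing_json(ext)
    feature, _, message_type = header["signature_id"].partition(" ")
    udm = {}

    def put(path, value):
        value = int(value) if path in INT_FIELDS else value
        if value not in udm.setdefault(path, []):
            udm[path].append(value)

    put("metadata.event_type", classify(feature, message_type))
    put("metadata.product_event_type", header["signature_id"])
    put("metadata.description", header["name"])
    put("security_result.severity", header["severity"].upper())
    put("security_result.severity_details", header["severity"])
    for key, value in ext.items():
        if key in FIELD_MAP:
            put(FIELD_MAP[key], value.lstrip("/"))   # "/Attempt" -> "Attempt"
    for key, value in parse_msg(ext.get("msg", "")).items():
        if key in MSG_MAP:
            put(MSG_MAP[key], value)
    if ext.get("act") == "Allowed":
        put("security_result.action", "ALLOW")
    for label, value in additional.items():
        put(f'additional.fields["{label}"]', value)
    return udm


if __name__ == "__main__":
    print(json.dumps(normalize(SAMPLE), indent=2))
```

Two points worth noting when checking a parser against the "near 90%" normalization rate above: the msg value is only recoverable because every other token on the line is a `key=` pair, so any NetScaler message that itself contains a space followed by `word=` will be split early, and the trailing JSON block silently becomes part of smb_timezone unless it is peeled off as done here.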

Parser Alerting

This product currently does not have any parser-based alerting.

Rules

Coming Soon