Citrix Netscaler Web Logs

About

Citrix Netscaler Web Logs are generated by Citrix ADC, which is "..the most comprehensive application delivery and load balancing solution for small and medium-size businesses. Which means you can deliver a better user experience, on any device—anywhere."

Product Details

Vendor URL: Citrix ADC

Product Type: Web Proxy

Product Tier: Tier II

Integration Method: Syslog

Log Guide: Configuring Web Logs

Parser Details

Log Format: W3C

Expected Normalization Rate: near 100%

Data Label: CITRIX_NETSCALER_WEB_LOGS

UDM Fields (list of all UDM fields leveraged in the Parser):

Log File Field	UDM Field
"Citrix Netscaler Web"	metadata.product_name
"Citrix"	metadata.vendor_name
"NETWORK_CONNECTION"	metadata.event_type
bytes_received	network.received_bytes
bytes_sent	network.sent_bytes
local_ip	target.ip
local_port	target.port
method	network.http.method
referer	network.http.referral_url
remote_ip	principal.ip
status	network.http.response_code
url_path_requested	target.url
user_agent	"network.http.user_agent

Product Event Types

Event	UDM Event Classification
All	NETWORK_CONNECTION

Log Samples

2021-11-19 13:31:56 10.10.10.1 - HTTP 10.1.2.3 443 POST /autodiscover/autodiscover.xml - 200 818 1033 0 HTTP/1.1 "AppleExchangeWebServices/818.0.1 accountsd/113" "X-BackEndCookie=S-1-5-21-redacted" "-" "-" 0 10434 - -�

Sample Parsing

metadata.event_timestamp = "2021-11-19T17:21:34Z"
metadata.event_type = "NETWORK_CONNECTION"
metadata.vendor_name = "Citrix"
metadata.product_name = "Citrix Netscaler Web"
principal.ip = "10.1.2.3"
principal.asset.ip = "10.1.2.3"
target.ip = "10.2.3.4"
target.port = 443
target.url = "/autodiscover/autodiscover.xml"
target.asset.ip = "10.2.3.4"
network.sent_bytes = "1033"
network.received_bytes = "818"
network.http.method = "POST"
network.http.referral_url = "-"
network.http.user_agent = "AppleExchangeWebServices/818.0.1 accountsd/113"
network.http.response_code = 200

Parser Alerting

This product currently does not have any Parser-based Alerting