Collect NetScaler logs

This document describes how you can collect the NetScaler logs by using a Google Security Operations forwarder.

For more information, see Data ingestion to Google Security Operations overview.

An ingestion label identifies the parser which normalizes raw log data to structured UDM format. The information in this document applies to the parser with the CITRIX_NETSCALER ingestion label.

Configure NetScaler VPX

To configure the NetScaler VPX to send logs to the Google Security Operations forwarder, do the following:

Verify hostname configuration

  1. Sign in to the NetScaler web interface using administrator credentials.
  2. Select Configuration > Settings.
  3. Click Host name, DNS IP address, and Time zone.
  4. If the Host name field is empty, enter the hostname. Don't include spaces. If this field is already configured, then no action is required.
  5. In the DNS IP address field, verify if the local DNS IP address is specified.
  6. In the Time zone field, enter your time zone.

Create auditing server

  1. In the NetScaler web interface, select Configuration > System > Auditing > Syslog > Servers.
  2. Specify the syslog details in the following fields:
    • Name
    • Server type
    • IP address
    • Port
  3. Select Log levels as Custom.
  4. Select all checkboxes except DEBUG level in the configuration.
  5. In the Log facility list, select LOCAL0.
  6. In the Date format list, select MMDDYYYY.
  7. Select Time zone as GMT.
  8. Clear the following checkboxes:
    • TCP logging
    • ACL logging
    • User configurable log messages
    • AppFlow logging
    • Large scale NAT logging
    • ALG messages logging
    • Subscriber logging
    • DNS
    • SSL interception
    • URL filtering
    • Content inspection logging
  9. Click Ok to create the auditing server.

Bind the created audit policy to the server

  1. In the NetScaler web interface, select Configuration > System > Auditing > Syslog.
  2. Click the Policies tab.
  3. In the Name field, enter a name for the policy.
  4. In the Server list, select the policy from the previous section.
  5. Click Create.
  6. Right-click the created auditing policy and select Action > Global bindings.
  7. Click Add binding.
  8. In the Policy binding window, do the following:
    1. In the Select policy field, enter the created audit policy.
    2. In the Binding details pane, in the Priority field, enter 120 (the default priority).
    3. Click Bind.

Configure NetScaler SDX

To configure the NetScaler SDX to send logs to the Google Security Operations forwarder, do the following:

Verify hostname configuration for NetScaler SDX

  1. Sign in to the NetScaler web interface using administrator credentials.
  2. In the NetScaler web interface, select System > System settings.
  3. If the Host name field is empty, enter the hostname. Don't include spaces. If this field is already configured, then no action is required.
  4. In the Time zone field, select UTC or GMT.

Configure the syslog server

  1. In the NetScaler web interface, select System > Notifications > Syslog servers.
  2. In the Details pane, click Add.
  3. In the Create syslog server window, specify values for the following syslog server parameters:
    1. In the Name field, enter a name.
    2. In the IP address field, enter the Google Security Operations forwarder IP address.
    3. In the Port field, enter the port number.
    4. Select Log levels as Custom.
    5. Select all log levels except Debug.
  4. Click Create.

Configure the syslog parameters

  1. In the NetScaler web interface, select System > Notifications > Syslog servers.
  2. In the Details pane, click Syslog parameters.
  3. In the Configure syslog parameters page, select Date format as MMDDYYYY and select Time zone as GMT.
  4. Click Ok.

Configure the Google Security Operations forwarder to ingest NetScaler logs

  1. Select SIEM Settings > Forwarders.
  2. Click Add new forwarder.
  3. In the Forwarder name field, enter a unique name for the forwarder.
  4. Click Submit and then click Confirm. The forwarder is added and the Add collector configuration window appears.
  5. In the Collector name field, type a unique name for the collector.
  6. Select Citrix NetScaler as the Log type.
  7. In the Collector type field, select Syslog.
  8. Configure the following mandatory input parameters:
    • Protocol: specify the connection protocol that the collector uses to listen to syslog data.
    • Address: specify the target IP address or hostname where the collector resides and listens to syslog data.
    • Port: specify the target port where the collector resides and listens to syslog data.
  9. Click Submit.

For more information about the Google Security Operations forwarders, see Manage forwarder configurations through the Google Security Operations UI.

If you encounter issues when you create forwarders, contact Google Security Operations support.

Field mapping reference

This parser processes Citrix NetScaler syslog logs in key-value format. It extracts JSON-formatted data from the message field and enriches the UDM event with information from other fields, such as host.hostname and user_agent.original, after sanitizing them. When the primary message is empty, the parser falls back to the original log message.

UDM mapping table

Rows whose Log field is shown as (none) hold values that the parser hardcodes or derives rather than copies from a single log field.

Log field | UDM mapping | Logic
AAA trans id | security_result.detection_fields[].value | Value extracted from the "AAA trans id" field.
Access | security_result.action_details | If "Access" is "Allowed", security_result.action is set to ALLOW. If "Access" is "Denied", security_result.action is set to BLOCK.
applicationName | principal.application | Value extracted from the "applicationName" field.
Browser_type | network.http.user_agent | Value extracted from the "Browser_type" field.
ClientIP | principal.ip, principal.asset.ip | Value extracted from the "ClientIP" field.
ClientPort | principal.port | Value extracted from the "ClientPort" field.
client_cookie | additional.fields[].value.string_value | Value extracted from the "client_cookie" field.
Command | target.process.command_line | Value extracted from the "Command" field.
connectionId | security_result.detection_fields[].value | Value extracted from the "connectionId" field.
Destination | target.ip, target.asset.ip | Value extracted from the "Destination" field.
device_serial_number | target.asset_id | Set to "device_serial_number:" followed by the field value.
Duration | network.session_duration.seconds | The duration is converted to seconds and mapped.
End Time | security_result.detection_fields[].value | Value extracted from the "End Time" field.
Failure_reason | metadata.description | Value extracted from the "Failure_reason" field.
flags | additional.fields[].value.string_value | Value extracted from the "flags" field.
Group(s) | target.group.group_display_name | Value extracted from the "Group(s)" field.
Reason | metadata.description | Value extracted from the "Reason" field.
Remote_ip | target.ip, target.asset.ip | Value extracted from the "Remote_ip" field.
ServerIP | target.ip, target.asset.ip | Value extracted from the "ServerIP" field.
ServerPort | target.port | Value extracted from the "ServerPort" field.
session_guid | metadata.product_log_id | Value extracted from the "session_guid" field.
SessionId | network.session_id | Value extracted from the "SessionId" field.
Source | principal.ip, principal.asset.ip | Value extracted from the "Source" field.
Start Time | security_result.detection_fields[].value | Value extracted from the "Start Time" field.
startTime | security_result.detection_fields[].value | Value extracted from the "startTime" field.
Status | security_result.description | Value extracted from the "Status" field.
Total_bytes_recv | network.received_bytes | Value extracted from the "Total_bytes_recv" field.
Total_bytes_send | network.sent_bytes | Value extracted from the "Total_bytes_send" field.
Total_bytes_wire_recv | security_result.detection_fields[].value | Value extracted from the "Total_bytes_wire_recv" field.
Total_bytes_wire_send | security_result.detection_fields[].value | Value extracted from the "Total_bytes_wire_send" field.
User | principal.user.userid | Value extracted from the "User" field.
VserverServiceIP | target.ip, target.asset.ip | Value extracted from the "VserverServiceIP" field.
VserverServicePort | target.port | Value extracted from the "VserverServicePort" field.
(none) | metadata.vendor_name | Hardcoded to "CITRIX".
(none) | metadata.product_name | Hardcoded to "NETSCALER".
(none) | metadata.log_type | Hardcoded to "CITRIX_NETSCALER".
(none) | metadata.event_type | Determined by the parser based on the product_event_type. Examples: NETWORK_CONNECTION, USER_LOGIN, USER_LOGOUT, USER_STATS, STATUS_UPDATE, USER_UNCATEGORIZED, GENERIC_EVENT.
(none) | metadata.product_event_type | Value extracted from the log prefix (e.g., CONN_DELINK, CONN_TERMINATE, OTHERCONN_DELINK, etc.).
(none) | metadata.description | A short description of the event, sometimes derived from other fields such as "Reason" or "Failure_reason".
(none) | metadata.event_timestamp | Calculated from the date and time fields in the log entry. The parser handles various formats and time zones.
username:domainname | principal.administrative_domain | Extracted from the "username:domainname" field, taking the part after the colon.
(none) | network.ip_protocol | Hardcoded to TCP for events with "TCP" in metadata.product_event_type.
(none) | security_result.action | Set to ALLOW for successful logins and commands, BLOCK for failed logins and blocked resource access.
(none) | (not stated on this page) | Derived from fields such as "Status", "Failure_reason", and "Access".
(none) | extensions.auth.mechanism | Set to USERNAME_PASSWORD when a username and password are used for authentication (inferred from certain log messages).
(none) | extensions.auth.type | Set to VPN for VPN-related login and logout events.
(none) | network.http.parsed_user_agent | Parsed from the network.http.user_agent field using a user-agent parsing library.
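The following is an added example, not the Google Security Operations parser itself (which is a Grok/UDM definition), showing how the mapping rules above turn one NetScaler line into flat UDM field paths: the Allowed/Denied to ALLOW/BLOCK rule, the duration-to-seconds conversion, the MMDDYYYY/GMT timestamp, and the empty-header fallback. The sample line is constructed, and the exact line layout, the HH:MM:SS duration format and the event_type selection are simplifying assumptions.

```python
import re
from datetime import datetime, timezone
# Constructed NetScaler syslog line (not a real capture) in the MMDDYYYY date / GMT
# layout configured above: a header, then " - " separated "key value" pairs.
SAMPLE = ('05/21/2024:10:15:32 GMT ns1 0-PPE-0 : default SSLVPN TCPCONNSTAT 77 0 : SessionId: 42 '
          '- User alice - ClientIP 10.1.2.3 - ClientPort 50512 - Destination 192.0.2.10 - Duration '
          '00:02:15 - Total_bytes_send 4096 - Total_bytes_recv 12288 - Access Allowed - Group(s) "vpn-users"')

HEADER = re.compile(r'^(?P<ts>\S+ GMT) (?P<host>\S+) \S+ : \S+ (?P<feature>\S+) '
                    r'(?P<mtype>\S+) \d+ \d+ : (?P<body>.*)$')

def parse_kv(body):
    fields = {}
    for pair in body.split(' - '):          # "key value"; "SessionId: 42" is tolerated
        key, _, value = pair.partition(' ')
        fields[key.rstrip(':')] = value.strip('"')
    return fields

def duration_seconds(text):
    h, m, s = (int(x) for x in text.split(':'))   # HH:MM:SS layout is an assumption
    return h * 3600 + m * 60 + s

def to_udm(line):
    m = HEADER.match(line)
    if not m:   # fallback described on the page: keep only the raw message
        return {'metadata.description': line, 'metadata.event_type': 'GENERIC_EVENT'}
    f, mtype = parse_kv(m['body']), m['mtype']
    ts = datetime.strptime(m['ts'], '%m/%d/%Y:%H:%M:%S GMT').replace(tzinfo=timezone.utc)
    udm = {'metadata.vendor_name': 'CITRIX', 'metadata.product_name': 'NETSCALER',
           'metadata.log_type': 'CITRIX_NETSCALER', 'metadata.product_event_type': mtype,
           'metadata.event_timestamp': ts.isoformat(), 'observer.asset.hostname': m['host']}
    text_map = {'User': 'principal.user.userid', 'ClientIP': 'principal.ip', 'Destination': 'target.ip',
                'SessionId': 'network.session_id', 'Group(s)': 'target.group.group_display_name'}
    int_map = {'ClientPort': 'principal.port', 'Total_bytes_send': 'network.sent_bytes',
               'Total_bytes_recv': 'network.received_bytes'}
    udm.update({path: f[k] for k, path in text_map.items() if k in f})
    udm.update({path: int(f[k]) for k, path in int_map.items() if k in f})
    if 'Duration' in f:
        udm['network.session_duration.seconds'] = duration_seconds(f['Duration'])
    if 'Access' in f:   # Allowed -> ALLOW, Denied -> BLOCK, as in the mapping table
        udm['security_result.action'] = {'Allowed': 'ALLOW', 'Denied': 'BLOCK'}.get(f['Access'])
    if 'TCP' in mtype:
        udm['network.ip_protocol'] = 'TCP'
    # event_type selection is a simplified stand-in for the parser's own rules
    udm['metadata.event_type'] = ('USER_LOGIN' if 'LOGIN' in mtype else
                                  'USER_STATS' if mtype.endswith('STAT') else
                                  'NETWORK_CONNECTION' if {'principal.ip', 'target.ip'}.issubset(udm) else
                                  'GENERIC_EVENT')
    return udm
```

Running to_udm(SAMPLE) yields USER_STATS with security_result.action ALLOW, a 135-second session duration and a UTC event timestamp; a line that does not match the header shape falls back to GENERIC_EVENT with the raw text in metadata.description.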

Changes

2024-05-21

  • Modified a Grok pattern to parse dropped logs.

2024-05-20

  • Added new Grok pattern to parse unparsed logs.

2024-05-08

  • Updated the mapping of the duration information from "security_results" to "network.session_duration".

2024-04-29

  • Added conditional check for "Browser_type" and mapped it to "network.http.parsed_user_agent".
  • Added conditional check for "userId" and "user_email".
  • Mapped "Browser" to "network.http.parsed_user_agent".

2024-02-23

  • Updated Grok pattern to parse hostname as expected in the UDM field.

2024-01-25

  • Added Grok patterns to parse logs where "message_type" is "Message", "NONHTTP_RESOURCEACCESS_DENIED", "UDPFLOWSTAT", and "EXTRACTED_GROUPS".
  • Added support to parse logs where "feature" is "GUI" and "EVENT".
  • Mapped "principal_port" to "principal.port".
  • Mapped "ClientIP" to "principal.asset.ip".
  • Mapped "principal_ip" to "principal.ip" and "principal.asset.ip".
  • Mapped "target_ip" to "target.ip" and "target.asset.ip".
  • Mapped "target_port" to "target.port".
  • Mapped "description" to "metadata.description".
  • Mapped "type", "aaa_trans_id", "pcb_trans_id", "pcb_state", "pcb_label", "trans_id", "authPolicyLen", "login_attempts", "PromptLen", "partitionLen", "cmdPolicyLen", and "ssh_pubkey_len" to "security_result.detection_fields".
  • Mapped "principal_hostname" to "principal.hostname" and "principal.asset.hostname".
  • Mapped "hostname" to "intermediary.asset.hostname".
  • Mapped "hostname" to "observer.asset.hostname".
  • Mapped "cip", "ServerIP", "VIP", "VserverServiceIP", and "Remote_ip" to "target.asset.ip".
  • When "message_type" is "Message", then mapped "User" to "principal.user.userid".
  • When "principal_ip" and "target_ip" are present, then set "metadata.event_type" to "NETWORK_CONNECTION".
  • When "Client_ip" and "target_ip" are present, then set "metadata.event_type" to "NETWORK_CONNECTION".
  • When "message_type" is "NONHTTP_RESOURCEACCESS_DENIED" or "UDPFLOWSTAT", then set "metadata.event_type" to "USER_STATS".
  • When "message_type" is "Message" and "User" is present, then set "metadata.event_type" to "USER_UNCATEGORIZED".
  • When "principal_ip" is present, then set "metadata.event_type" to "STATUS_UPDATE".

2023-11-26

  • Enhancement - Added Grok patterns to parse logs where "message_type" is "Message".

2023-07-21

  • Enhancement - Updated the parser to correctly parse logs where "feature" is "CLI".

2022-09-26

  • Enhancement - Migrated custom parsers to default parser.

2022-06-09

  • Enhancement - Added requested mappings:
  • Mapped "startTime", "endTime", and "Duration" to "security_result.detection_fields".
  • Updated the parser to parse logs where "message_type" is "CHANNEL_UPDATE", "NETWORK_UPDATE", or "AAATM Message".

2022-05-09

  • Bug fix - Updated the parser to correctly parse logs where "message_type" is "TCPCONNSTAT".
  • Updated the Grok pattern to include the full domain name in "principal.administrative_domain".
  • Parsed the logs that failed during Validation API testing.

2022-04-27

  • Enhancement - Added requested mappings:
  • Mapped the "intermediary.hostname" field.
  • Parsed API failed logs.