This quick start guide will help Accenture Security customers configure Citrix® NetScaler to send logs to the Log Collection Platform (LCP).
A list of supported versions is available in the Accenture Security Supported Products List document (Accenture_MSS_Supported_Products_List.xlsx), which can be found on the Accenture Portal: https://mss.accenture.com/PortalNextGen/Reports/Documents
To configure the Citrix NetScaler to send logs to the LCP, follow the steps below.
Verify that the host name is configured.
Log in to the NetScaler Web interface as an Administrator.
Go to the Configuration tab and click the Settings icon at the top-right corner.
Click Host Name, DNS IP Address, and Time Zone and type the following.
In the Host Name text box, verify if the host name is present.
If the host name is configured already, no action is required.
If the text box is empty, type a host name without spaces.
In the DNS IP Address text box, verify if the local DNS IP address is added.
In the Time Zone text box, type your time zone.
Configure the Syslog server action.
Log in to the NetScaler Web interface as an Administrator.
Go to Configuration > System > Auditing > Syslog > Servers.
Click Add and do the following in the Create Auditing Server window.
In the Name* text box, type a name for the LCP.
In the IP Address* text box, type the IP address of the LCP.
In the Port text box, type
In the Log levels section, click CUSTOM and check the INFORMATIONAL check box.
From the Log Facility* drop-down list, select LOCAL 0.
From the Date Format* drop-down list, select MMDDYY.
Note: The date format supported by MSS for Citrix NetScaler is MMDDYY.
In the Time Zone section, click GMT.
Check the following check boxes and then click Create.
User configurable Log Messages
Bind the created audit policy to the server.
Go to Configuration > System > Auditing > Syslog and click the Policies tab.
In the Name* text box, type a name for the policy.
In the Server* drop-down list, select the policy from the previous section and click Create.
Right-click the created Auditing Policy and go to Action > Global Bindings and click Add Binding.
In the Select Policy* text box, type the created audit policy.
In the Binding Details section, in the Priority* text box, type 120, as it is the default priority, and click Bind.
Note: Priority is a numeric value that indicates when this policy is evaluated relative to other policies. Access Gateway gives precedence to a policy with lower priority.
Table 1-2: The Citrix NetScaler event collector properties to be configured by MSS are shown in the table.
|Protocol||UDP||The default protocol for syslog. The collector can also accept logs in TCP.
Note: While TCP offers guaranteed delivery of log packets, it places a larger overhead on the LCP.
To weigh the reliability of TCP against the speed and simplicity of UDP, contact the Accenture Security MSS onboarding team.
The default port for UDP. For TCP, the default port is 601.
Note: The LCP can be configured to listen on a non-standard port. Please advise the Accenture Security MSS onboarding team if this is a requirement.
|IP Address||Citrix NetScaler IP Address||
Logging device IP address mentioned in the Pre-Installation Questionnaire (PIQ).
Note: If the device sends logs using multiple interfaces, contact the Accenture Security MSS onboarding team.
|Signatures||AAA LOGIN_FAILED, AAA EXTRACTED_GROUPS, UI CMD_EXECUTED, SSLVPN LOGIN, SSLVPN LOGOUT,
SSLVPN ICASTART, SSLVPN ICAEND_CONNSTAT, SSLVPN TCPCONNSTAT, SSLVPN TCPCONN_TIMEDOUT,
SSLVPN UDPFLOWSTAT, SSLVPN HTTPREQUEST, SSLVPN NONHTTP_RESOURCEACCESS_DENIED,
SSLVPN HTTP_RESOURCEACCESS_DENIED, SSLVPN CLISEC_CHECK, SSLVPN CLISEC_EXP_EVAL, EVENT DEVICEUP,
EVENT DEVICEDOWN, SNMP TRAP_SENT, EVENT MONITORUP, EVENT MONITORDOWN, APPFW APPFW_STARTURL, APPFW APPFW_DENYURL,
APPFW APPFW_COOKIE, APPFW APPFW_BUFFEROVERFLOW_COOKIE, APPFW APPFW_BUFFEROVERFLOW_URL,
APPFW APPFW_BUFFEROVERFLOW_HDR, APPFW APPFW_SAFECOMMERCE, APPFW APPFW_SAFEOBJECT, APPFW APPFW_FIELDCONSISTENCY,
APPFW APPFW_FIELDFORMAT, APPFW APPFW_CSRF_TAG, APPFW APPFW_XSS, APPFW APPFW_SQL,
APPFW APPFW_XML_ERR_NOT_WELLFORMED, APPFW APPFW_XML_DOS_ERR_MAX_NAMESPACES, APPFW APPFW_XML_XSS,
APPFW APPFW_XML_SQL, APPFW AF_400_RESP, APPFW APPFW_POLICY_HIT, APPFW APPFW_POLICY_HIT_BUILTIN, APPFW APPFW_SIGNATURE_MATCH,
APPFW APPFW_XML_VALIDATION_ERR_INVALID_ELEMENT, APPFW APPFW_XML_WSI_ERR_BODY_ENV_NAMESPACE,
APPFW APPFW_FIELDFORMAT, APPFW APPFW_REFERER_HEADER, APPFW AF_MALFORMED_REQ_ERR,
APPFW_RESP APPFW_XML_ERR_NOT_WELLFORMED, GUI CMD_EXECUTED, CLI CMD_EXECUTED,
EVENT STARTSAVECONFIG, EVENT STOPSAVECONFIG
|MSS recommended signatures processed by the Citrix NetScaler event collector.|
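A check for lines received from the NetScaler once the steps above are done, as an added example that is not part of the original guide: it decodes the syslog PRI value and compares facility, severity, date and time zone with the settings chosen here, then looks up the signature in a subset of Table 1-2. The line layout, the month-first MM/DD/YYYY rendering of the date, and both sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime

# Subset of the MSS recommended signatures in Table 1-2 (module, message).
RECOMMENDED = {
    ("AAA", "LOGIN_FAILED"), ("SSLVPN", "LOGIN"), ("SSLVPN", "LOGOUT"),
    ("EVENT", "DEVICEUP"), ("EVENT", "DEVICEDOWN"), ("APPFW", "APPFW_XSS"),
    ("APPFW", "APPFW_SQL"), ("GUI", "CMD_EXECUTED"), ("CLI", "CMD_EXECUTED"),
}

# Assumed layout: <PRI> date:time zone host ppe : partition MODULE MESSAGE ...
LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>\s*(?P<date>\S+?):(?P<time>\d\d:\d\d:\d\d)\s+"
    r"(?P<tz>\S+)\s+(?P<host>\S+)\s+\S+\s+:\s+\S+\s+(?P<mod>\S+)\s+(?P<msg>\S+)"
)

def check_line(line):
    """Return the deviations from the guide's settings; an empty list means OK."""
    m = LINE.match(line)
    if m is None:
        return ["unparseable line"]
    problems = []
    facility, severity = divmod(int(m["pri"]), 8)  # PRI = facility * 8 + severity
    if facility != 16:                             # 16 is LOCAL0
        problems.append(f"facility {facility}, expected 16 (LOCAL0)")
    if severity != 6:                              # 6 is INFORMATIONAL
        problems.append(f"severity {severity}, expected 6 (INFORMATIONAL)")
    try:
        datetime.strptime(m["date"], "%m/%d/%Y")   # assumed month-first rendering
    except ValueError:
        problems.append(f"date {m['date']!r} is not month-first")
    if m["tz"] != "GMT":
        problems.append(f"time zone {m['tz']!r}, expected GMT")
    if (m["mod"], m["msg"]) not in RECOMMENDED:
        problems.append(f"signature {m['mod']} {m['msg']} not in recommended subset")
    return problems

# Constructed sample lines, not captured from a real device.
GOOD = ('<134> 06/15/2020:10:21:33 GMT ns01 0-PPE-0 : default AAA LOGIN_FAILED '
        '1042 0 :  User alice - Client_ip 192.0.2.10')
BAD = ('<143> 15/06/2020:10:21:33 IST ns01 0-PPE-0 : default AAA LOGIN_FAILED '
       '1043 0 :  User alice - Client_ip 192.0.2.10')

if __name__ == "__main__":
    for sample in (GOOD, BAD):
        print(check_line(sample) or "OK")
```

A day-first date whose day is 12 or less still parses as month-first, so judge the date format over several days of logs rather than a single line.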
Copyright © 2020 Accenture. All rights reserved.