Citrix Netscaler Application Delivery Controller (PREVIEW)

Citrix Netscaler Application Delivery Controller (ADC) helps optimize and secure network traffic for web applications and monitor Citrix Netscaler for suspicious activity like DDoS attacks by correlating data with other sources in LogScale.

This integration supports parsing the Web Application Firewall (WAF) logs as well as other logs such as audit logs.

This package provides a preview parser for Citrix Netscaler Application Delivery Controller data. The parser normalizes data to a common schema based on an OpenTelemetry standard. This schema allows you to search the data without knowing the data specifically, and just knowing the common schema instead. It also allows you to combine the data more easily with other data sources which conform to the same schema.

See the following sections for more information:

Preview Status

Note that this package is considered a PREVIEW. This means we are seeking feedback on the package, and may make breaking changes to the parsers in the future. It means also it may not include all documentation which usually we publish for packages.

Installing the Package in LogScale

Find the repository where you want to send the Citrix Netscaler events, or Creating a Repository or View.

  1. Navigate to your repository in the LogScale interface, click Settings and then Packages on the left.

  2. Click Marketplace and install the LogScale package for Citrix Netscaler (i.e. citrix/netscaler).

  3. When the package has finished installing, click Ingest tokens on the left (still under the Settings.

  4. In the right panel, click + Add Token to create a new token. Give the token an appropriate name (e.g.the name of the server the name of the server the token is ingesting logs for), and leave the parser unassigned, you can assign the parser to the LogScale Collector Configuration as described in the documentation Sources & Examples.

    Ingest Token

    Figure 19. Ingest Token

    Before leaving this page, view the ingest token and copy it to your clipboard — to save it temporarily elsewhere.

    Now that you have a repository set up in LogScale along with an ingest token you're ready to send logs to LogScale.

Configurations and Sending the Logs to LogScale

Before starting you need to configure Citrix Netscaler to send logs to the syslog server.

Follow these steps in the Netscaler documentation to configure audit logging and then the following documentation for syslog over TCP.

We recommend segregating the Citrix Netscaler Web Application Firewall (WAF) events from the other logs. Step by step instructions on how to do this can be found in vendor documentation. Additionally the WAF events should support the CEF format. To enable CEF-formatted logs navigate to the Netscaler GUI and follow these instructions.

Refer to application firewall log for detailed information about the Citrix Netscaler WAF CEF log messages.

Follow these steps to send the Application Firewall messages to a separate syslog server.

Next, configure the Falcon LogScale Collector to ship the logs from your syslog server into LogScale. Follow LogScale Collector Installing the LogScale Collector and Configuring LogScale Collector. LogScale Collector documentation also provides an example of how you can configure your syslog datasource, see Sources & Examples.

Verify Data is Arriving in LogScale

Once you have completed the above steps the Citrix Netscaler data should be arriving in your LogScale repository.

You can verify this by doing a simple search for #logtype = "citrix" | Product="netscaler" to see the events.

Package Contents Explained

This package contains the following parsers:

  • citrix-netscaler-waf-cef - a parser for Citrix Netscaler Web Application Firewall (WAF) events sent in the CEF format. Sample logs can be found here.

  • citrix-netscaler-syslog - a parser for Citrix Netscaler logs (for example audit logs) in the syslog format.

These parsers normalizes the data to a subset of this schema based on OpenTelemetry standards, while still preserving the original data.

If you want to search using the original field names and values, you can access those in the fields whose names are prefixed with the word "Vendor". Fields which are not prefixed with "Vendor" are standard fields which are either based on the schema (e.g. source.ip) or on LogScale conventions (e.g. @rawstring).

The fields which the parser currently maps the data to, are chosen based on what seems the most relevant, and will potentially be expanded in the future. But the parser won't necessarily normalize every field that has potential to be normalized.

Event Categorisation

As part of the schema, events are categorized by four different fields:

  • event.category

  • event.type

  • event.kind

event.kind can be searched as a normal field, but event.category and event.type are arrays, so need to be searched like so:

array:contains("event.category[]", value="network")

This will find events where some event.category[n] field contains the value network, regardless of what n is.

Note that not all events will be categorized to this level of detail.

Normalized Fields

Here are some of the normalized fields which are being set by this parser:

  • destination.* (e.g. source.ip)

  • source.* (e.g. source.domain)

  • related.* (e.g. related.ip)

Next Steps and Use Cases

You can get actionable insights from your Citrix Netscaler data by hunting for suspicious activity in LogScale using the Searching Data, Dashboards & Widgets or Automation & Alerts.