Syslog Auditing

Auditing is a methodical examination or review of a condition or situation. The Audit Logging feature lets you log the state and status information that the Citrix® NetScaler® collects from various modules in the kernel and in the user-level daemons. For audit logging you can configure SYSLOG, the native NSLOG protocol, or both. When you run an NSLOG or SYSLOG server, it connects to the NetScaler appliance, which then starts sending all of its log information to that server; the server can filter the log entries before storing them in a log file. An NSLOG or SYSLOG server can receive log information from more than one NetScaler appliance, and a NetScaler appliance can send log information to more than one SYSLOG or NSLOG server.

The log information that a SYSLOG or NSLOG server collects from a NetScaler appliance is stored in a log file in the form of messages. These messages typically contain the following information:

  • The IP address of a NetScaler appliance that generated the log message
  • A time stamp
  • The message type
  • The predefined log levels (Critical, Error, Notice, Warning, Informational, Debug, Alert, and Emergency)
  • The message information

Syslog Messages from NetScaler Load Balancer

| Feature | Message | Category | Description | Message format |
|---|---|---|---|---|
| AAA | LOGIN_FAILED | ALERT | The AAA module failed to log in the user; the reason for the failure is given in the message. | User%s-Client_ip%s-Failure_reason"%s" |
| UI | CMD_EXECUTED | INFO | Logs the NSCLI/GUI command executed on the NetScaler. | User%s-Remote_ip%s-Command"%s"-Status"%s" |
| SSLVPN | LOGIN | INFO | SSLVPN login succeeded. | User%s-Client_ip%s-Nat_ip%s-Vserver%s:%d-Browser_type"%s"-SSLVPN_client_type%s-Group(s)"%s" |
| SSLVPN | LOGOUT | INFO | An SSLVPN session logged out; the logout method is captured in the message. | User%s-Client_ip%s-Nat_ip%s-Vserver%s:%d-Start_time"%s"End_time"%s"-Duration%s Http_resources_accessed%s-NonHttp_services_accessed%s-Total_TCP_connections%d-Total_UDP_flows%d-Total_policies_allowed%d-Total_policies_denied%d-Total_bytes_send%s-Total_bytes_recv%s-Total_compressedbytes_send%s-Total_compressedbytes_recv%s-Compression_ratio_send%d.%02u%% Compression_ratio_recv%d.%02u%% LogoutMethod"%s"-Group(s)"%s" |
| SSLVPN | TCPCONNSTAT | INFO | Logs the TCP connection information for a connection belonging to an SSLVPN session. | User%s-Client_ip%s-Nat_ip%s-Vserver%s:%d-Source%s:%d-Destination%s:%d-Start_time"%s"End_time"%s" Duration%s-Total_bytes_send%d-Total_bytes_recv%d-Total_compressedbytes_send%d-Total_compressedbytes_recv%d-Compression_ratio_send%d.%02u%%-Compression_ratio_recv%d.%02u%%-Access%s-Group(s)"%s" |
| SSLVPN | TCPCONN_TIMEDOUT | INFO | An SSLVPN connection timed out. The message gives the connection start and end time and the amount of data sent and received. | User%s-Client_ip%s-Nat_ip%s-Vserver%s:%d-Last_contact"%s"-Group(s)"%s" |
| SSLVPN | UDPFLOWSTAT | INFO | A UDP flow within an SSLVPN session terminated. | User%s-Client_ip%s-Nat_ip%s-Vserver%s:%d-Source%s:%d-Destination%s:%d-Start_time"%s"End_time"%s" Duration%s-Total_bytes_send%d-Total_bytes_recv%d-Access%s-Group(s)"%s" |
| SSLVPN | HTTPREQUEST | INFO | An SSLVPN session received an HTTP request. | %sUser%s:Group(s)%s:%s%s%s%s%s |
| SSLVPN | NONHTTP_RESOURCEACCESS_DENIED | ALERT | A non-HTTP resource access was denied by the policy engine; the name of the denying policy is captured in the log message. | User%s-Client_ip%s-Nat_ip%s-Vserver%s:%d-Source%s:%d-Destination%s:%d-Total_bytes_send%d-Total_bytes_recv%d-Denied_by_policy"%s"-Group(s)"%s" |
| SSLVPN | HTTP_RESOURCEACCESS_DENIED | ALERT | An HTTP resource access was denied by the policy engine; the name of the denying policy is captured in the log message. | User%s-Total_bytes_send%d-Remote_host%s-Denied_url%s-Denied_by_policy"%s"-Group(s)"%s" |
| SSLVPN | LICLMT_REACHED | INFO | SSLVPN license limit reached. | Vserver%s:%d-License_limit%d |
| SSLVPN | CLISEC_CHECK | ERROR | Logged with severity ERROR when the client security check for an SSLVPN session fails, otherwise with severity DEBUG. | User%s-ClientIP%s-Vserver%s:%d-Client_security_expression"%s"- |
| SSLVPN | CLISEC_EXP_EVAL | ERROR | Logged with severity ERROR when the client security expression evaluates to False, otherwise with severity DEBUG. | User%s:ClientIP%s-Vserver%s:%d Client security expression %s evaluated to %s (%d) |
| SSLVPN | AAAEXTRACTED_GROUPS | INFO | After a user logs in to SSLVPN and the user's groups have been extracted. | Extracted_groups"%s" |
| EVENT | ALERTSTARTED | ALERT | The SNMP module started an alarm (usually when the value of a monitored attribute crosses its threshold). | %s |
| EVENT | ALERTENDED | ALERT | The SNMP module stopped an alarm (usually when the value of a monitored attribute returns to its normal state). | %s |
| EVENT | STARTSYS | INFO | The NetScaler started. | %s |
| EVENT | STARTCPU | INFO | A particular CPU started. | %s |
| EVENT | DEVICEDOWN | NOTICE | A device is down. | %s |
| EVENT | DEVICEOFS | NOTICE | A device is out of service. | %s |
| EVENT | DEVICEUP | NOTICE | A device is up. | %s |
| EVENT | NICSTART | NOTICE | A network interface was started. | %s |
| EVENT | NICSTOP | NOTICE | A network interface was stopped. | %s |
| EVENT | NICHANG | NOTICE | A network interface is in a hung state. | %s |
| EVENT | NICRESET | NOTICE | A network interface was reset. | %s |
| EVENT | NICMIGRATE | NOTICE | An interface was bound to or unbound from a channel. | %s |
| EVENT | STOPSYS | INFO | The NetScaler system was stopped. | %s |
| EVENT | FREEBADMEM | EMERGENCY | Bad memory was freed (internal error). | %s |
| EVENT | FREEDUPMEM | EMERGENCY | A duplicate memory free occurred (internal error). | %s |
| EVENT | FREEEXTMEM | EMERGENCY | Memory was freed from the wrong pool (internal error). | %s |
| EVENT | PROPSUCCESS | INFO | HA propagation succeeded. | %s |
| EVENT | PROPFAIL | ALERT | HA propagation failed. | %s |
| EVENT | STATECHANGE | 0 | The HA state changed; the string in the message gives more information. | %s |
| EVENT | CACHESTARTFLUSH | INFO | A cache flush started. | %s |
| EVENT | CACHESTOPFLUSH | INFO | A cache flush completed. | %s |
| EVENT | MONITORTH | INFO | The monitor bound to the service hit its threshold limit. | %s |
| EVENT | MONITORDOWN | INFO | The monitor bound to the service is down. | %s |
| EVENT | MONITORUP | INFO | The monitor bound to the service is up. | %s |
| EVENT | STARTSAVECONFIG | INFO | Saving the configuration started. | %s |
| EVENT | STOPSAVECONFIG | INFO | Saving the configuration stopped. | %s |
| EVENT | CONFIGSTART | INFO | The NetScaler started reading the configuration from the ns.conf file (during boot-up). | %s |
| EVENT | CONFIGEND | INFO | The NetScaler finished reading the configuration from the ns.conf file (during boot-up). | %s |
| EVENT | NICLACPSC | NOTICE | | %s |
| EVENT | NICLOW_THROUGHPUT | NOTICE | | %s |
| EVENT | NICNORMAL_THROUGHPUT | NOTICE | | %s |
| EVENT | UNKNOWN | DEBUG | LACP (Link Aggregation Control Protocol) related events. | %s |
| SSLLOG | SSL_HANDSHAKE_FAILURE | DEBUG | SSL handshake failed. | ClientIP%s-ClientPort%d-VserverServiceIP%s-VserverServicePort%d-ClientVersion%s-CipherSuite"%s"-Reason"%s" |
| SSLLOG | SSL_HANDSHAKE_SUCCESS | DEBUG | SSL handshake succeeded. | ClientIP%s-ClientPort%d-VserverServiceIP%s-VserverServicePort%d-ClientVersion%s-CipherSuite"%s"-Session%s |
| SSLLOG | SSL_CERT_EXPIRY_IMMINENT | NOTICE | The SSL certificate is going to expire soon; the message indicates the date on which the SSL certificate will expire. | CertificateKeyPair%s-DaysToExpire%u |
| APPFW | APPFW_STARTURL | INFO | AppFw StartURL violation. | %s%sDisallow Illegal URL:%s%s |
| APPFW | APPFW_DENYURL | INFO | AppFw DenyURL violation. | %s%sDisallow Deny URL:%s%s |
| APPFW | APPFW_XSS | INFO | AppFw XSS violation. | %s%s%sCross-site script check failed for %s="%s"%s |
| APPFW | APPFW_SQL | INFO | AppFw SQL injection violation. | %s%s%sSQL Keyword check failed for %s="%s"%s |
| APPFW | APPFW_COOKIE | INFO | AppFw Cookie violation. | %s%s%sCookie validation failed for %s%s |
| APPFW | APPFW_FIELDCONSISTENCY | INFO | AppFw Field Consistency violation. | %s%s%sField consistency check failed for field %s="%s"%s |
| APPFW | APPFW_BUFFEROVERFLOW_URL | INFO | AppFw Buffer Overflow violation in the URL. | %s%sURL length (%d) is greater than maximum allowed (%d):%s%s |
| APPFW | APPFW_BUFFEROVERFLOW_COOKIE | INFO | AppFw Buffer Overflow violation in a cookie. | %s%sCookie header length (%d) is greater than maximum allowed (%d):%s%s |
| APPFW | APPFW_BUFFEROVERFLOW_HDR | INFO | AppFw Buffer Overflow violation in the HTTP headers. | %s%sHeader (%s) length (%d) is greater than maximum allowed (%d):%s%s |
| APPFW | APPFW_FIELDFORMAT | INFO | AppFw Field Format violation. | %s%s%sField format check failed for field %s="%s"%s |
| APPFW | APPFW_SAFECOMMERCE | INFO | AppFw Safe Commerce violation. | %s%s%sCredit Card internal error (%d) while matching… taking precautionary action%s |
| APPFW | APPFW_SAFECOMMERCE_XFORM | INFO | AppFw Safe Commerce violation detected and transformed. | %s%s%sTransformed (xout) potential credit card numbers seen in server response |
| APPFW | APPFW_SAFEOBJECT | INFO | AppFw Safe Object violation. | %s%s%sSafe Object internal error (%d) while matching… taking precautionary action:%s%s |
| APPFW | AF_BIND_TO_PROFILE | INFO | Bind an AppFw profile. | Profile:%s |
| APPFW | AF_ADD_FIELDTYPE | INFO | Add an AppFw field type. | FieldType:%s |
| APPFW | AF_ADD_PROFILE | INFO | Add an AppFw profile. | Profile:%s\n |
| APPFW | AF_RM_FIELDTYPE | INFO | Remove an AppFw field type. | FieldType:%s |
| APPFW | AF_RM_PROFILE | INFO | Remove an AppFw profile. | Profile:%s\n |
| APPFW | AF_ADD_CFFIELD | INFO | Add a confidential field. | FieldName:%s |
| APPFW | AF_RM_CFFIELD | INFO | Remove a confidential field. | FieldName:%s |
| APPFW | AF_400_RESP | INFO | AppFw request error; a 400 response was generated. | %s"Unable to parse headers" |
| APPFW | AF_MEMORY_ERR | INFO | A memory allocation request for %lu bytes failed. | Memory allocation request for %lu bytes failed. Call stack PCs: |
| TCP | CONN_DELINK | INFO | A server-side and a client-side TCP connection were delinked. These are connections that the NetScaler tracks, such as HTTP. | Source%s:%d-Vserver%s:%d-Nat%s:%d-Destination%s:%d-DelinkTime%s-Total_bytes_send%llu-Total_bytes_recv%llu |
| TCP | CONN_TERMINATE | INFO | A TCP connection terminated. The logged data gives the number of bytes transmitted and received over the connection and also its start and end time. | Source%s:%d-Destination%s:%d-StartTime%s-EndTime%s-Total_bytes_send%llu-Total_bytes_recv%llu |
| TCP | OTHERCONN_DELINK | INFO | A server-side and a client-side TCP connection were delinked. These are connections that the NetScaler does not track, such as FTP, telnet, etc. | Source%s:%d-Vserver%s:%d-Nat%s:%d-Destination%s:%d-DelinkTime%s-Total_bytes_send%u-Total_bytes_recv%u |
| ROUTING | ZEBOS_CMD_EXECUTED | INFO | A user executed a command in ZebOS (vtysh). | %s |
| ROUTING | PAL | VARIABLE | | |
| PITBOSS | PITBOSS | INFO | A pitboss watch is added on the process with the given pid. | Adding pitboss watch on (%d) |
| PITBOSS | PITBOSS | INFO | A pitboss watch is deleted on the process with the given pid. | Deleting watch on (%d) |
| PITBOSS | PB_SYSTEM_RESTART | ALERT | The process with the given pid reached its maximum number of restarts, so the system is being restarted. | proc (%d) (%s) has had its maximum number of restarts (%d), rebooting the system |
| PITBOSS | PB_PROCESS_RESTART | ALERT | The process with the given pid is being restarted; the message indicates how many times the process has been restarted. | Restarting process old pid (%d) action (%s) |
| ROUTING | ROUTE_ADVERTISED | INFO | Route advertised. | ROUTE (%s %s %s) - ADVERTISED |
| ROUTING | ROUTE_WITHDRAWN | INFO | Route withdrawn. | ROUTE (%s %s %s) - WITHDRAWN |
| ROUTING | ROUTE_RELEARN | | Route relearnt. | RELEARN (0x%x) |
| ROUTING | ROUTE_HASTATE | INFO | HA state change. | HASTATE (0x%x) |
| CVPN | CVPN_INPUT_URL | DEBUG | The input URL before rewriting. | HTML_URL %s |
| CVPN | CVPN_REWRITTEN_URL | DEBUG | The rewritten URL. | REWRITTEN_URL %.*s |
| CVPN | CVPN_PCRE_ERROR | DEBUG | PCRE error. | Regex %.*s : PCRE_ERROR %d |
| CVPN | CVPN_MATCHED_URL | DEBUG | The matched URL. | MATCHED_URL %.*s |
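The message layout described above and the format strings in the table are enough to build a parser and a simple detection on top of them. The following Python is an added example, not code from this page or from Citrix: it compiles two of the table's templates (AAA LOGIN_FAILED and SSLVPN LOGIN) into regexes with named groups and counts failed logins per Client_ip as a brute-force indicator. The syslog envelope (`PPE-0 : default AAA LOGIN_FAILED 101 0 :`) and the `User bob - Client_ip ...` spacing of live messages are assumptions of this example, and the sample lines are constructed.

```python
import re
from collections import Counter

# Templates copied from the table above. Extraction stripped the spaces; live
# messages are assumed to read "User bob - Client_ip 10.0.0.5 - ...", and the
# regexes built here accept either spacing.
FORMATS = {
    ("AAA", "LOGIN_FAILED"): 'User%s-Client_ip%s-Failure_reason"%s"',
    ("SSLVPN", "LOGIN"): 'User%s-Client_ip%s-Nat_ip%s-Vserver%s:%d-Browser_type"%s"'
                         '-SSLVPN_client_type%s-Group(s)"%s"',
}
SPEC = re.compile(r'%(?:\d*\.?\d*)?(?:ll|l)?[sdux]')

def _lit(text):  # literal template fragment; tolerate whitespace around '-' and '"'
    return re.escape(text).replace(r'\-', r'\s*-\s*').replace('"', r'\s*"')

def template_to_regex(fmt):
    """printf-style template -> regex; groups are named after the identifier before each %-spec."""
    parts, pos, name = [], 0, "field"
    for n, m in enumerate(SPEC.finditer(fmt)):
        lit = fmt[pos:m.start()]
        idents = re.findall(r'[A-Za-z_()]+', lit)
        name = re.sub(r'\W', '_', idents[-1]) if idents else f"{name}_{n}"
        value = r'\d+' if m.group()[-1] in 'dux' else r'.*?'   # numeric specs take digits only
        parts.append(_lit(lit) + rf'\s*(?P<{name}>{value})')
        pos = m.end()
    return re.compile(''.join(parts) + _lit(fmt[pos:]) + r'\s*$')
COMPILED = {key: template_to_regex(fmt) for key, fmt in FORMATS.items()}

def parse_line(line):
    """Find the '<FEATURE> <MESSAGE> ... :' tokens (assumed envelope) and parse the body."""
    for (feat, msg), rx in COMPILED.items():
        env = re.search(rf'\b{feat} {msg}\b[^:]*:\s*(.*)$', line)
        if env:
            body = rx.match(env.group(1))
            return (feat, msg, body.groupdict()) if body else None
    return None

def failed_logins_by_client(lines, threshold=3):
    """Count AAA LOGIN_FAILED per Client_ip; IPs at/above threshold are brute-force candidates."""
    counts = Counter()
    for parsed in map(parse_line, lines):
        if parsed and parsed[:2] == ("AAA", "LOGIN_FAILED"):
            counts[parsed[2]["Client_ip"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}

# Constructed sample lines, not captured from a real appliance.
FAIL = '10.0.0.1 PPE-0 : default AAA LOGIN_FAILED 101 0 : User {u} - Client_ip {ip} - Failure_reason "Invalid credentials"'
SAMPLE = [FAIL.format(u=u, ip="198.51.100.7") for u in ("bob", "carol", "dave")] + [
    FAIL.format(u="alice", ip="203.0.113.9"),
    '10.0.0.1 PPE-0 : default SSLVPN LOGIN 105 0 : User alice - Client_ip 203.0.113.9 - Nat_ip 10.0.0.5 '
    '- Vserver 10.0.0.2:443 - Browser_type "Mozilla/5.0" - SSLVPN_client_type ICA - Group(s) "vpn-users"',
]
```

Running `failed_logins_by_client(SAMPLE)` yields `{'198.51.100.7': 3}`; adding the other rows of the table to FORMATS is the only change needed to parse their messages the same way.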
