For our security, many of us live in housing societies or apartment buildings with guards posted at the entrance. The guard keeps a log of the people coming in and going out, to know who they are and the purpose of their visit. This protects the people living in the residential area, and the collected logs can be audited to help avoid a breach of security.
Similarly, our network needs to audit who is sending data and what the content is. Any customer would like to know who is accessing their services and whether they should be allowed to do so.
In this age of colossal internet growth, customers need a way to log data selectively: multiple gigabits of data pass over any network per second, and logging everything and anything is redundant.
To meet the need to selectively log what the customer is looking for, we have introduced policy-based logging, a new feature that can be used along with the advanced policy infrastructure in NetScaler.
You configure audit message actions, and these actions can be invoked from Responder and Rewrite policies, which can inspect Layer 2 to Layer 7 information flowing through NetScaler at runtime.
You can configure audit message actions to customize the format of the audit messages at various log levels with the following command.
> add audit messageaction log_action1 CRITICAL '"Client: "+CLIENT.IP.SRC+" accessed "+HTTP.REQ.URL' -bypassSafetyCheck YES
This audit message action sets the log level to CRITICAL. It builds the message by concatenating the string "Client: ", the client source IP address, the string " accessed " and the URL of the incoming request. For example, when a request for www.abc.com/secure/password.html comes from a client with 10.120.36.4 as the source IP address, the log message will be as follows:
Client: 10.120.36.4 accessed /secure/password.html
This action will be bound to a responder or a rewrite policy as follows:
> add responder policy check_url "HTTP.REQ.URL.CONTAINS(\"secure\")" RESET -logAction log_action1
With this policy, any request that tries to access the "secure" directory location is reset by NetScaler, and a log entry is saved in the log_action1 message format. Based on this log action, we will know which client IP tried to access which URL.
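As an added example (not part of the original post and not Citrix code), the Python script below reads messages in the log_action1 format shown above and reports which client requested which URL, flagging clients that were reset repeatedly. The sample lines, the `<header>` placeholder in front of each message and the threshold of three are assumptions made for the illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Matches the message body produced by log_action1 on the page:
#   Client: <source IP> accessed <URL>
# Anything before "Client: " (syslog header, appliance fields) is ignored.
MESSAGE_RE = re.compile(r"Client: (?P<ip>\S+) accessed (?P<url>\S+)\s*$")


def parse_audit_line(line):
    """Return (client_ip, url) for a log_action1 message, else None."""
    match = MESSAGE_RE.search(line)
    if match is None:
        return None
    try:
        # Normalise the address and reject values that are not IP addresses.
        client = str(ipaddress.ip_address(match.group("ip")))
    except ValueError:
        return None
    return client, match.group("url")


def summarize(lines, threshold=3):
    """Group URLs by client and flag clients with >= threshold hits."""
    urls_by_client = defaultdict(list)
    for line in lines:
        parsed = parse_audit_line(line)
        if parsed:
            client, url = parsed
            urls_by_client[client].append(url)
    flagged = sorted(c for c, urls in urls_by_client.items()
                     if len(urls) >= threshold)
    return dict(urls_by_client), flagged


# Constructed sample lines. The "<header>" text before "Client: " is a
# placeholder, not the appliance's real syslog layout.
SAMPLE_LINES = [
    "<header> Client: 10.120.36.4 accessed /secure/password.html",
    "<header> Client: 10.120.36.4 accessed /secure/admin.html",
    "<header> Client: 10.120.36.9 accessed /secure/index.html",
    "<header> Client: 10.120.36.4 accessed /secure/keys.txt",
    "<header> unrelated message that is not from log_action1",
    "<header> Client: not-an-ip accessed /secure/x",
]

if __name__ == "__main__":
    by_client, flagged = summarize(SAMPLE_LINES)
    for client, urls in sorted(by_client.items()):
        print(client, len(urls), urls)
    print("flagged:", flagged)
```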
This feature puts the power in your hands to define:
– When to log, through the policy expression
– What to log, through the configured action
– Selectively log only the data you are interested in, rather than the whole request, based on the message actions.
Happy logging!!