We always have some cool engineers who want to make sure we have as much info out there as possible to help with installs. It is no different with getting Splunk to work with NetScaler Application Firewall (AppFW). The details are posted in the Citrix internal Knowledge Base (KB) article CTX132533 for Citrix Sales/SEs, but some have asked us to also put them in our blogs for easy access – hence, here they are (authored by Iryna Novosyolova).

Splunk installation:

  1. Get the installation package from http://www.splunk.com/download?r=/product
  2. Install Splunk following the installation wizard steps.
  3. Get the Splunk for NetScaler application here: http://splunk-base.splunk.com/apps/22345/splunk-for-citrix-netscaler-with-appflow
  4. Log in to Splunk.
  5. Navigate to App -> Manage Apps.
  6. Choose to install the application from a file.
  7. Upload the application from the tgz file.
  8. Navigate to <SPLUNK DIRECTORY>\etc\apps\SplunkforCitrixNetScaler\default. Modify inputs.conf for Windows.
  9. Navigate to NS GUI System -> Auditing -> Policies. Add a new policy. In the Create Auditing Policy window, provide a name for the policy and create a new server. Provide the IP of the server where Splunk is installed and port 514 (Splunk should listen on this port). Confirm creating the server and the policy. Bind it globally.
  10. Configure Application Firewall on the NetScaler.
  11. Navigate to Splunk -> Manager -> Data Inputs -> UDP. Verify that the UDP port is 514 and the sourcetype is set to ns_log.
  12. Navigate to App -> Manage Apps. Launch Splunk for Citrix NetScaler. Navigate to App Firewall. If it's configured correctly, there should be a picture like this.
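The check in step 11 can also be run directly against the inputs.conf file from step 8. The script below is an added example, not part of the KB article or the Splunk app: the sample file contents are constructed, and the function names `parse_conf` and `check_udp_input` are hypothetical.

```python
# Added example: validate the UDP input from steps 8 and 11 in inputs.conf.
# SAMPLE_INPUTS_CONF is constructed, not the app's shipped file.
SAMPLE_INPUTS_CONF = """\
[udp://514]
sourcetype = ns_log
connection_host = ip

[udp://1514]
sourcetype = syslog
disabled = 1
"""


def parse_conf(text):
    """Parse Splunk .conf text into {stanza_name: {key: value}}."""
    stanzas, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = stanzas.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return stanzas


def check_udp_input(text, port=514, sourcetype="ns_log"):
    """Return a list of problems; an empty list means the input is as expected."""
    matches = {
        name: cfg for name, cfg in parse_conf(text).items()
        if name.startswith("udp://")
        and name.rsplit(":", 1)[-1].lstrip("/") == str(port)
    }
    if not matches:
        return [f"no udp input stanza for port {port}"]
    problems = []
    for name, cfg in matches.items():
        if cfg.get("disabled", "0").lower() in ("1", "true"):
            problems.append(f"[{name}] is disabled")
        if cfg.get("sourcetype") != sourcetype:
            problems.append(f"[{name}] sourcetype is {cfg.get('sourcetype')!r}")
    return problems


if __name__ == "__main__":
    for issue in check_udp_input(SAMPLE_INPUTS_CONF) or ["udp input OK"]:
        print(issue)
```

To check a real installation, read the inputs.conf from the app directory in step 8 and pass its text to `check_udp_input`.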

Let us know if you have any feedback.