Part 1: Getting Netscaler system data to Splunk

a) Configuring Splunk to listen on a UDP port for syslog data

b) Configuring Citrix NetScaler to send system/console data to Splunk

Part 2: Setting up your Splunk alert

Let’s Go…

a) Configuring Splunk to listen on a UDP port for syslog data

  1. Configure a UDP data input, if you haven’t already. You may use the standard 514/udp with the default index, but I like to create one explicitly for the NetScaler devices. This lets me send the data to a specific index, override the source name, and set the sourcetype.
  2. Let’s say you want to use 515/udp for this. In Splunk Manager -> Data Inputs -> UDP, create a new listener on port 515. Set your source name override here (I use netscaler), set the sourcetype to manual, and enter ns_log as the source type; this overrides the default udp:515 as the source. I also select the ww-netscaler index here (world wide netscaler).
  3. There you have it. With the steps below, you should have working system/console logs from the NetScaler.
Splunk - Data Inputs

Splunk - Data Inputs - UDP (for Netscaler)

b) Configuring Citrix NetScaler to send system/console data to Splunk

Configure Audit Server and Audit Policy

  1. You can do this by clicking System -> Auditing -> Policies -> Servers tab.
  2. Right click and Add new Server. Enter the Splunk IP and the port you set up as a listener earlier.
  3. Personally, I log everything except DEBUG. It’s up to you to figure out the differences and choose. Everything except DEBUG will catch incorrect login attempts, which is currently the scope of this document.
  4. Under System -> Auditing -> Policies, click on the Policies tab; right click, Add.
     Enter the policy name, Auditing Type: SYSLOG, Server: <select the server you set up in step 2>.
  5. You’re done. Check Splunk for your data to ensure it’s being sent.
Netscaler - Configure Audit Server

Netscaler - Bind Audit Policy to Audit Server

Part 2: Setting up your Splunk alert

Create your real-time alert as shown below. The search query is the most important part here; you need to ensure your eventtype matches. <… CHECK MY PROPS AND TRANSFORMS, I FORGET IF I DID ANY INTERESTING EXTRACTIONS …>

Splunk - Netscaler Failed Login Attempt Alert
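The same setup expressed as Splunk .conf stanzas, as an added example rather than the author’s own configuration: the UDP input from Part 1 (port 515, source netscaler, sourcetype ns_log, index ww-netscaler) and a real-time alert for Part 2. The eventtype name ns_failed_login, its search terms, the threshold, the suppression window and the notification address are assumptions; match the search terms against the failed-login events you actually see in ns_log. Splunk only honours comments that start at the beginning of a line, so none are placed after values.

```ini
# inputs.conf on the Splunk instance receiving syslog (Part 1a).
# connection_host = ip records the sending NetScaler's IP as host;
# source overrides the default udp:515 source name.
[udp://515]
connection_host = ip
source = netscaler
sourcetype = ns_log
index = ww-netscaler

# eventtypes.conf: give failed-login events a name the alert can key on.
# ASSUMED search terms; verify against your own ns_log events.
[ns_failed_login]
search = index=ww-netscaler sourcetype=ns_log "Invalid username or password"

# savedsearches.conf (Part 2): real-time alert over a 5 minute rolling
# window. The search emits one row per NetScaler host that has produced
# more than 2 failed logins in the window (ASSUMED threshold), so
# "number of events greater than 0" fires when any host crosses it.
[Netscaler Failed Login Attempt Alert]
search = eventtype=ns_failed_login | stats count BY host | where count > 2
dispatch.earliest_time = rt-5m
dispatch.latest_time = rt
enableSched = 1
alert_type = number of events
alert_comparator = greater than
alert_threshold = 0
alert.track = 1
# ASSUMED: at most one notification per host every 15 minutes.
alert.suppress = 1
alert.suppress.period = 15m
alert.suppress.fields = host
action.email = 1
action.email.to = soc@example.invalid
```

Drop the three stanzas into the matching files under an app’s local/ directory and restart or reload Splunk; the eventtype lets you tune the match in one place without touching the alert.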

There you go. In the next feature, I will be showing you how to set up and ‘listen to’ AppFlow.