
I have tried to make Netscaler log the source IP of all traffic that's destined to the Netscaler. Is this possible?

To be clear I don't want to forward the client-IP to a backend server, I want to log the source IP of all traffic that reaches the Netscaler on a log on the Netscaler and then maybe send that to a syslog server. If this would be possible to do on a specific VIP that'd be gold.

Thanks

krt

2 Answers

3

Depending on the type of traffic you want to be logged, and the components that you are using, you have some different options.

It all starts with the following:

Create a Message Action (under System --> Auditing --> Message actions), and use the following expression:

`CLIENT.IP.SRC`

You also have to define the log level under which the message should be logged. I'd recommend using at least the INFORMATIONAL level, as DEBUG will generate massive amounts of log entries over time.

Of course, it is possible to add additional data to the log message.

Second, if you want to push messages to an external syslog server, you should add the syslog server as well:

  • Go to System --> Auditing --> Syslog --> Servers and add the server.
  • Make sure you enable the option: "User Configurable Log Messages".
  • Next, create the logging policy, and set it to true.

If you are using Content Switching, you can attach the log message to the content switching policy, by selecting the appropriate message in the dropdown box while editing the policy.

If you are using plain load balancing, you can create a responder policy, with the policy expression set to true, selecting the log message in the dropdown box, and last but not least: setting the action to NOOP.

You can then bind the responder policy to the load balancers that require logging of the client source IP.

Note: Beware of NAT, as it might obfuscate the real client IP!

StackzOfZtuff
Jan
  • Thank you very much for your answer! I'll try your suggestions. – krt Feb 22 '17 at 09:28
  • Sorry, I do have one question about your answer. What do you mean by "set policy expression to true"? Am I supposed to input "TRUE" in the expression field? Or is there an operator I need to use? – krt Feb 22 '17 at 09:37
  • Is it "ns_true" that you're referring to? – krt Feb 22 '17 at 09:48
  • I tried to use TRUE and it seems to work fine :) – krt Feb 22 '17 at 10:37
  • Hi krt, sorry for the delayed reply. Use advanced policy expressions (true) wherever you can, as using classic expressions (ns_true) will limit your possibilities drastically. Almost all policy modules support advanced policy expressions nowadays. So yes, "true" should work :) – Jan Feb 22 '17 at 21:21
  • I'm actually really happy about this. Example log: `2017/09/04:23:21:29 GMT HOSTNAME 0-PPE-1 : TCP CONN_TERMINATE 4243829 0 :  Source :63487 - Destination :443 - Start Time 2017/09/04:23:21:29 GMT - End Time 2017/09/04:23:21:29 GMT - Total_bytes_send 287 - Total_bytes_recv 165` Oddly though, it does not include the VIP IP or port, which does make them somewhat less useful. – Cameron Kerr Sep 04 '17 at 23:35
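
The steps in this answer expressed as NetScaler CLI commands for the plain load-balancing case, as an added example that is not part of the original answer. The object names, the vserver name `lb_vsrv_example` and the syslog address 192.0.2.10 are placeholders, and the audit policy lines assume a firmware build that accepts the advanced expression `true` for audit policies.

```netscaler
# Added example. All object names and 192.0.2.10 are placeholders.

# The responder feature must be enabled before responder policies take effect.
enable ns feature RESPONDER

# 1. Message action: the text to log and the level it is logged at.
add audit messageaction log_client_ip INFORMATIONAL '"Client IP: " + CLIENT.IP.SRC'

# 2. External syslog server, with "User Configurable Log Messages" enabled
#    so that message-action output is forwarded to it.
add audit syslogAction syslog_act 192.0.2.10 -logLevel INFORMATIONAL -userDefinedAuditlog YES

# 3. Logging policy that always matches, bound globally.
#    Assumption: this build accepts advanced expressions for audit policies.
add audit syslogPolicy syslog_pol true syslog_act
bind audit syslogGlobal -policyName syslog_pol -priority 100

# 4. Responder policy: expression true, action NOOP, message action attached.
#    The request is not modified; the policy exists only to trigger the log entry.
add responder policy rsp_log_client_ip true NOOP -logAction log_client_ip

# 5. Bind to each load-balancing vserver that needs client source IPs logged.
#    NEXT lets any other responder policies bound to the vserver still be evaluated.
bind lb vserver lb_vsrv_example -policyName rsp_log_client_ip -priority 100 -gotoPriorityExpression NEXT -type REQUEST
```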
0

To do this in the typical NetScaler manner, one would use IPFIX (a more modern version of NetFlow), or as Citrix call it "AppFlow" -- which is a bunch of templates defined in IPFIX. You'd need something to collect it (newest versions of Logstash can do this using the logstash-codec-netflow), but it would give you sufficient information to build up a complete log of front-and-back end connections, and not just for HTTP, but also for TCP.

... bit more of a long road option though.

You would also use this for Web Logging (i.e. HTTP access logs).

Cameron Kerr
  • But don't go down that route if version is less than 11.0 (at least 10.5 doesn't seem to work -- possibly might be GSLB related). – Cameron Kerr Sep 04 '17 at 05:11