Citrix NetScaler

When you configure your Citrix NetScaler to send log data to USM Appliance, you can use the Citrix NetScaler plugin to translate raw log data into normalized events for analysis. The table below provides some basic information for the plugin.

Plugin Information
Device Details
Vendor Citrix
Device Type Load Balancer
Connection Type Syslog
Data Source Name citrix-netscaler
Data Source ID 1678

Integrating Citrix NetScaler

Before you configure the Citrix NetScaler integration, you must have the IP Address of the USM Appliance Sensor.

To configure Citrix NetScaler to send log data to USM Appliance

  1. Log in to NetScaler and select Configuration from the top menu.
  2. In the navigation pane, expand the System node then the Auditing node.
  3. Click Syslog.
  4. In the right pane, add a new auditing server

    1. On the Servers tab, click Add.
    2. In the Auditing Type field, SYSLOG is selected by default.
    3. In IP Address, enter the IP address of the USM Appliance Sensor.
    4. In Port Number, enter 514.
    5. In Log Levels, select All.
    6. From the Log Facility list, select the appropriate facility.
    7. In Date Format, choose MMDDYYYY.
    8. For Time Zone, select GMT.
    9. Select TCP Logging or ACL Logging.

      Note: LevelBlue supports both options, but TCP Logging uses fewer resources.

    10. Click Create.
  5. Add a policy for the new auditing server

    1. On the Policies tab, click Add.
    2. In the Auditing Type field, SYSLOG is selected by default.
    3. In Server, select the server created in Step 4.
    4. Click Create.
  6. Bind the policy globally

    1. On the Policies tab, click Action and select Classic Policy Global Bindings.
    2. Select the policy created in Step 5.
    3. Click Bind and then Done.

Plugin Enablement

For plugin enablement information, see Enable Plugins.

Troubleshooting

For troubleshooting, refer to the vendor documentation:

How to Configure Syslog on a NetScaler Appliance

Configuring the NetScaler Appliance for Audit Logging