Citrix ADC - Virtual Server Logging

Summary

This article covers logging traffic processed by a Virtual Server. It also covers how to set up a syslog server destination so the logs are easier to navigate.

Body

Summary

As with any system, there are a variety of logs tracked by Citrix ADCs: management access, configuration, system heartbeats, etc. This document, however, covers policy logging, which is similar to firewall logging. These logs tell you when a client was allowed or denied by a policy. What is useful is that you can send customized messages to the logging servers to help with troubleshooting.

On the Citrix ADC, the Syslog servers must be defined globally before they can be used in a Message Action, which is then bound to a Responder Policy.

Systems Involved

  • adc01.nic.edu/adc02.nic.edu, tadc01.nic.edu/tadc02.nic.edu
  • Syslog destinations
    • monitor.nic.edu
    • syslog-ng.nic.edu

Overview

Setting up Syslog Server destinations in the Global configuration

Adding a Syslog Server

  • Navigate to System->Auditing->Syslog and click on the Servers tab
  • Click on Add
  • Type in the Name and IP address of the server. In this case, we are adding the What's Up Gold (WUG) server as the syslog destination
  • For the Logging Levels, select Custom
  • Select the Local Timezone and finally click User Configurable Log Messages
  • Click Create


A word on Logging Levels

We have to be careful here and classify our log messages accordingly. The Informational and Debug levels are very verbose. If you elect to send messages at these levels, be prepared to sift through a large number of messages. Simply navigating between screens in the ADC GUI generates commands that are logged as Informational. That is useful for audit logs, but not for finding out whether a client has been allowed or denied access to a virtual server.

Since we are sending these logs to WUG, it's good to know how WUG treats logs from the ADC and classifies them accordingly since the ADC has 8 levels and WUG has 5.  Compare the levels below:


  Citrix ADC       What's Up Gold    WUG Color
  Emergency        Critical          Red !
  Alert            Critical          Red !
  Critical         Critical          Red !
  Error            Error             Red X
  Warning          Warning           Orange
  Notice           Warning           Orange
  Informational    Informational     Blue
  Debug            Other             Grey

Here's how these alerts look in the WUG Log Viewer

So, all that said, this is why we selected WARNING and NOTICE. Given the amount of traffic these Virtual Servers will eventually see, we do NOT want WUG to track everything as Critical or Error. Informational would include a lot of messages unrelated to Virtual Servers, so we use the WUG severity type Warning, which covers both the Warning and Notice logging levels.

  • Now that we have created the Syslog/Auditing Server, we need to bind it to the ADC.

Creating the Syslog Policy

  • Under System->Auditing->Syslog, click on the Policies tab

  • Click on the Add button

  • Name the policy syslog_<servername> and select Advanced Policy
  • Select the syslog server you created earlier and click on Create
  • Now that the policy has been created, we will need to bind it globally to the ADC so we can use it.  Click on the Select Action button and select Advanced Policy Global Bindings


  • Click on Add Binding
  • Select the policy you just created and set the Global Bind Type to SYSTEM_GLOBAL

  • Click on Bind. The server is now added as a syslog destination, and we can define Message Actions that send to it and assign them to a Responder Policy

Creating the Message Action

Message Actions allow you to define what message you want to send to the Syslog server as well as the log level the message is sent at. You can customize these to send a very specific message for a particular Responder Policy, or a generic one to be shared among many Responder Policies.

  • Navigate to System->Auditing->Message Actions. Here you can see several existing Message Actions:

The _ds_<DATA SET NAME> suffix designates that the Action is based on a Data Set, which is composed of a list of IP addresses. Here, two Data Sets are used by the Responder Policies that these Message Actions are bound to: one for the SMTP relay Virtual Server, and one for the Campus Logic Sandbox environment. Note the Log Level assigned to each Message Action. For a RESET action, where we are "denying" hosts access to the Virtual Server, we use the WARNING log level. For any host that is allowed to access the Virtual Server, the message is logged at the NOTICE log level. Keep in mind that unless the Message Action is bound to the specific Responder Policy, the log messages will NOT be sent to the syslog server.

  • If you double click on one of these, you can see that a Message Action has just three fields: Name, Log Level, and Expression (the message sent to the log server).

  • When called, the Message Action above sends the text in quotes to the log server along with the IP address of the client that triggered the Responder Policy. The message in the syslog server looks like:

Binding a Message Action to a Responder Policy

  • Navigate to AppExpert->Responder->Policies and Edit the Policy you want to bind the Message Action to

  • Click on the down arrow of the Log Action field and select the Log (Message) Action you created earlier:

  • Click OK at the bottom of the Responder Policy for the Log Action to be applied

Now when you have an event that triggers this Responder policy, it will send out a log message.  
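The whole procedure above (syslog server, syslog policy and global binding, Message Actions, Responder Policies with Log Actions), expressed as the equivalent Citrix ADC CLI commands. This is an added example, not configuration from the original article; the syslog server IP 192.0.2.10, the data set ds_smtp_relay and its addresses, the virtual server name vs_smtp_relay and the data-set policy rule are assumed placeholders to replace with your own values, while the logging levels and log levels follow the article.

```text
# Added example: CLI equivalent of the GUI steps in this article.
# 192.0.2.10, ds_smtp_relay, vs_smtp_relay and the policy rule are
# assumed placeholders. Enter the commands on the ADC CLI one at a time.

# 1. Syslog server: Custom levels WARNING + NOTICE, local time zone,
#    and user-configurable log messages (needed for Message Actions)
add audit syslogAction syslog_monitor_act 192.0.2.10 -logLevel WARNING NOTICE -timeZone LOCAL_TIME -userDefinedAuditlog YES

# 2. Advanced syslog policy; rule "true" sends everything the action's levels permit
add audit syslogPolicy syslog_monitor true syslog_monitor_act

# 3. Bind the policy globally with Global Bind Type SYSTEM_GLOBAL
bind audit syslogGlobal -policyName syslog_monitor -priority 100 -globalBindType SYSTEM_GLOBAL

# 4. Data set of client IPs permitted to reach the virtual server (assumed values)
add policy dataset ds_smtp_relay ipv4
bind policy dataset ds_smtp_relay 10.10.10.5
bind policy dataset ds_smtp_relay 10.10.10.6

# 5. Message Actions: denied hosts at WARNING, allowed hosts at NOTICE.
#    The expression is quoted text plus the client IP, as the article describes.
add audit messageaction msg_ds_smtp_relay_deny WARNING '"SMTP relay access denied for client " + CLIENT.IP.SRC'
add audit messageaction msg_ds_smtp_relay_allow NOTICE '"SMTP relay access allowed for client " + CLIENT.IP.SRC'

# 6. Responder Policies with their Log Actions. Clients outside the data set
#    get the built-in RESET action and a WARNING line; clients inside it get the
#    built-in NOOP action and a NOTICE line. The EQUALS_ANY rule is an assumption;
#    verify it against the data set syntax of your ADC build.
add responder policy rp_smtp_relay_deny '!CLIENT.IP.SRC.TYPECAST_TEXT_T.EQUALS_ANY("ds_smtp_relay")' RESET -logAction msg_ds_smtp_relay_deny
add responder policy rp_smtp_relay_allow 'CLIENT.IP.SRC.TYPECAST_TEXT_T.EQUALS_ANY("ds_smtp_relay")' NOOP -logAction msg_ds_smtp_relay_allow

# 7. Bind both policies to the virtual server; deny is evaluated first
bind lb vserver vs_smtp_relay -policyName rp_smtp_relay_deny -priority 100 -gotoPriorityExpression END -type REQUEST
bind lb vserver vs_smtp_relay -policyName rp_smtp_relay_allow -priority 110 -gotoPriorityExpression END -type REQUEST

# Verify the levels on the syslog action and the Log Action on the policy
show audit syslogAction syslog_monitor_act
show responder policy rp_smtp_relay_deny
```

Without step 3 nothing reaches the syslog server, and without the -logAction on the Responder Policy the Message Action never fires, which matches the two binding caveats in the article.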


Details


Article ID: 137457
Created
Thu 12/23/21 3:52 PM
Modified
Mon 1/3/22 3:26 PM