Configuring Audit Server Logging on a Server system
Use the following process to configure audit server logging on the server computer, which can be running Windows, Linux, or FreeBSD.
1. Install audit server logging as described in “Installing the Audit Server Files,” on page 42.
2. Using a text editor, make the following changes in the auditlog.conf file:
A. Add the IP address of the audit server in the MYIP field.
B. Define the log filters and log properties.
C. Add the IP address of the Citrix NetScaler System.
D. Verify the configuration.
3. Start audit server logging.
Defining Filters
Define filters in the configuration file (for example, auditlog.conf) to configure each Citrix NetScaler to log web transactions handled by the logging server.
Define log properties for each filter. The filter applies these log properties to the transactions that match the filter definition.
Defining Default Filters
To define the default filter, you can either use the filter in the sample configuration auditlog.conf file or modify it.
Creating Filters
To create a filter, type the following command in the auditlog.conf file:
filter <filterName> [IP <ip>] [NETMASK <mask>] [ON | OFF]
<filterName> specifies the name of the filter (maximum of 64 alphanumeric characters).
<ip> specifies the IP addresses.
<mask> specifies the subnet mask to be used on a subnet.
Specify ON to enable the filter to log transactions, or specify OFF to disable the filter. If no argument is specified, the filter is ON.
Examples
filter F1 IP 192.168.100.151 ON
To apply the filter F2 to IP addresses 192.250.100.1 to 192.250.100.254:
filter F2 IP 192.250.100.0 NETMASK 255.255.255.0 ON
Defining Log Properties
Log properties associated with the filter are applied to all the log entries present in the filter. The log property definition starts with the keyword BEGIN and ends with END, as illustrated in the following example:
BEGIN <filtername>
logFilenameFormat ...
logDirectory ...
logInterval ...
logFileSize ....
END
Entries in the definition can include the following:
• LogInterval specifies the interval at which new log files are created. Use one of the following values:
• Hourly - every hour
• Daily - every day at midnight
• Weekly - every Sunday at midnight
• Monthly - the first day of the month at midnight
• None - only once, when audit server logging starts.
• Size - only when the log file size limit is reached.
By default the LogInterval property is set to Hourly.
Example:
LogInterval Hourly
• LogFileSizeLimit specifies the maximum size (in MB) of the log file. A new file is created when the limit is reached.
Note that you can override the loginterval property by assigning size as its value.
The default LogFileSizeLimit is 10 MB.
Example:
LogFileSizeLimit 35
• LogFilenameFormat specifies the file name format of the log file. The name of the file can be of the following types:
• Static: A constant string that specifies the absolute path and the file name.
• Dynamic: An expression that includes the following format specifiers:
• Date (%{format}t)
• % creates filename with NSIP
Example:
LogFileNameFormat Ex%{%m%d%y}t.log
This creates the first file name as Exmmddyy.log. New files are named Exmmddyy.log.0, Exmmddyy.log.1, and so on. In the following example, the new files are created when the file size reaches 100 MB.
Example:
LogInterval size
LogFileSize 100
LogFileNameFormat Ex%{%m%d%y}t
• logDirectory specifies the directory name format of the log file. The name of the file can be either of the following:
• Static: Is a constant string that specifies the absolute path and filename.
• Dynamic: Is an expression containing the following format specifiers:
• Date (%{format}t)
• % creates directory with NSIP
The directory separator depends on the operating system. In Windows, use the directory separator \.
Example:
LogDirectory dir1\dir2\dir3
In the other operating systems (Linux, FreeBSD, Mac, etc.), use the directory separator /.
Example:
LogDirectory dir1/dir2/dir3
Default Settings for the Log Properties
The following is an example of the default filter with default settings for the log properties:
begin default
logInterval Hourly
logFileSizeLimit 10
logFilenameFormat auditlog%{%y%m%d}t.log
end default
Following are two examples of defining the default filters:
Example 1:
Filter f1 IP 192.168.10.1
This creates a log file for NSIP 192.168.10.1 with the default values of the log in effect.
Example 2:
Filter f1 IP 192.168.10.1
begin f1
logFilenameFormat logfiles.log
end f1
This creates a log file for NSIP 192.168.10.1. Since only the log file name format is specified, the default values of the other log properties are in effect.
Adding the IP Addresses of the System
In the configuration file, add the IP addresses of the system that performs the audit server logging and the Citrix NetScaler Systems whose events must be logged.
To add the IP addresses
1. At a command prompt, type the following command:
audserver -addns -f <directorypath>\auditlog.conf
<directorypath> specifies the path to the configuration file (for example, auditlog.conf).
You are prompted to enter the information for the following parameters:
NSIP specifies the IP address of the Citrix NetScaler System, for example, 10.102.29.1.
Userid specifies the username, for example, nsroot.
Password specifies the password, for example, nsroot.
If you add multiple NetScaler IP addresses (NSIPs) and later do not want to log the event details of all of the Citrix NetScaler Systems, you can delete NSIPs manually by removing the corresponding NSIP statement at the end of the auditlog.conf file. In a failover setup, you must add both the primary and secondary Citrix NetScaler IPs to auditlog.conf using the audserver command. Before adding the IP address, make sure the username and password exist on the system.
Verifying Configuration
Check the configuration file (auditlog.conf) for syntax correctness to enable logging to start and function correctly.
To verify configuration, at a command prompt, type the following command:
audserver -verify -f <directorypath>\auditlog.conf
<directorypath> specifies the path where the configuration file (auditlog.conf) resides.
Starting Audit Server Logging
To start audit server logging, enter the following command at a command prompt:
audserver -start -f <directorypath>\auditlog.conf
<directorypath> specifies the path to the configuration file (auditlog.conf).
Stopping Audit Server Logging
To stop audit server logging that starts as a background process in FreeBSD or Linux, use the following command:
audserver -stop
To stop audit server logging that starts as a service in Windows, use the following command:
audserver -stopservice
Sample Configuration File
Following is a sample configuration file:
##############################
# This is the Auditserver configuration file
# Only the default filter is active
# Remove leading # to activate other filters
##############################
MYIP <NSAuditserverIP>
MYPORT 3023
# Filter filter_nsip IP <Specify the NetScaler IP address to filter on> ON
# begin filter_nsip
# logInterval Hourly
# logFileSizeLimit 10
# logDirectory logdir\%A\
# logFilenameFormat nsip%{%d%m%Y}t.log
# end filter_nsip
Filter default
begin default
logInterval Hourly
logFileSizeLimit 10
logFilenameFormat auditlog%{%y%m%d}t.log
end default
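A pre-flight check for the statements described on this page, as an added example (not Citrix code and not a substitute for audserver -verify): it checks filter statements against the syntax given under Creating Filters, IP/NETMASK pairs, begin/end pairing, logInterval values, and that MYIP holds an address rather than the unfilled placeholder. The function name, the sample input, the acceptance of underscores in filter names, and the host-bits check are assumptions of this example.

```python
import ipaddress
import re

INTERVALS = {"hourly", "daily", "weekly", "monthly", "none", "size"}
# filter <filterName> [IP <ip>] [NETMASK <mask>] [ON | OFF]; "_" in names is an assumption.
FILTER_RE = re.compile(
    r"filter\s+(\w{1,64})(?:\s+IP\s+(\S+))?(?:\s+NETMASK\s+(\S+))?(?:\s+(?:ON|OFF))?", re.I | re.A)

def lint_auditlog_conf(text):
    """Return (line_no, message) findings; an empty list means nothing was flagged."""
    findings, filters, block, myip_seen, no = [], set(), None, False, 0
    for no, raw in enumerate(text.splitlines(), 1):
        key, value = (raw.lower().split(None, 1) + ["", ""])[:2]  # "#" lines match no key
        value, addr = value.strip(), None
        if key == "filter":
            m = FILTER_RE.fullmatch(raw.strip())
            if not m:
                findings.append((no, "malformed filter statement"))
            else:
                filters.add(m[1].lower())
                addr = f"{m[2]}/{m[3] or 32}" if (m[2] or m[3]) else None
        elif key == "myip":
            myip_seen, addr = True, value
        elif key == "begin":
            if block or value not in filters:
                findings.append((no, f"begin '{value}' is nested or names an undefined filter"))
            block = value
        elif key == "end":
            if block != value:
                findings.append((no, f"end '{value}' does not close the open block"))
            block = None
        elif key == "loginterval" and value not in INTERVALS:
            findings.append((no, f"unknown logInterval '{value}'"))
        if addr is not None:
            try:  # strict parse: bad address, bad mask, or host bits set under the mask
                ipaddress.IPv4Network(addr)
            except ValueError:
                findings.append((no, f"{key}: '{addr}' is not a valid IPv4 address or network"))
    if block:
        findings.append((no, f"block '{block}' has no end"))
    return findings if myip_seen else findings + [(0, "MYIP is missing")]

# Constructed input: host bits set under the mask, an unknown interval, a missing end.
SAMPLE = """MYIP 10.0.0.5
filter F2 IP 192.250.100.7 NETMASK 255.255.255.0 ON
begin F2
logInterval Fortnightly
"""
print(*lint_auditlog_conf(SAMPLE), sep="\n")
```

Run it on the edited file before audserver -verify; a finding with line number 0 refers to the file as a whole.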
Checklist for Configuring Audit Server Logging
Use the following checklist when you configure audit server logging, and to troubleshoot problems:
1. Verify that the Citrix NetScaler System username and password are valid.
2. If there is a firewall between the NetScaler and logging machine, make sure the RPC 3010/3011 port is open.
3. Verify that the Citrix NetScaler is accessible from the log machine by doing the following:
• Ping the Citrix NetScaler IP address.
• Use FTP and Telnet to access the NetScaler.
4. Verify that the IP address of the system is present in the configuration file (auditlog.conf).
5. Verify that the Audit Server IP address is entered in the MYIP field in the auditlog.conf file.