Chapter 3
Audit Logging
Topics:
•Configuring the NetScaler Appliance for Audit Logging
•Installing and Configuring the NSLOG Server
•Running the NSLOG Server
•Customizing Logging on the NSLOG Server
•Default Settings for the Log Properties
•Sample Configuration File (audit.conf)
Auditing is a methodical examination or review of a condition or situation. The Audit Logging feature enables you to log the Citrix® NetScaler® states and status information collected by various modules in the kernel and in the
SYSLOG is a standard protocol for logging. It has two components─ the SYSLOG auditing module, which runs on the NetScaler appliance, and the SYSLOG server, which can run on the underlying FreeBSD operating system (OS) of the NetScaler appliance or on a remote system. SYSLOG uses user data protocol (UDP) for the transfer of data.
Similarly, the native NSLOG protocol has two components─ the NSLOG auditing module, which runs on the NetScaler appliance, and the NSLOG server, which can run on the underlying FreeBSD OS of the NetScaler appliance or on a remote system. NSLOG uses transmission control protocol (TCP) for transfer of data.
When you run NSLOG or a SYSLOG server, it connects to the NetScaler appliance. The NetScaler appliance then starts sending all the log information to the SYSLOG or NSLOG server, and the server can filter the log entries before storing them in a log file. An NSLOG or SYSLOG server can receive log information from more than one NetScaler appliance and a NetScaler appliance can send log information to more than one SYSLOG server or NSLOG server.
The log information that a SYSLOG or NSLOG server collects from a NetScaler appliance is stored in a log file in the form of messages. These messages typically contain the following information:
wThe IP address of a NetScaler appliance that generated the log message
wA time stamp
wThe message type
wThe predefined log levels (Critical, Error, Notice, Warning, Informational, Debug, Alert, and Emergency)
wThe message information
71
