ADC

Audit logging

Auditing is a methodical examination or review of a condition or situation. The Audit Logging feature enables you to log the Citrix ADC states and status information collected by various modules in the kernel and in the user-level daemons. For audit logging, you can use the SYSLOG protocol, the native NSLOG protocol, or both.

SYSLOG is a standard protocol for logging. It has two components: the SYSLOG auditing module, which runs on the Citrix ADC appliance, and the SYSLOG server, which can run on the underlying FreeBSD operating system (OS) of the Citrix ADC appliance or on a remote system. SYSLOG uses user data protocol (UDP) for data transfer.

Similarly, the native NSLOG protocol has two components─ the NSLOG auditing module, which runs on the Citrix ADC appliance, and the NSLOG server, which can run on the underlying FreeBSD OS of the Citrix ADC appliance or on a remote system. NSLOG uses transmission control protocol (TCP) for data transfer.

When you run a SYSLOG or NSLOG server, it connects to the Citrix ADC appliance. The Citrix ADC appliance then starts sending all the log information to the SYSLOG or NSLOG server, and the server can filter the log entries before storing them in a log file. An NSLOG or SYSLOG server can receive log information from more than one Citrix ADC appliance, and a Citrix ADC appliance can send log information to more than one SYSLOG server or NSLOG server.

If multiple SYSLOG servers are configured, the Citrix ADC appliance send its SYSLOG events and messages to all the configured external log servers. This results in storing redundant messages and makes monitoring difficult for system administrators. To address this issue, the Citrix ADC appliance offers load balancing algorithms that can load balance the SYSLOG messages among the external log servers for better maintenance and performance. The supported load balancing algorithms include RoundRobin, LeastBandwidth, CustomLoad, LeastPackets, and AuditlogHash.

Note

The Citrix ADC appliance can send audit log messages up to 16 KB to an external SYSLOG server.

The log information that a SYSLOG or NSLOG server collects from a Citrix ADC appliance is stored in a log file in the form of messages. These messages typically contain the following information:

  • The IP address of a Citrix ADC appliance that generated the log message.
  • A time stamp
  • The message type
  • The predefined log levels (Critical, Error, Notice, Warning, Informational, Debug, Alert, and Emergency)
  • The message information

To configure audit logging, you first configure the audit modules on the Citrix ADC appliance. That involves creating audit policies and specifying the NSLOG server or SYSLOG server information. You then install and configure the SYSLOG or the NSLOG server on the underlying FreeBSD OS of the Citrix ADC appliance or on a remote system.

Note:

Because SYSLOG is an industry standard for logging program messages, and various vendors provide support, this documentation does not include SYSLOG server configuration information.

The NSLOG server has its own configuration file (auditlog.conf). You can customize logging on the NSLOG server system by making additional modifications to the configuration file (auditlog.conf).

Audit logging