Exporting audit logs and events directly from NetScaler to Splunk

Audit logging enables you to log the NetScaler states and status information collected by various modules in NetScaler. By reviewing the logs, you can troubleshoot problems or errors and fix them.

You can now export audit logs and events from NetScaler to industry standard log aggregator platforms such as Splunk and get meaningful insights.

There are multiple ways to export audit logs from NetScaler to Splunk. You can either configure Splunk as a syslog server or as an HTTP server. This topic provides information on configuring Splunk as an HTTP server using the Splunk HTTP event collector. Using the HTTP event collector you can send audit logs over HTTP (or HTTPS) directly to the Splunk platform from your NetScaler.

Configure exporting audit logs from NetScaler to Splunk

To configure the export of audit logs you must perform the following steps:

  1. Configure the HTTP event collector on Splunk.
  2. Create a collector service and time series analytics profile on NetScaler.

Configure HTTP event collector on Splunk

You can forward audit logs to Splunk by configuring an HTTP event collector.

See the Splunk documentation for information on how to configure the HTTP event collector.

Once you have configured the HTTP event collector, copy the authentication token and save it for reference. You need to specify this token while configuring the analytics profile on NetScaler.

Configure time series analytics profile on NetScaler

Do the following to export NetScaler audit logs to Splunk.

  1. Create a collector service for Splunk.

    add service <collector> <splunk-server-ip-address> <protocol> <port>
    

    Example:

    add service splunk_service 10.102.34.155 HTTP 8088
    

    In this configuration:

    • collector: Specify a name for the collector service.
    • splunk-server-ip-address: Specify the Splunk server IP address.
    • protocol: Specify the protocol as HTTP or HTTPS.
    • port: Specify the port number on which the Splunk HTTP event collector listens.
  2. Create a time series analytics profile.

    add analytics profile <profile-name> -type timeseries -auditlogs enabled -collectors <collector-name> -analyticsAuthToken <"auth-token"> -analyticsEndpointContentType <"application/json"> -analyticsEndpointMetadata <"meta-data-for-endpoint:"> -analyticsEndpointUrl <"endpoint-url">

    Example:

    add analytics profile audit_profile -type timeseries -auditlogs enabled -collectors splunk_service -analyticsAuthToken "Splunk 1234-5678-12345" -analyticsEndpointContentType "application/json" -analyticsEndpointMetadata "{\"event\":[" -analyticsEndpointUrl "/services/collector/event"

    In this configuration:

    • auditlogs: Specify the value as enabled to enable audit logging.
    • collectors: Specify the collector service created for Splunk. For example, “splunk_service” is the collector service created in step 1.
    • analyticsAuthToken: Specify the authentication token to be included in the Authorization header when sending logs to Splunk. This is the token generated on the Splunk server when you configured the HTTP event collector.
    • analyticsEndpointContentType: Specify the format of the logs.
    • analyticsEndpointMetadata: Specify the endpoint-specific metadata that is prepended to the exported events.
    • analyticsEndpointUrl: Specify the location on the endpoint to which the logs are exported.

    Note:

    You can modify the time series analytics profile parameters using the set analytics profile command.

  3. Verify the analytics profile configuration using the show analytics profile command.

    # show analytics profile audit_profile
    
    1)    Name: audit_profile
          Collector: splunk
          Profile-type: timeseries
                Output Mode: avro
                Metrics: DISABLED
                  Schema File: schema.json
                  Metrics Export Frequency: 30
                Events: DISABLED
                Auditlog: ENABLED
                Serve mode: Push
           Authentication Token: <auth-token> 
           Endpoint URL: /services/collector/event
           Endpoint Content-type: Application/json
           Endpoint Metadata: Event:
           Reference Count: 0
    

Once the configuration is successful, the audit logs are sent as HTTP payloads to Splunk and you can view them in the Splunk application user interface.
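As an added example (not NetScaler or Splunk code), the following Python script reproduces the exchange that the profile above configures: it POSTs constructed sample audit lines to the analyticsEndpointUrl with the Authorization header carrying the analyticsAuthToken value, the Content-Type taken from analyticsEndpointContentType, and a body opened the way analyticsEndpointMetadata prescribes. It also runs a minimal local stand-in for the HTTP event collector that enforces the token check, so you can see what an accepted and a rejected delivery look like before pointing the real profile at Splunk. The host, port, token and log lines are constructed placeholders; the stand-in's replies follow the collector's {"text": ..., "code": ...} shape but are this script's own, not Splunk's responses.

```python
"""Added example: what a NetScaler audit-log export to a Splunk HTTP event
collector looks like on the wire, checked against a local stand-in collector.
Not NetScaler or Splunk code; all values below are constructed placeholders."""
import json
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.error import HTTPError
from urllib.request import ProxyHandler, Request, build_opener

# Values from the analytics profile on the page (token is the page's placeholder).
HEC_ENDPOINT_URL = "/services/collector/event"   # analyticsEndpointUrl
HEC_CONTENT_TYPE = "application/json"            # analyticsEndpointContentType
HEC_TOKEN = "1234-5678-12345"                    # constructed placeholder token

# Constructed sample lines, loosely modelled on NetScaler audit messages.
SAMPLE_AUDIT_LINES = [
    'default GUI CMD_EXECUTED : User nsroot - Remote_ip 10.0.0.5 - '
    'Command "show analytics profile audit_profile" - Status "Success"',
    'default SSLVPN LOGIN : User alice - Client_ip 10.0.0.9 - Vserver 10.0.0.1:443',
]

# Talk to localhost directly, ignoring any proxy settings in the environment.
OPENER = build_opener(ProxyHandler({}))


class CollectorStandIn(BaseHTTPRequestHandler):
    """Minimal stand-in for the HTTP event collector: checks path, token and
    content type, then records the events found in the {"event": [...]} body."""
    received = []

    def log_message(self, *args):  # keep the example quiet
        pass

    def _reply(self, status, body):
        data = json.dumps(body).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(data)))
        self.end_headers()
        self.wfile.write(data)

    def do_POST(self):
        if self.path != HEC_ENDPOINT_URL:
            return self._reply(404, {"text": "Not found", "code": 404})
        auth = self.headers.get("Authorization", "")
        if not auth:
            return self._reply(401, {"text": "Token is required", "code": 2})
        if auth != "Splunk " + HEC_TOKEN:        # token must match exactly
            return self._reply(403, {"text": "Invalid token", "code": 4})
        if self.headers.get("Content-Type") != HEC_CONTENT_TYPE:
            return self._reply(400, {"text": "Invalid content type", "code": 5})
        length = int(self.headers.get("Content-Length", 0))
        try:
            events = json.loads(self.rfile.read(length))["event"]
        except (ValueError, KeyError, TypeError):
            return self._reply(400, {"text": "Invalid data format", "code": 6})
        CollectorStandIn.received.extend(events)
        self._reply(200, {"text": "Success", "code": 0})


def start_collector():
    """Start the stand-in on an ephemeral localhost port; return (server, base_url)."""
    server = HTTPServer(("127.0.0.1", 0), CollectorStandIn)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, "http://127.0.0.1:%d" % server.server_address[1]


def send_audit_logs(base_url, auth_token, log_lines):
    """POST log_lines the way the analytics profile describes: the token value
    goes in the Authorization header, the body is {"event":[ ... ]} (the page's
    analyticsEndpointMetadata prefix), sent to the endpoint URL.
    Returns (HTTP status, decoded JSON reply)."""
    body = json.dumps({"event": log_lines}).encode()
    req = Request(base_url + HEC_ENDPOINT_URL, data=body, method="POST",
                  headers={"Authorization": auth_token,
                           "Content-Type": HEC_CONTENT_TYPE})
    try:
        with OPENER.open(req) as resp:
            return resp.status, json.loads(resp.read())
    except HTTPError as err:
        return err.code, json.loads(err.read())


def run_demo():
    """Push the sample lines once with the right token and once with a wrong
    one; return both results plus what the stand-in actually accepted."""
    server, base = start_collector()
    try:
        ok = send_audit_logs(base, "Splunk " + HEC_TOKEN, SAMPLE_AUDIT_LINES)
        bad = send_audit_logs(base, "Splunk wrong-token", SAMPLE_AUDIT_LINES)
    finally:
        server.shutdown()
        server.server_close()
    return ok, bad, list(CollectorStandIn.received)


if __name__ == "__main__":
    accepted, rejected, stored = run_demo()
    print("valid token   ->", accepted)
    print("invalid token ->", rejected)
    print("events stored ->", len(stored))
```

The point of the stand-in is the token check: a profile whose analyticsAuthToken lacks the "Splunk " prefix, or carries a revoked token, is rejected with the same kind of 4xx reply the script shows, and no events are stored. Running this against the real collector is simply a matter of passing Splunk's base URL to send_audit_logs.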