-
Getting Started with NetScaler
-
Deploy a NetScaler VPX instance
-
Optimize NetScaler VPX performance on VMware ESX, Linux KVM, and Citrix Hypervisors
-
Apply NetScaler VPX configurations at the first boot of the NetScaler appliance in cloud
-
Configure simultaneous multithreading for NetScaler VPX on public clouds
-
Install a NetScaler VPX instance on Microsoft Hyper-V servers
-
Install a NetScaler VPX instance on Linux-KVM platform
-
Prerequisites for installing NetScaler VPX virtual appliances on Linux-KVM platform
-
Provisioning the NetScaler virtual appliance by using OpenStack
-
Provisioning the NetScaler virtual appliance by using the Virtual Machine Manager
-
Configuring NetScaler virtual appliances to use SR-IOV network interface
-
Configuring NetScaler virtual appliances to use PCI Passthrough network interface
-
Provisioning the NetScaler virtual appliance by using the virsh Program
-
Provisioning the NetScaler virtual appliance with SR-IOV on OpenStack
-
Configuring a NetScaler VPX instance on KVM to use OVS DPDK-Based host interfaces
-
-
Deploy a NetScaler VPX instance on AWS
-
Deploy a VPX high-availability pair with elastic IP addresses across different AWS zones
-
Deploy a VPX high-availability pair with private IP addresses across different AWS zones
-
Protect AWS API Gateway using the NetScaler Web Application Firewall
-
Configure a NetScaler VPX instance to use SR-IOV network interface
-
Configure a NetScaler VPX instance to use Enhanced Networking with AWS ENA
-
Deploy a NetScaler VPX instance on Microsoft Azure
-
Network architecture for NetScaler VPX instances on Microsoft Azure
-
Configure multiple IP addresses for a NetScaler VPX standalone instance
-
Configure a high-availability setup with multiple IP addresses and NICs
-
Configure a high-availability setup with multiple IP addresses and NICs by using PowerShell commands
-
Deploy a NetScaler high-availability pair on Azure with ALB in the floating IP-disabled mode
-
Configure a NetScaler VPX instance to use Azure accelerated networking
-
Configure HA-INC nodes by using the NetScaler high availability template with Azure ILB
-
Configure a high-availability setup with Azure external and internal load balancers simultaneously
-
Configure a NetScaler VPX standalone instance on Azure VMware solution
-
Configure a NetScaler VPX high availability setup on Azure VMware solution
-
Configure address pools (IIP) for a NetScaler Gateway appliance
-
Deploy a NetScaler VPX instance on Google Cloud Platform
-
Deploy a VPX high-availability pair on Google Cloud Platform
-
Deploy a VPX high-availability pair with external static IP address on Google Cloud Platform
-
Deploy a single NIC VPX high-availability pair with private IP address on Google Cloud Platform
-
Deploy a VPX high-availability pair with private IP addresses on Google Cloud Platform
-
Install a NetScaler VPX instance on Google Cloud VMware Engine
-
-
Solutions for Telecom Service Providers
-
Load Balance Control-Plane Traffic that is based on Diameter, SIP, and SMPP Protocols
-
Provide Subscriber Load Distribution Using GSLB Across Core-Networks of a Telecom Service Provider
-
Authentication, authorization, and auditing application traffic
-
Basic components of authentication, authorization, and auditing configuration
-
Web Application Firewall protection for VPN virtual servers and authentication virtual servers
-
On-premises NetScaler Gateway as an identity provider to Citrix Cloud
-
Authentication, authorization, and auditing configuration for commonly used protocols
-
Troubleshoot authentication and authorization related issues
-
-
-
-
-
-
Persistence and persistent connections
-
Advanced load balancing settings
-
Gradually stepping up the load on a new service with virtual server–level slow start
-
Protect applications on protected servers against traffic surges
-
Retrieve location details from user IP address using geolocation database
-
Use source IP address of the client when connecting to the server
-
Use client source IP address for backend communication in a v4-v6 load balancing configuration
-
Set a limit on number of requests per connection to the server
-
Configure automatic state transition based on percentage health of bound services
-
-
Use case 2: Configure rule based persistence based on a name-value pair in a TCP byte stream
-
Use case 3: Configure load balancing in direct server return mode
-
Use case 6: Configure load balancing in DSR mode for IPv6 networks by using the TOS field
-
Use case 7: Configure load balancing in DSR mode by using IP Over IP
-
Use case 10: Load balancing of intrusion detection system servers
-
Use case 11: Isolating network traffic using listen policies
-
Use case 12: Configure Citrix Virtual Desktops for load balancing
-
Use case 13: Configure Citrix Virtual Apps and Desktops for load balancing
-
Use case 14: ShareFile wizard for load balancing Citrix ShareFile
-
Use case 15: Configure layer 4 load balancing on the NetScaler appliance
-
-
Monitoring NetScaler and applications using Prometheus
-
Exporting audit logs and events directly from NetScaler to Splunk
-
-
-
-
Authentication and authorization for System Users
-
-
Configuring a CloudBridge Connector Tunnel between two Datacenters
-
Configuring CloudBridge Connector between Datacenter and AWS Cloud
-
Configuring a CloudBridge Connector Tunnel Between a Datacenter and Azure Cloud
-
Configuring CloudBridge Connector Tunnel between Datacenter and SoftLayer Enterprise Cloud
-
Configuring a CloudBridge Connector Tunnel Between a NetScaler Appliance and Cisco IOS Device
-
CloudBridge Connector Tunnel Diagnostics and Troubleshooting
This content has been machine translated dynamically.
Dieser Inhalt ist eine maschinelle Übersetzung, die dynamisch erstellt wurde. (Haftungsausschluss)
Cet article a été traduit automatiquement de manière dynamique. (Clause de non responsabilité)
Este artículo lo ha traducido una máquina de forma dinámica. (Aviso legal)
此内容已经过机器动态翻译。 放弃
このコンテンツは動的に機械翻訳されています。免責事項
이 콘텐츠는 동적으로 기계 번역되었습니다. 책임 부인
Este texto foi traduzido automaticamente. (Aviso legal)
Questo contenuto è stato tradotto dinamicamente con traduzione automatica.(Esclusione di responsabilità))
This article has been machine translated.
Dieser Artikel wurde maschinell übersetzt. (Haftungsausschluss)
Ce article a été traduit automatiquement. (Clause de non responsabilité)
Este artículo ha sido traducido automáticamente. (Aviso legal)
この記事は機械翻訳されています.免責事項
이 기사는 기계 번역되었습니다.책임 부인
Este artigo foi traduzido automaticamente.(Aviso legal)
这篇文章已经过机器翻译.放弃
Questo articolo è stato tradotto automaticamente.(Esclusione di responsabilità))
Translation failed!
Monitoring NetScaler, applications, and application security using Prometheus
Metrics are a numeric representation of data that are measured over a certain period of time. Metric data is useful to track the health of a system over time. Prometheus is an open-source monitoring tool that collects metrics data and stores that data with a time stamp at which the data was recorded.
By monitoring and analyzing metrics, you can track the health of your applications, detect any anomalies, create alerts, and take necessary corrective actions to ensure robust software delivery.
NetScaler now supports directly exporting metrics to Prometheus. You can use the rich set of metrics provided by NetScaler ADC to monitor NetScaler health as well as application health. For example, you can gather metrics on CPU and memory usage to know the NetScaler health. Similarly, you can use metrics like the number of HTTP requests received per second or the number of active clients to monitor application health.
Export of metrics from NetScaler to Prometheus
NetScaler supports the Prometheus pull mode as well as push mode. In the pull mode, you need to configure a time series profile that Prometheus queries at regular intervals and pulls the metrics data directly without an exporter resource in between. With pull mode, you can enable read-only access for a user without superuser privileges to export metrics to Prometheus. Using Grafana, you can visualize the NetScaler metrics exported to Prometheus for easier interpretation and understanding.
The following diagram shows a Prometheus and Grafana integration with NetScaler.
Configure the export of metrics from NetScaler to Prometheus and visualization using Grafana
You must perform the followings steps to configure the export of metrics from NetScaler to Prometheus and visualize it using Grafana.
- Configure NetScaler with a time series analytics profile for exporting metrics to Prometheus.
- Install prometheus and configure it with the NetScaler specific parameters.
- Add Prometheus as a data source in Grafana.
- Create visualization in Grafana
Configure a time series analytics profile on NetScaler to support the Prometheus pull mode
Do the following steps for configuring pull mode using the NetScaler CLI:
-
Create an analytics profile with type as time series. Specify the schema file with the required NetScaler metrics.
add analytics profile <timeseries_profile_name> -type timeseries -schemaFile <name_of_schema_file> -outputMode Prometheus -serveMode PULL -metrics ENABLED
In this command:
-
timeseries_profile_name
: Specify the time series profile name. -
schemaFile
: Specify the name of the schema file with NetScaler counters. By default, a schema file/var/metrics_conf/schema.json
with a list of counters is configured. A reference schema filereference_schema.json
with all the supported counters is also available under the path/var/metrics_conf/
. This schema file can be used as a reference to build a custom list of counters. When you specify the schema file, the path of the schema file/var/metrics_conf/
is automatically added and you need to mention only the schema file name. For example, if you have created a schema fileschema1.json
with a custom list of counters at/var/metrics_conf/
, you need to specify only the file name asschema1.json
. -
outputMode
: Set the output mode as Prometheus. -
serveMode
: Specify Prometheus pull mode. -
metrics
: Enable collecting metrics from NetScaler.
-
Note:
You can configure an analytics profile with all the necessary parameters using the add command. If you need to make changes after creating the profile, you can use the set command to take the appropriate action such as disabling metrics and changing the server mode. You can configure read-only Prometheus access for a non-super user. For more information, see configure read-only Prometheus access for a non-superuser.
Install and configure Prometheus for metrics export from NetScaler
You can download Prometheus from repositories such as DockerHub or Quay or the official Prometheus repository.
To run Prometheus as a Docker container use the following command:
docker run -dp 39090:9090 -v /tmp/prometheus.yml:/etc/prometheus/prometheus.yml --name native_prom prom/prometheus:latest > **Note:** > > Here, `/tmp/prometheus.yml` is used as the path to the `prometheus.yml` file. Instead of that, you can specify the path on your virtual machine.
You must edit the prometheus.yml
with the NetScaler parameters.
To export metrics from NetScaler, you must specify the following NetScaler specific parameters in the Prometheus YAML scrape configuration section. The scrape configuration section specifies a set of targets and configuration parameters describing how to scrape them.
-
metrics_path
: Specify the HTTP resource path in NetScaler (/nitro/v1/config/systemfile) to fetch metrics. -
username
: Specify the NetScaler user name. -
password
: Specify the NetScaler password. -
targets
: Specify the IP address of the NetScaler from which you need to export metrics the metrics and the port you want to expose. -
filename
: Specify the name of the configured time series profile in place oftimeseries_profile_name
at themetrics_prom_<timeseries_profile_name>.log
file. -
filelocation
: Specify the file location as/var/nslog
.
Following is the scrap configuration section of the Prometheus YAML to add the NetScaler IP address as a target on Prometheus to export metrics. Here, HTTP is used as the scheme. You can use either HTTP or HTTPS.
scrape_configs:
- job_name: 'vpx2_metrics_direct'
metrics_path: /nitro/v1/config/systemfile
params:
args: ['filename:metrics_prom_ns_analytics_time_series_profile.log,filelocation:/var/nslog']
format: ['prometheus']
basic_auth:
username: 'prom_user'
password: 'user_password'
scheme: http
scrape_interval: 30s
static_configs:
- targets: ['10.102.34.231:80']
<!--NeedCopy-->
Add Prometheus as a data source in Grafana
If you need visualization of metrics using Grafana dashboards, you need to add Prometheus as a data source in Grafana. For more information, see add Prometheus as a data source in Grafana.
Create the visualization of metrics in Grafana
You can create a Grafana dashboard and select the key metrics and the appropriate visualization-type.
The following procedure shows adding a metric to the Grafana panel and creating a sample visualization dashboard.
- Specify the Panel Title.
- In the Query tab, for the query A, specify the required metric.
- In the Settings tab, select the Visualization type.
You can modify the data and its representation in Grafana. For more information, see the Grafana Documentation.
Following is a sample Grafana dashboard with a few NetScaler metrics:
In this dashboard, you can see graphs for different NetScaler metrics such as:
-
vsvr_tot_Hits
: Shows the number of requests received by the virtual server. -
cc_cpu_use
: Shows the CPU utilization percentage. -
http_tot_Requests
: Shows HTTP requests received. -
serv_tot_serviced
: Shows the request being serviced. -
mem_cur_used_size
: Shows the currently used memory of the NetScaler appliance.
Sample Prometheus graphs
Using the Prometheus expression browser, you can display the time series metrics collected by the Prometheus server. You can access the expression browser by pointing to prometheu-server-ip-address/graph
in your browser. You can enter an expression and see the result either as a table or graph over time. Specify which exact metric that you want to display by typing in the metric name into the Expression field. You can specify multiple counters using different panels.
The following diagram shows Prometheus graphs for two NetScaler metrics cpu_use
and http_tot_requests
.
Sample Grafana dashboard
You can download the sample dashboards from NetScaler downloads page.
The following is a sample Grafana dashboard with the option to see the various metrics of overall infrastructure at one place like NetScaler health, virtual server status, application health (HTTP and TCP apps), and application security (SSL apps).
You can expand the corresponding section in the dashboard to view the detailed visualization of each section such as HTTP Apps, SSL Apps, TCP Apps, virtual server stats (vStats), and NetScaler stats.
The following diagram shows a sample Grafana dashboard with NetScaler stats expanded:
Additional information
Schema with the required NetScaler counters to export
Metrics collector exports counters present in the configured schema file. The /var/metrics_conf/schema.json
file is the default schema file configured in the analytics profile.
The schema file is a list of entity types and associated counters. In the schema, all global or system level counters are grouped under the entity type netscaler
. Some of the global counters are CPU usage (cpu_use
), management CPU usage (mgmt_cpu_use
), and total number of HTTP requests received (http_tot_Requests
). The counters specific to service groups, lbvserver
, csvserver
, and so on are listed under the respective entity types.
Following is a sample of counters in the schema.json
file for the authentication virtual server (vserver_authn
) entity.
"vserver_authn":
[
{"name":"si_tot_Requests","rate":"True"},
{"name":"si_tot_Responses","rate":"True"},
{"name":"si_tot_RequestBytes","rate":"True"},
{"name":"si_cur_state","rate":"False"},
{"name":"si_tot_ResponseBytes","rate":"True"},
{"name":"si_peer_port","rate":"True"},
{"name":"vsvr_Protocol","rate":"False"}
]
The following table explains the counters mentioned in this sample:
Counter name | Description |
---|---|
si_tot_Requests |
Total number of requests received on this service or virtual server. |
si_tot_Responses |
Total number of responses received on this service or virtual server. |
si_tot_RequestBytes |
Total number of request bytes received on this service or virtual server. |
si_cur_state |
Current state of the virtual server. |
si_tot_ResponseBytes |
Total number of response bytes received on this service or virtual server. |
si_peer_port |
The port on which the service is running. |
vsvr_Protocol |
Protocol associated with the virtual server. |
The rate
field can be set as True
if the rate value a counter needs to be exported. For example, the rate of si_tot_Requests
is exported if the rate
is set to True
for si_tot_Requests
.
Following is a sample of counters from the netscaler
entity.
"netscaler":
[
{"name":"cpu_use","rate":"False"},
{"name":"mgmt_cpu_use","rate":"False"},
{"name":"tcp_tot_rxpkts","rate":"True"},
{"name":"tcp_tot_rxbytes","rate":"True"},
{"name":"tcp_tot_txpkts","rate":"True"},
{"name":"tcp_tot_txbytes","rate":"True"},
{"name":"tcp_cur_ClientConnEst","rate":"False"},
{"name":"tcp_cur_ServerConnEst","rate":"False"},
{"name":"tcp_cur_ClientConn","rate":"False"},
{"name":"tcp_cur_ClientConnClosing","rate":"False"},
{"name":"tcp_tot_ClientOpen","rate":"True"},
{"name":"tcp_cur_ServerConn","rate":"False"},
{"name":"tcp_cur_ServerConnClosing","rate":"False"},
{"name":"http_tot_Requests","rate":"True"},
{"name":"http_tot_Responses","rate":"True"},
{"name":"http_tot_Gets","rate":"True"},
{"name":"http_tot_Posts","rate":"True"},
{"name":"http_tot_Others","rate":"True"},
]
The following table explains the counters mentioned in this sample:
Counter name | Description |
---|---|
cpu_use |
Tracks the CPU utilization percentage (CPU utilization percentage * 10). |
tcp_tot_rxpkts |
TCP packets received. |
tcp_tot_rxbytes |
Bytes of TCP data received. |
tcp_tot_txpkts |
TCP packets transmitted. |
tcp_tot_txbytes |
Bytes of TCP data transmitted. |
tcp_cur_ClientConnEst |
Current client connections in the Established state, which indicates that data transfer can occur between the NetScaler appliance and the client. |
tcp_cur_ServerConnEst |
Current server connections in the Established state, which indicates that data transfer can occur between the NetScaler appliance and the server. |
tcp_cur_ClientConn |
Client connections, including connections in the Opening, Established, and Closing state. Server connections, including connections in the Opening, Established, and Closing state. |
tcp_cur_ClientConnClosing |
Client connections in the Closing state, which indicates that the connection termination process has initiated but is not complete. |
tcp_cur_ServerConn |
Server connections, including connections in the Opening, Established, and Closing state. |
tcp_cur_ServerConnClosing |
Server connections in the Closing state, which indicates that the connection termination process has initiated but is not complete. |
http_tot_Requests |
This counter tracks HTTP requests received using the GET method. |
http_tot_Responses |
This counter tracks HTTP requests received using the POST method. |
http_tot_Gets |
This counter tracks HTTP requests received using the GET method. |
http_tot_Posts |
This counter tracks HTTP requests received. |
http_tot_Others |
This counter tracks HTTP requests received using methods other than GET and POST. |
Following is a sample of counters from the vserver_ssl
entity.
"vserver_ssl":
[
{"name":"ssl_ctx_tot_session_hits","rate":"True"},
{"name":"ssl_ctx_tot_session_new","rate":"True"},
{"name":"ssl_ctx_tot_enc_bytes","rate":"True"},
{"name":"ssl_ctx_tot_dec_bytes","rate":"True"},
]
The following table explains the SSL counters mentioned in this sample:
Counter name | Description |
---|---|
ssl_ctx_tot_session_hits |
This counter tracks the number of session hits. |
ssl_ctx_tot_session_new |
This counter tracks the number of new sessions created. |
ssl_ctx_tot_enc_bytes |
This counter tracks the number of encrypted bytes per SSL virtual server. |
ssl_ctx_tot_dec_bytes |
This counter tracks the number of bytes decrypted per SSL virtual server. |
Configure read-only Prometheus access for a non-super user
Perform the following steps to configure read-only Prometheus access for a non-super user.
-
Add a new user to the NetScaler appliance.
add system user <ns_user_name> <ns_user's_password> -externalAuth enabled -promptString user-%u-at-%T logging enaBLED
Example :
add system user nspaul nspaul -externalAuth enabled -promptString user-%u-at-%T logging enaBLED
-
Create a command policy for a read only user. This command policy allows read-only access from any file under the
/var/nslog/ directory
.add system cmdPolicy read-only-prometheus ALLOW \"\(^man.\*)|\(^show\s+\(?!system)\(?!configstatus)\(?!ns ns\.conf)\(?!ns savedconfig)\(?!ns runningConfig)\(?!gslb runningConfig)\(?!audit messages)\(?!techsupport).\*)|\(^stat.\*)|\(show system file .\* -filelocation \"/var/nslog\")\"
-
If metrics are only written to a certain file, you may even limit user access such that they can only get that specific file.
add system cmdPolicy read-only-prometheus ALLOW \"\(^man.\*)|\(^show\s+\(!system)\(!configstatus)\(!ns ns\.conf)\(!ns savedconfig) \(!ns runningConfig)\(!gslb runningConfig)\(!audit messages)\(!techsupport).\*)|\(^stat.\*) |\(show system file metrics\_prom\_<name\_of\_timeseries\_profile>.log -filelocation \"/var/nslog\")\"
Note:
In the
show system file
command, specify the name of the time series profile you have configured in place ofname_of_ timeseries_profile
. -
Bind a user with the command policy.
bind system user <userName> \(\(<policyName> <priority>) | -partitionName <string>)
For example :
bind system user user1 read-only-prometheus 0
To unbind and remove a user from the command policy use the following commands:
-
Unbind a configured user from the system command policy.
unbind system user <userName> \(<policyName> | -partitionName <string>
For example:
unbind system user user1 read-only-prometheus
-
Remove the command Policy from NetScaler.
rm system cmdPolicy read-only-prometheus
Subscription of counters for multiple time series profiles
Now, NetScaler supports creating multiple time series profiles and specifies different set of counters for each profile. Also, you can export only the counters based on your requirements.
You must create multiple schema.json
files containing the necessary counters with unique names and the .json
extension to configure multiple time series profiles. A reference schema file reference_schema.json
is available under the path /var/metrics_conf/
. You can modify the reference schema as per your requirements and use accordingly.
The configuration of the two new time series profiles is as follows:
add analytics profile ns_analytics_timeseries_profile_1 -type timeseries -schemaFile schema1.json
set analytics profile ns_analytics_timeseries_profile_1 -outputMode prometheus -serveMode PULL -metrics ENABLED
add analytics profile ns_analytics_timeseries_profile_2 -type timeseries -schemaFile schema2.json
set analytics profile ns_analytics_timeseries_profile_2 -outputMode prometheus -serveMode PULL -metrics ENABLED
In this example, schema1.json
and schema2.json
have different sets of counters.
Prometheus configuration
Configuration of a sample prometheus.yml
file is as follows:
scrape_configs:
- job_name: 'vpx2_metrics_direct'
metrics_path: /nitro/v1/config/systemfile
params:
args: ['filename:metrics_prom_ns_analytics_time_series_profile.log,filelocation:/var/nslog']
format: ['prometheus']
basic_auth:
username: 'prom_user'
password: 'user_password'
scheme: https
scrape_interval: 30s
static_configs:
- targets: ['<ADC1-ip>:<port>', '<ADC2-ip>:<port>']
<!--NeedCopy-->
Share
Share
This Preview product documentation is Cloud Software Group Confidential.
You agree to hold this documentation confidential pursuant to the terms of your Cloud Software Group Beta/Tech Preview Agreement.
The development, release and timing of any features or functionality described in the Preview documentation remains at our sole discretion and are subject to change without notice or consultation.
The documentation is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making Cloud Software Group product purchase decisions.
If you do not agree, select I DO NOT AGREE to exit.