Audit logging


Citrix recommends you to update a SYSLOG or NSLOG configuration only during maintenance or downtime. If you update a configuration after creating a session, the changes are not applied to the existing session logs.

Auditing is a methodical examination or review of a condition or situation. The audit logging feature enables you to log the Citrix ADC states and status information collected by various modules. The log information can be in the kernel and in the user-level daemons. For audit logging, you can use the SYSLOG protocol, the native NSLOG protocol, or both.

SYSLOG is a standard protocol for logging. It has two components:

  • SYSLOG auditing module. Runs on the Citrix ADC appliance.
  • SYSLOG server. Runs on the underlying FreeBSD operating system (OS) of the Citrix ADC appliance or on a remote system.

SYSLOG uses a user data protocol (UDP) for data transfer.

Similarly, the native NSLOG protocol has two components:

  • NSLOG auditing module. Runs on the Citrix ADC appliance.
  • NSLOG server. Runs on the underlying FreeBSD OS of the Citrix ADC appliance or on a remote system.

NSLOG uses TCP for data transfer.

When you run a SYSLOG or NSLOG server, it connects to the Citrix ADC appliance. The Citrix ADC appliance then starts sending all the log information to the SYSLOG or NSLOG server. And the server filters the log entries before storing them in a log file. An NSLOG or SYSLOG server receives log information from more than one Citrix ADC appliance. The Citrix ADC appliance sends log information to more than one SYSLOG server or NSLOG server.

If multiple SYSLOG servers are configured, the Citrix ADC appliance sends its SYSLOG events and messages to all the configured external log servers. It results in storing redundant messages and makes monitoring difficult for system administrators. To address this issue, the Citrix ADC appliance offers load balancing algorithms. The appliance can load balance the SYSLOG messages among the external log servers for better maintenance and performance. The supported load balancing algorithms include RoundRobin, LeastBandwidth, CustomLoad, LeastPackets, and AuditlogHash.


The Citrix ADC appliance can send audit log messages up to 16 KB to an external SYSLOG server.

The log information that a SYSLOG or NSLOG server collects from a Citrix ADC appliance is stored in a log file in the form of messages. These messages typically contain the following information:

  • The IP address of a Citrix ADC appliance that generated the log message.
  • A time stamp
  • The message type
  • The predefined log levels (Critical, Error, Notice, Warning, Informational, Debug, Alert, and Emergency)
  • The message information

To configure audit logging, you first configure the audit modules on the Citrix ADC appliance. The appliance involves creating audit policies and specifying the NSLOG server or SYSLOG server information. You then install and configure the SYSLOG or the NSLOG server on the underlying FreeBSD OS of the Citrix ADC appliance or on a remote system.


SYSLOG is an industry standard for logging program messages, and various vendors provide support. The documentation does not include SYSLOG server configuration information.

The NSLOG server has its own configuration file (auditlog.conf). You can customize logging on the NSLOG server system by making extra modifications to the configuration file (auditlog.conf).


ICMP access to Syslog server is mandatory if syslog server is used as FQDN under Syslog Action in the network. If ICMP access is blocked in the environment, configure it as load balanced Syslog server and set the value of the healthMonitor parameter in the set service command to NO. For configuring ICMP, see Load balancing SYSLOG servers

Audit logging