Auditing policies
Auditing policies determine the messages generated and logged during a Web App Firewall session. The messages are logged in SYSLOG format to the local NSLOG server or to an external logging server. Different types of messages are logged based on the level of logging selected.
To create an auditing policy, you must first create either an NSLOG server or a SYSLOG server. You then create the policy and specify the log type and the server to which logs are sent.
To create an auditing server by using the command line interface
You can create two different types of auditing server: an NSLOG server or a SYSLOG server. The command names are different, but the parameters for the commands are the same.
To create an auditing server, at the command prompt, type the following commands:
add audit syslogAction <name> <serverIP> [-serverPort <port>] -logLevel <logLevel> ... [-dateFormat ( MMDDYYYY | DDMMYYYY )] [-logFacility <logFacility>] [-tcp ( NONE | ALL )] [-acl ( ENABLED | DISABLED )] [-timeZone ( GMT_TIME | LOCAL_TIME )] [-userDefinedAuditlog ( YES | NO )] [-appflowExport ( ENABLED | DISABLED )]
save ns config
Example
The following example creates a syslog server named syslog1 at IP 10.124.67.91, with log levels of emergency, critical, and warning, log facility set to LOCAL1, that logs all TCP connections:
add audit syslogAction syslog1 10.124.67.91 -logLevel emergency critical warning -logFacility LOCAL1 -tcp ALL
save ns config
To modify or remove an auditing server by using the command line interface
- To modify an auditing server, type the set audit <type> command, the name of the auditing server, and the parameters to be changed, with their new values.
- To remove an auditing server, type the rm audit <type> command and the name of the auditing server.
Example
The following example modifies the syslog server named syslog1 to add errors and alerts to the log level:
set audit syslogAction syslog1 -logLevel emergency critical warning alert error -logFacility LOCAL1 -tcp ALL
save ns config
To create or configure an auditing server by using the GUI
- Navigate to Security > NetScaler Web App Firewall > Policies > Auditing > Nslog.
- In the Nslog Auditing page, click the Servers tab.
- Do one of the following:
  - To add a new auditing server, click Add.
  - To modify an existing auditing server, select the server, and then click Edit.
- In the Create Auditing Server page, set the following parameters:
  - Name
  - Server Type
  - IP Address
  - Port
  - Log Levels
  - Log Facility
  - Date Format
  - Time Zone
  - TCP Logging
  - ACL Logging
  - User Configurable Log Messages
  - AppFlow Logging
  - Large Scale NAT Logging
  - ALG messages logging
  - Subscriber logging
  - SSL Interception
  - URL Filtering
  - Content Inspection Logging
- Click Create and Close.
To create an auditing policy by using the command line interface
You can create an NSLOG policy or a SYSLOG policy. The type of policy must match the type of server. The command names for the two types of policy are different, but the parameters for the commands are the same.
At the command prompt, type the following commands:
add audit syslogPolicy <name> <rule> <action>
save ns config
Example
The following example creates a policy named syslogP1 that logs Web App Firewall traffic to a syslog server named syslog1.
add audit syslogPolicy syslogP1 "ns_true" syslog1
save ns config
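The requirement above that the policy type match the server type can be checked offline against a saved configuration. The following Python script is an added example, not part of the product or its documentation; it assumes the positional form add audit <type>Policy <name> <rule> <action>, and the sample configuration (including the names nslog1, syslogP2, nslogP1, and missing1) is constructed for illustration.

```python
import re
import shlex

# Constructed sample configuration (not taken from a real appliance).
SAMPLE_CONFIG = """\
add audit syslogAction syslog1 10.124.67.91 -logLevel EMERGENCY CRITICAL WARNING -logFacility LOCAL1 -tcp ALL
add audit nslogAction nslog1 10.124.67.92 -logLevel ALL
add audit syslogPolicy syslogP1 ns_true syslog1
add audit syslogPolicy syslogP2 ns_true nslog1
add audit nslogPolicy nslogP1 ns_true missing1
"""

# Matches the four "add audit" commands for auditing servers and policies.
LINE = re.compile(r"^add audit (syslog|nslog)(Action|Policy)\s+(.*)$", re.IGNORECASE)


def check_audit_config(text):
    """Return (policy_name, problem) pairs for mismatched or dangling policies."""
    servers = {}   # server name -> "syslog" or "nslog"
    policies = []  # (policy type, policy name, referenced server name)
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        kind, obj = m.group(1).lower(), m.group(2).lower()
        args = shlex.split(m.group(3))  # honours quoted rule expressions
        if obj == "action" and args:
            servers[args[0]] = kind
        elif obj == "policy" and len(args) >= 3:
            # Assumed positional order: <name> <rule> <action>
            policies.append((kind, args[0], args[2]))
    findings = []
    for kind, name, action in policies:
        if action not in servers:
            findings.append((name, f"references undefined server '{action}'"))
        elif servers[action] != kind:
            findings.append((name, f"{kind} policy bound to {servers[action]} server '{action}'"))
    return findings


if __name__ == "__main__":
    for name, problem in check_audit_config(SAMPLE_CONFIG):
        print(f"{name}: {problem}")
```

A policy flagged by this check would not deliver Web App Firewall messages to the intended log server, so an empty result is the expected state.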
To configure an auditing policy by using the command line interface
At the command prompt, type the following commands:
set audit syslogPolicy <name> [-rule <expression>] [-action <string>]
save ns config
Example
The following example modifies the policy named syslogP1 to log Web App Firewall traffic to a syslog server named syslog2.
set audit syslogPolicy syslogP1 -rule "ns_true" -action syslog2
save ns config
To configure an auditing policy by using the GUI
- Navigate to Security > NetScaler Web App Firewall > Policies.
- In the details pane, click Audit Nslog Policy.
- In the Nslog Auditing page, click the Policies tab and do one of the following:
  - To add a new policy, click Add.
  - To modify an existing policy, select the policy, and then click Edit.
- In the Create Auditing Nslog Policy page, set the following parameters:
  - Name
  - Auditing Type
  - Expression Type
  - Server
- Click Create.