ADC

Export audit logs and events directly from NetScaler to Splunk

Audit logging enables you to log the NetScaler states and status information collected by various modules in NetScaler. By reviewing the logs, you can troubleshoot problems or errors and fix them.

You can now export audit logs and events from NetScaler to industry standard log aggregator platforms such as Splunk and get meaningful insights.

There are multiple ways to export audit logs from NetScaler to Splunk. You can either configure Splunk as a syslog server or as an HTTP server. This topic provides information on configuring Splunk as an HTTP server using the Splunk HTTP event collector. Using the HTTP event collector you can send audit logs over HTTP (or HTTPS) directly to the Splunk platform from your NetScaler.

Configure exporting audit logs from NetScaler to Splunk

To configure the export of audit logs you must perform the following steps:

  1. Configure the HTTP event collector on Splunk.
  2. Create a collector service and time series analytics profile on NetScaler.

Configure HTTP event collector on Splunk

You can forward audit logs to Splunk by configuring an HTTP event collector. Configuring the HTTP event collector involves creating an authentication token and associating an event index with the token where events are sent, and setting the HTTP port number.

See the Splunk documentation for information on how to configure the HTTP event collector.

Once you have configured the HTTP event collector, copy the authentication token and save it for reference. You need to specify this token while configuring the analytics profile on NetScaler.

Configure time series analytics profile on NetScaler

Do the following to export NetScaler audit logs to Splunk.

  1. Create a collector service for Splunk.

    add service <service-name> <splunk-server-ip-address> <protocol> <port>
    

    Example:

    add service splunk_service 10.102.34.155 HTTP 8088
    

    In this configuration:

    • ip-address: Specify the Splunk server IP address.
    • service-name: Specify a name for the collector service.
    • protocol: Specify the protocol as HTTP or HTTPS
    • port: Specify the port number.
  2. Create a time series analytics profile.

        add analytics profile <profile-name> -type timeseries -auditlogs enabled -collectors <collector-name> -analyticsAuthToken <"auth-token">
        -analyticsEndpointContentType <"application/json"> -analyticsEndpointMetadata <"meta-data-for-endpoint:"> -analyticsEndpointUrl <"endpoint-url">
    

    Example:

        add analytics profile audit_profile -type timeseries -auditlogs enabled -collectors splunk_service -analyticsAuthToken "Splunk 1234-5678-12345" -analyticsEndpointContentType "application/json" -analyticsEndpointMetadata "{\"event\":[" -analyticsEndpointUrl "/services/collector/event"
    

    In this configuration:

    • auditlogs: Specify the value as enabled to enable audit logging.
    • collectors: Specify the collector service created for Splunk. For example, “splunk_service” is the collector service created in step 1.
    • analyticsAuthToken: Specify the authentication token to be included in the authorization header while sending logs to Splunk. This token is the authentication token created on the Splunk server while configuring the HTTP event collector. The authentication token must be in the format “Splunk <token-copied-from-splunk>”. For example, “Splunk 3e52aa4b-1db7-45b2-9af9-173eedc8e1bc”.

    • analyticsEndpointContentType: Specify the format of the logs.
    • analyticsEndpointMetadata: Specify the meta data that Splunk expects at the start of the data, which is "{\"event\":[".

    • analyticsEndpointUrl: Specify the URL to which you have configured Splunk HEC to get requests to. For example, “/services/collector/event”.

    Note:

    You can modify the time series analytics profile parameters using the set analytics profile command.

  3. Verify the analytics profile configuration using the show analytics profile command.

    # show analytics profile audit_profile
    
    1)    Name: audit_profile
          Collector: splunk
          Profile-type: timeseries
                Output Mode: avro
                Metrics: DISABLED
                  Schema File: schema.json
                  Metrics Export Frequency: 30
                Events: DISABLED
                Auditlog: ENABLED
                Serve mode: Push
           Authentication Token: <auth-token>
           Endpoint URL: /services/collector/event
           Endpoint Content-type: application/json
           Endpoint Metadata: {"event":[
           Reference Count: 0
    

Once the configuration is successful, the audit logs are sent as HTTP payloads to Splunk and you can view it on the Splunk application user interface.

Configure exporting events from NetScaler to Splunk

To configure the export of events from NetScaler to Splunk, you must perform the following steps:

  1. Configure the HTTP event collector on Splunk following the steps in Configure HTTP event collector on Splunk.

  2. Create a collector service on NetScaler by using the following command.

    add service <collector> <splunk-server-ip-address> <protocol> <port>
    

    Example:

    add service splunk_service 10.102.34.155 HTTP 8088
    

    In this configuration:

    • ip-address: Specify the Splunk server IP address.
    • collector-name: Specify the collector.
    • protocol: Specify the protocol as HTTP or HTTPS.
    • port: Specify the port number.
  3. Create a time series analytics profile on NetScaler using the add analytics profile command. You must specify the -events enabled option while creating the analytics profile to enable the export events.

    Example:

    add analytics profile event_profile -type timeseries -events enabled -collectors splunk -analyticsAuthToken "Splunk 1234-5678-12345" -analyticsEndpointContentType "application/json" -analyticsEndpointMetadata "{\"event\":[" -analyticsEndpointUrl "/services/collector/event"
    
  4. Verify the analytics profile configuration using the show analytics profile command.

    # show analytics profile event_profile
    
    1)    Name: event_profile
          Collector: splunk
          Profile-type: timeseries
                Output Mode: avro
                Metrics: DISABLED
                  Schema File: schema.json
                  Metrics Export Frequency: 30
                Events: ENABLED
                Auditlog: DISABLED
                Serve mode: Push
           Authentication Token: <auth-token>
           Endpoint URL: /services/collector/event
           Endpoint Content-type: application/json
           Endpoint Metadata: {"event":[
           Reference Count: 0
    
Export audit logs and events directly from NetScaler to Splunk