-
Getting Started with NetScaler
-
Deploy a NetScaler VPX instance
-
Optimize NetScaler VPX performance on VMware ESX, Linux KVM, and Citrix Hypervisors
-
Apply NetScaler VPX configurations at the first boot of the NetScaler appliance in cloud
-
Configure simultaneous multithreading for NetScaler VPX on public clouds
-
Install a NetScaler VPX instance on Microsoft Hyper-V servers
-
Install a NetScaler VPX instance on Linux-KVM platform
-
Prerequisites for installing NetScaler VPX virtual appliances on Linux-KVM platform
-
Provisioning the NetScaler virtual appliance by using OpenStack
-
Provisioning the NetScaler virtual appliance by using the Virtual Machine Manager
-
Configuring NetScaler virtual appliances to use SR-IOV network interface
-
Configure a NetScaler VPX on KVM hypervisor to use Intel QAT for SSL acceleration in SR-IOV mode
-
Configuring NetScaler virtual appliances to use PCI Passthrough network interface
-
Provisioning the NetScaler virtual appliance by using the virsh Program
-
Provisioning the NetScaler virtual appliance with SR-IOV on OpenStack
-
Configuring a NetScaler VPX instance on KVM to use OVS DPDK-Based host interfaces
-
-
Deploy a NetScaler VPX instance on AWS
-
Deploy a VPX high-availability pair with elastic IP addresses across different AWS zones
-
Deploy a VPX high-availability pair with private IP addresses across different AWS zones
-
Protect AWS API Gateway using the NetScaler Web Application Firewall
-
Configure a NetScaler VPX instance to use SR-IOV network interface
-
Configure a NetScaler VPX instance to use Enhanced Networking with AWS ENA
-
Deploy a NetScaler VPX instance on Microsoft Azure
-
Network architecture for NetScaler VPX instances on Microsoft Azure
-
Configure multiple IP addresses for a NetScaler VPX standalone instance
-
Configure a high-availability setup with multiple IP addresses and NICs
-
Configure a high-availability setup with multiple IP addresses and NICs by using PowerShell commands
-
Deploy a NetScaler high-availability pair on Azure with ALB in the floating IP-disabled mode
-
Configure a NetScaler VPX instance to use Azure accelerated networking
-
Configure HA-INC nodes by using the NetScaler high availability template with Azure ILB
-
Configure a high-availability setup with Azure external and internal load balancers simultaneously
-
Configure a NetScaler VPX standalone instance on Azure VMware solution
-
Configure a NetScaler VPX high availability setup on Azure VMware solution
-
Configure address pools (IIP) for a NetScaler Gateway appliance
-
Deploy a NetScaler VPX instance on Google Cloud Platform
-
Deploy a VPX high-availability pair on Google Cloud Platform
-
Deploy a VPX high-availability pair with external static IP address on Google Cloud Platform
-
Deploy a single NIC VPX high-availability pair with private IP address on Google Cloud Platform
-
Deploy a VPX high-availability pair with private IP addresses on Google Cloud Platform
-
Install a NetScaler VPX instance on Google Cloud VMware Engine
-
-
Solutions for Telecom Service Providers
-
Load Balance Control-Plane Traffic that is based on Diameter, SIP, and SMPP Protocols
-
Provide Subscriber Load Distribution Using GSLB Across Core-Networks of a Telecom Service Provider
-
Authentication, authorization, and auditing application traffic
-
Basic components of authentication, authorization, and auditing configuration
-
Web Application Firewall protection for VPN virtual servers and authentication virtual servers
-
On-premises NetScaler Gateway as an identity provider to Citrix Cloud
-
Authentication, authorization, and auditing configuration for commonly used protocols
-
Troubleshoot authentication and authorization related issues
-
-
-
-
-
-
Configure DNS resource records
-
Configure NetScaler as a non-validating security aware stub-resolver
-
Jumbo frames support for DNS to handle responses of large sizes
-
Caching of EDNS0 client subnet data when the NetScaler appliance is in proxy mode
-
Use case - configure the automatic DNSSEC key management feature
-
Use Case - configure the automatic DNSSEC key management on GSLB deployment
-
-
-
Persistence and persistent connections
-
Advanced load balancing settings
-
Gradually stepping up the load on a new service with virtual server–level slow start
-
Protect applications on protected servers against traffic surges
-
Retrieve location details from user IP address using geolocation database
-
Use source IP address of the client when connecting to the server
-
Use client source IP address for backend communication in a v4-v6 load balancing configuration
-
Set a limit on number of requests per connection to the server
-
Configure automatic state transition based on percentage health of bound services
-
-
Use case 2: Configure rule based persistence based on a name-value pair in a TCP byte stream
-
Use case 3: Configure load balancing in direct server return mode
-
Use case 6: Configure load balancing in DSR mode for IPv6 networks by using the TOS field
-
Use case 7: Configure load balancing in DSR mode by using IP Over IP
-
Use case 10: Load balancing of intrusion detection system servers
-
Use case 11: Isolating network traffic using listen policies
-
Use case 12: Configure Citrix Virtual Desktops for load balancing
-
Use case 13: Configure Citrix Virtual Apps and Desktops for load balancing
-
Use case 14: ShareFile wizard for load balancing Citrix ShareFile
-
Use case 15: Configure layer 4 load balancing on the NetScaler appliance
-
-
-
Export transaction logs directly from NetScaler to Splunk
-
Export audit logs and events directly from NetScaler to Splunk
-
-
-
-
Authentication and authorization for System Users
-
-
-
Configuring a CloudBridge Connector Tunnel between two Datacenters
-
Configuring CloudBridge Connector between Datacenter and AWS Cloud
-
Configuring a CloudBridge Connector Tunnel Between a Datacenter and Azure Cloud
-
Configuring CloudBridge Connector Tunnel between Datacenter and SoftLayer Enterprise Cloud
-
Configuring a CloudBridge Connector Tunnel Between a NetScaler Appliance and Cisco IOS Device
-
CloudBridge Connector Tunnel Diagnostics and Troubleshooting
This content has been machine translated dynamically.
Dieser Inhalt ist eine maschinelle Übersetzung, die dynamisch erstellt wurde. (Haftungsausschluss)
Cet article a été traduit automatiquement de manière dynamique. (Clause de non responsabilité)
Este artículo lo ha traducido una máquina de forma dinámica. (Aviso legal)
此内容已经过机器动态翻译。 放弃
このコンテンツは動的に機械翻訳されています。免責事項
이 콘텐츠는 동적으로 기계 번역되었습니다. 책임 부인
Este texto foi traduzido automaticamente. (Aviso legal)
Questo contenuto è stato tradotto dinamicamente con traduzione automatica.(Esclusione di responsabilità))
This article has been machine translated.
Dieser Artikel wurde maschinell übersetzt. (Haftungsausschluss)
Ce article a été traduit automatiquement. (Clause de non responsabilité)
Este artículo ha sido traducido automáticamente. (Aviso legal)
この記事は機械翻訳されています.免責事項
이 기사는 기계 번역되었습니다.책임 부인
Este artigo foi traduzido automaticamente.(Aviso legal)
这篇文章已经过机器翻译.放弃
Questo articolo è stato tradotto automaticamente.(Esclusione di responsabilità))
Translation failed!
Export transaction logs directly from NetScaler to Splunk
You can now export transaction logs from NetScaler to industry-standard log aggregator platforms such as Splunk. The transaction log is the record of application traffic flow events on the NetScaler such as HTTP requests and responses, connection start and end. For more information on transaction logs, see AppFlow.
You can export transaction logs in JSON format for different insights such as Web Insight, security, gateway, HDX insights. To export transaction logs to Splunk, you must configure Splunk as an HTTP server and use the HTTP event collector to send transaction logs over HTTP (or HTTPS) directly to the Splunk platform from your NetScaler. Using the visualization tools at Splunk, you can get meaningful insights about the exported data.
Note:
The IP addresses that are exported as part of the transaction logs appear in the decimal format instead of the standard format. For example, if your NetScaler IP address is 10.102.154.153, the same in the transaction logs on Splunk is displayed as 174496409. You can use the inbuilt expressions available on Splunk to convert the IP address from decimal format to standard format.
Export transaction logs from NetScaler to Splunk configured as an HTTP server
To configure the export of transaction logs you must perform the following steps:
- Configure an HTTP event collector on Splunk.
- Create a collector service and an analytics profile on NetScaler.
Configure an HTTP event collector on Splunk
You can forward transaction logs to Splunk by configuring an HTTP event collector. Configuring the HTTP event collector involves creating an authentication token and associating an event index with the token where events are sent, and setting the HTTP port number. For information on how to configure the HTTP event collector, see the Splunk documentation.
Once you have configured the HTTP event collector, copy the authentication token and save it for reference. You need to specify this token while configuring the analytics profile on NetScaler.
Configure analytics profile on NetScaler
Do the following to export NetScaler transaction logs to Splunk.
-
Create a collector service for Splunk.
add service <collector> <splunk-server-ip-address> <protocol> <port>
Example:
add service splunk_service 10.102.34.155 HTTP 8088
In this configuration:
- ip-address: Splunk server IP address.
- collector-name: Name of the collector.
- protocol: Specify the protocol as HTTP or SSL.
- port: Port number.
-
Create an analytics profile.
add analytics profile `profile-name` -type <insight> -collectors `collector-name` -analyticsAuthToken `<auth-scheme> <authorization-parameters>` -analyticsEndpointContentType `application/json` -analyticsEndpointUrl `endpoint-url` -httpCustomHeaders <space-separated-header-names>
Example:
add analytics profile transaction-log-profile -type webinsight -collectors splunk_collector -analyticsAuthToken "Splunk 1234-5678-12345" -analyticsEndpointContentType "application/json" -analyticsEndpointUrl "/services/collector/event" -httpCustomHeaders “X-Client-IP” “X-forwarded-for” “custom-field”
Note:
The
-allHttpHeaders
option is supported for Splunk transaction log export in NetScaler 14.1-25.x and later.add analytics profile <profile-name> -type webinsight -allHttpHeaders
set analytics profile <profile-name> -type webinsight -allHttpHeaders
In this configuration:
- insight: Types of insights that you can export The following options are available:
botinsight
CIinsight
Gatewayinsight
hdxinsight
lsninsight
securityinsight
tcpinsight
udpinsight
videoinsight
webinsight
-
-analyticsAuthToke auth-scheme authorization-parameters: Specify the authentication token to be included in the authorization header with the auth-scheme “Splunk” while sending logs to Splunk. This token is the authentication token created on the Splunk server while configuring the HTTP event collector.
-
analyticsEndpointContentType: Specifies the Content-Type header. If no value is configured, then the Content-Type header is sent as
application/json
. If a value is configured, then the configured value is sent. -
analyticsEndpointUrl: The path to HEC on Splunk (/services/collector/event or /services/collector).
NOTE:
You can modify the analytics profile parameters using the
set analytics profile
command. -
dataFormatFile: The file that defines the data to be exported in the transaction log and the required format. Each endpoint expects the JSON payload to be encoded in a specific format. For Splunk, this format is specified in the
splunk_format.txt
file located in/var/analytics_conf
directory. You can refer to this file to create a custom data format file for your use case. If no custom format is specified, thesplunk_format.txt
file is used by default. -
-httpCustomHeaders
: The-httpCustomHeaders
parameter allows you to include customer headers with transaction records while exporting transaction logs from NetScaler to Splunk.NOTE:
-
A maximum of 8 custom headers can be configured.
-
Headers containing sensitive information can be configured at the discretion of the administrator.
-
- insight: Types of insights that you can export The following options are available:
-
Verify the analytics profile configuration using the show analytics profile command.
> sh analytics profile ns_analytics_default_http_profile 1) Name: ns_analytics_default_http_profile Collector: splunk Profile-type: webinsight Page Tracking: DISABLED Client Side Measurements: DISABLED URL Logging: ENABLED Host Header Logging: ENABLED Method Logging: ENABLED Cookie Header Logging: DISABLED Referer Header Logging: DISABLED User Agent Logging: DISABLED Content Type Logging: DISABLED Authorization Header Logging: DISABLED Via Header Logging: DISABLED Location Header Logging: DISABLED URL Category Logging: DISABLED Log All HTTP Headers: DISABLED X-Forwarded-For Header Logging: DISABLED Set-Cookie Header Logging: DISABLED Set-Cookie2 Header Logging: DISABLED Domain Name Logging: DISABLED URL-Query Logging: DISABLED Integrated Cache Logging: DISABLED gRPC Status Logging: DISABLED API Spec Info Export Logging: DISABLED Authentication Token: Endpoint URL: /services/collector/event Endpoint Content-type: text/json Reference Count: 1 Managementlog: NONE
-
Bind the analytics profile to the virtual server.
bind lb vserver <vserver-name> -analyticsProfile transaction-log-profile
Example:
bind lb vserver sample-virtualserver -analyticsProfile transaction-log-profile
After the configuration is successful, based on traffic, transactions will be logged and exported to HEC on Splunk.
Field-based filtering of data records
By default, NetScaler exports hundreds of fields in the transaction log even when the endpoints do not require all of the exported data. Also, each endpoint expects the JSON payload to be encoded in a specific format such as the start and end of a data record, the delimiter between data records, and buffer start and end.
Splunk expects the JSON payload coming from NetScaler to be encoded in the following format:
- Buffer start and end: No value required for
BUFFER-START
andBUFFER-END
. -
Data record start and end: The data record must start with
{"event":{
and end with}}
. All the fields that get exported must be betweenDATA-START
andDATA-END
.The data records must start with the following:
RECORD-START {"event":{ DATA_START
The data records must end with the following:
DATA-END }} RECORD-END
- Delimiter between data records: No delimiter required.
By default, splunk_format.txt
is available at var/analytics_conf
folder that contains the JSON payload format that Splunk expects and also contains a few default fields for which the data gets exported.
The following is a sample data format file for Splunk:
BUFFER-START
RECORD-START
{"event":{
DATA-START
153 observationPointId
547 nsPartitionId
154 exportingProcessId
159 transactionId
801 httpReqUrl
685 httpReqMethod
683 httpReqHost
472 svrDstIpv4Address
579 srvSrcPort
580 srvDstPort
13 backendSvrIpv6Address
473 cltIpv4Address
474 cltDstIpv4Address
577 cltSrcPort
578 cltDstPort
14 transCltIpv6Address
15 transCltDstIpv6Address
DATA-END
}}
RECORD-END
RECORD-DELIMITER
RECORD-DELIMITER-END
BUFFER-END
The JSON_fields.txt
file under var/analytics_conf
is a reference master file that contains the complete list of fields along with their identification numbers. The fields in the master file are categorized based on the insights. For example, if you want to know the fields associated with HDX insight, you can look at the HDX insights category of JSON_fields.txt
file.
You can create a customized data format file based on your requirement by referring to splunk_format.txt
. For example, you can create my_splunk_format.txt
. If your requirement is to export HDX insights, you can look at the HDX insights category in JSON_fields.txt
file and add the required fields in your my_splunk_format.txt
file. Similarly, you can delete any fields associated with the data that you do not want to export.
Note:
Do not update the default
splunk_format.txt
file; instead, use it as a reference. If you update the defaultsplunk_format.txt
, then the contents of the file is overwritten upon upgrade.
After customizing the data format file, run the following command to update the analytics profile:
update analytics profile <profile-name> -dataFormatFile <data-format-file-name>
Example:
update analytics profile ns_analytics_default_http_profile -dataFormatFile my_splunk_format.txt
You can also specify the value of the data format file using the GUI. Navigate to System > AppFlow > Analytics Profiles and click Add. On the Create Analytics Profile page, if you select one of the following options for Type, then the Data Format File field appears where you can specify the file name:
- GLOBAL
- WEB INSIGHT
- TCP INSIGHT
- SECURITY INSIGHT
- VIDEO INSIGHT
- HDX INSIGHT
- GATEWAY INSIGHT
- LSN INSIGHT
- BOT INSIGHT
- TIME SERIES
Sample outputs
This section contains sample outputs for different transaction logs.
HTTP transaction log sample output
The following is a sample output for the HTTP transaction log.
{
appName: VS1
clientMss: 1460
clntFastRetxCount: 0
clntTcpJitter: 0
cintTcpPacketsRetransmited: 0
clntTcpRtoCount: 0
clntTcpZeroWindowCount: 0
cltDstIpv4Address: 174496411
cltIpv4Address: 174496407
connEndTimestamp: 0
connStartTimestamp: 7329468222993076980
exportingProcessId: 0
httpReqHost: 10.102.154.155
httpReqMethod: GET
httpReqUrl: /big.html
httpRspLen: 114380
httpRspStatus: 200
mainPageCoreId: 0
mainPageId: 0
nsPartitionId: 0
observationPointId: 174496409
originRspLen: 0
srvrIcpPacketsRetransmited: 0
srvrTcpZeroWindowCount: 0
svrDstIpv4Address: 174496415
svrIpv4Address: 174496408
tepSrvrConnRstCode: 0
transClntRTT: 0
transCltDstPort: 20480
transCltFlowEndUsecRx: 7329468222993084980
transCltFlowEndUsecTx: 7329468222993084980
transCltFlowStartUsecRx: 7329468222993076980
transCltFlowStartUsecTx: 7329468222993077984
transCltSrcPort: 60315
transCltTotRx0ctCnt: 1766
transCltTotTx0ctCnt: 117580
transSrvDstPort: 36895
transSrvSrcPort: 15213
transSrvrRTT: 0
transSvrFlowEndUsecRx: 7329468222993084980
transSvrFlowEndUsecTx: 7329468222993084980
transSvrFlowStartUsecRx: 7329468222993077984
transSvrFlowStartUsecTx: 0
transSvrTotRx0ctCnt: 117580
transSvrTotTx0ctCnt: 1766
transactionId: 4890
}
TCP transaction log sample output
The following is a sample output for TCP transaction log.
{
appName: vs1
clientConnEndTimestamp: 7333165210582386064
clientConnStartTimestamp: 7333165210582386054
clientMss: 1460
clntFastRetxCount: 0
clntTcpJitter: 0
clntTcpPacketsRetransmited: 0
clntTcpRtoCount: 0
clntTcpZeroWindowCount: 0
cltDstIpv4Address: 174496411
cltDstPort: 20480
cltIpv4Address: 174496407
cltSrcPort: 42939
connectionChainHopCount: 0
exportingProcessId: 0
nsPartitionId: 0
observationPointId: 174496409
serverConnEndTimestamp: 7333165201992708470
serverConnStartTimestamp: 7333165201992708459
srvDstPort: 36895
srvSrcPort: 51973
srvrTcpPacketsRetransmited: 0
srvrTcpZeroWindowCount: 0
svrDstIpv4Address: 174496415
svrIpv4Address: 174496408
tcpClntConnRstCode: 0
tcpSrvrConnRstCode: 0
transClntRTT: 0
transCltTotRxOctCnt: 208
transCltTotTxOctCnt: 331
transSrvrRTT: 0
transSvrTotRxOctCnt: 331
transSvrTotTxOctCnt: 208
transactionId: 330
vlanNumber: 1
}
SSL transaction log sample output
The following is a sample output for SSL transaction log.
{
appName: sslvs
clientConnEndTimestamp: 0
clientConnStartTimestamp: 7333182669624439854
clientMss: 1460
clntFastRetxCount: 0
clntTcpJitter: 0
clntTcpPacketsRetransmited: 0
clntTcpRtoCount: 0
clntTcpZeroWindowCount: 0
cltDstIpv4Address: 174496411
cltDstPort: 47873
cltIpv4Address: 174496407
cltSrcPort: 17499
connectionChainHopCount: 0
exportingProcessId: 0
httpContentType: text/html
httpReqHost: 10.102.154.155
httpReqMethod: GET
httpReqUrl: /index.html
httpReqUserAgent: curl/7.69.1
httpRspLen: 291
httpRspStatus: 200
nsPartitionId: 0
observationPointId: 174496409
originRspLen: 0
serverConnEndTimestamp: 0
serverConnStartTimestamp: 7333182665330184556
srvDstPort: 36895
srvSrcPort: 34802
srvrTcpPacketsRetransmited: 0
srvrTcpZeroWindowCount: 0
sslCipherValueBE: 0
sslCipherValueFE: 50331701
sslClientCertSizeBE: 0
sslClientCertSizeFE: 0
sslClntCertSigHashBE: 0
sslClntCertSigHashFE: 0
sslFLagsBE: 0
sslFLagsFE: 1096
sslServerCertSizeBE: 0
sslServerCertSizeFE: 4096
sslSessionIDBE: 0
sslSessionIDFE: 2433458443
sslSigHashAlgBE: 0
sslSigHashAlgFE: 0
sslSrvrCertSigHashBE: 0
sslSrvrCertSigHashFE: 668
svrDstIpv4Address: 174496415
svrIpv4Address: 174496408
tcpClntConnRstCode: 0
tcpSrvrConnRstCode: 0
transClntRTT: 0
transCltFlowEndUsecRx: 7333182669624447854
transCltFlowEndUsecTx: 7333182669624446854
transCltFlowStartUsecRx: 7333182669624439854
transCltFlowStartUsecTx: 7333182669624439854
transCltTotRxOctCnt: 1501
transCltTotTxOctCnt: 2223
transSrvrRTT: 0
transSvrFlowEndUsecRx: 7333182669624446854
transSvrFlowEndUsecTx: 7333182669624446854
transSvrFlowStartUsecRx: 7333182669624446854
transSvrFlowStartUsecTx: 0
transSvrTotRxOctCnt: 331
transSvrTotTxOctCnt: 168
transactionId: 2640
vlanNumber: 1
}
Web Insight transaction log sample output
The following is a sample output for Web Insight transaction log.
{
appName: vs1
clientConnEndTimestamp: 0
clientConnStartTimestamp: 7333336201820249485
clientMss: 1460
clntFastRetxCount: 0
clntTcpJitter: 0
clntTcpPacketsRetransmited: 0
clntTcpRtoCount: 0
clntTcpZeroWindowCount: 0
cltDstIpv4Address: 174496411
cltDstPort: 20480
cltIpv4Address: 174758625
cltSrcPort: 46824
connectionChainHopCount: 0
exportingProcessId: 0
httpContentType: text/html
httpReqHost: 10.102.154.155
httpReqMethod: GET
httpReqUrl: /
httpRspLen: 291
httpRspStatus: 200
nsPartitionId: 0
observationPointId: 174496409
originRspLen: 0
serverConnEndTimestamp: 0
serverConnStartTimestamp: 7333336201820250487
srvDstPort: 36895
srvSrcPort: 6465
srvrTcpPacketsRetransmited: 0
srvrTcpZeroWindowCount: 0
svrDstIpv4Address: 174496415
svrIpv4Address: 174496408
tcpClntConnRstCode: 0
tcpSrvrConnRstCode: 0
transClntRTT: 0
transCltFlowEndUsecRx: 7333336201820251488
transCltFlowEndUsecTx: 7333336201820251488
transCltFlowStartUsecRx: 7333336201820249485
transCltFlowStartUsecTx: 7333336201820250487
transCltTotRxOctCnt: 190
transCltTotTxOctCnt: 371
transSrvrRTT: 0
transSvrFlowEndUsecRx: 7333336201820251488
transSvrFlowEndUsecTx: 7333336201820250487
transSvrFlowStartUsecRx: 7333336201820250487
transSvrFlowStartUsecTx: 7333336201820250487
transSvrTotRxOctCnt: 371
transSvrTotTxOctCnt: 202
transactionId: 11218
vlanNumber: 1
}
Sample dashboards for transaction logs
The following dashboards available on Splunk provide the data related to transaction logs:
- NetScaler HTTP Insight Dashboard
- NetScaler SSL Insight Dashboard
- NetScaler TCP Insight Dashboard
For more information, see Sample dashboards on Splunk.
Share
Share
This Preview product documentation is Cloud Software Group Confidential.
You agree to hold this documentation confidential pursuant to the terms of your Cloud Software Group Beta/Tech Preview Agreement.
The development, release and timing of any features or functionality described in the Preview documentation remains at our sole discretion and are subject to change without notice or consultation.
The documentation is for informational purposes only and is not a commitment, promise or legal obligation to deliver any material, code or functionality and should not be relied upon in making Cloud Software Group product purchase decisions.
If you do not agree, select I DO NOT AGREE to exit.