Selective SSL logging

In a large deployment with thousands of virtual servers, all SSL-related information is logged to ns.log. Previously, isolating client authentication and SSL handshake successes and failures for a few critical virtual servers was difficult: the infrastructure offered no control to filter the logs, so you had to search the entire log, which was time-consuming and error-prone. Now you can log SSL-related information for a specific virtual server or for a group of virtual servers in ns.log. This information is especially helpful when debugging failures.

With the DEBUG setting, all SSL-related information is logged in ns.log. When you also configure an SSL log profile, only information related to client authentication and the SSL handshake is logged for the virtual servers that use the profile. To log this information, perform the following steps:

  1. Set the syslog log level to DEBUG.
  2. Configure an SSL log profile. For client authentication and for the SSL handshake, enable logging of either successes and failures, or failures only. All four parameters take effect when you attach the SSL log profile to an SSL profile. Only the two client authentication parameters take effect when you attach the SSL log profile to an SSL action.
  3. Attach the SSL log profile to an SSL profile or to an SSL action.

See sample ns.log output for successful client authentication at the end of this page.

Set DEBUG level

Set the syslog log level to DEBUG. At the command prompt, type:

set audit syslogParams -logLevel DEBUG

When the log level is DEBUG, SSL logs for both the front end (virtual servers) and the back end (services and service groups) are included. However, selective SSL logging offers control only over the front end. Note that the DEBUG level applies to all syslog messages, not only to SSL events, so expect ns.log to grow considerably faster.

SSL log profile

An SSL log profile provides control over logging the following events for a virtual server or a group of virtual servers:

  • Client authentication success and failures, or failures only.

  • SSL handshake success and failures, or failures only.

By default, all the parameters are disabled.

An SSL log profile can be set on an SSL profile, or on an SSL action. If set to an SSL profile, you can log both client authentication and SSL handshake success and failure information. If set to an SSL action, you can only log client authentication success and failure information because the handshake is complete before the policy is evaluated.

Client authentication and SSL handshake success and failures are logged even if you do not configure an SSL log profile. However, selective logging is possible only if an SSL log profile is used.

Note:

SSL log profile is supported in high availability and cluster setups.

Add an SSL log profile by using the CLI

At the command prompt, type:

add ssl logprofile <name> [-sslLogClAuth ( ENABLED | DISABLED )] [-ssllogClAuthFailures ( ENABLED | DISABLED )] [-sslLogHS ( ENABLED | DISABLED )] [-sslLogHSfailures ( ENABLED | DISABLED )]
<!--NeedCopy-->

Parameters:

Name:

Name for the SSL log profile. Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the profile is created.

Name is a mandatory argument. Maximum Length: 127

sslLogClAuth:

Log all client authentication events. Includes both success and failure events.

Possible values: ENABLED, DISABLED

Default value: DISABLED

ssllogClAuthFailures:

Log all client authentication failure events.

Possible values: ENABLED, DISABLED

Default value: DISABLED

sslLogHS:

Log all SSL handshake related events. Includes both success and failure events.

Possible values: ENABLED, DISABLED

Default value: DISABLED

sslLogHSfailures:

Log all SSL handshake related failure events.

Possible values: ENABLED, DISABLED

Default value: DISABLED

Example:

> add ssl logprofile ssllog10 -sslLogClAuth ENABLED -sslLogHS ENABLED
 Done

> sh ssllogprofile ssllog10
1)      Name: ssllog10
        SSL log ClientAuth [Success/Failures] : ENABLED
        SSL log ClientAuth [Failures] : DISABLED
        SSL log Handshake [Success/Failures] : ENABLED
        SSL log Handshake [Failures] : DISABLED
 Done
<!--NeedCopy-->

Add an SSL log profile by using the GUI

Navigate to System > Profiles > SSL Log Profile and add a profile.

Modify an SSL log profile by using the CLI

At the command prompt type:

set ssl logprofile <name> [-sslLogClAuth ( ENABLED | DISABLED )][-ssllogClAuthFailures ( ENABLED | DISABLED )] [-sslLogHS ( ENABLED | DISABLED )] [-sslLogHSfailures ( ENABLED | DISABLED )]
<!--NeedCopy-->

Example:

> set ssllogprofile ssllog10 -ssllogClAuth en -ssllogClAuthFailures en -ssllogHS en -ssllogHSfailures en
 Done

> sh ssllogprofile ssllog10
1)      Name: ssllog10
        SSL log ClientAuth [Success/Failures] : ENABLED
        SSL log ClientAuth [Failures] : ENABLED
        SSL log Handshake [Success/Failures] : ENABLED
        SSL log Handshake [Failures] : ENABLED
 Done
<!--NeedCopy-->

Modify an SSL log profile by using the GUI

  1. Navigate to System > Profiles > SSL Log Profile, select a profile, and click Edit.
  2. Make changes and click OK.

View all the SSL log profiles by using the CLI

At the command prompt, type:

sh ssl logprofile
<!--NeedCopy-->

Example:

sh ssl logprofile

    1)            Name: ssllogp1
                    SSL log ClientAuth [Success/Failures] : ENABLED
                    SSL log ClientAuth [Failures] : ENABLED
                    SSL log Handshake [Success/Failures] : DISABLED
                    SSL log Handshake [Failures] : ENABLED

    2)            Name: ssllogp2
                    SSL log ClientAuth [Success/Failures] : DISABLED
                    SSL log ClientAuth [Failures] : DISABLED
                    SSL log Handshake [Success/Failures] : DISABLED
                    SSL log Handshake [Failures] : DISABLED

    3)            Name: ssllogp3
                    SSL log ClientAuth [Success/Failures] : DISABLED
                    SSL log ClientAuth [Failures] : DISABLED
                    SSL log Handshake [Success/Failures] : DISABLED
                    SSL log Handshake [Failures] : DISABLED

    4)            Name: ssllog10
                    SSL log ClientAuth [Success/Failures] : ENABLED
                    SSL log ClientAuth [Failures] : ENABLED
                    SSL log Handshake [Success/Failures] : ENABLED
                    SSL log Handshake [Failures] : ENABLED
Done
<!--NeedCopy-->

View all the SSL log profiles by using the GUI

Navigate to System > Profiles > SSL Log Profile. All the profiles are listed.

Attach an SSL log profile to an SSL profile

You can attach (set) an SSL log profile on an SSL profile when you are creating an SSL profile, or later by editing the SSL profile. You can log both client authentication and handshake successes and failures.

Important:

The default SSL profile must be enabled before you can attach an SSL log profile. For more information about enabling the default SSL profile, see Enable the default profile.

Attach an SSL log profile on an SSL profile by using the CLI

At the command prompt, type:

set ssl profile <name> [-ssllogProfile <string>]
<!--NeedCopy-->

Example:

set ssl profile fron_1 -ssllogProfile ssllog10
<!--NeedCopy-->

Attach an SSL log profile to an SSL profile by using the GUI

  1. Navigate to System > Profiles > SSL Profile.
  2. Click Edit and in SSL Log Profile, specify a profile.

Attach an SSL log profile to an SSL action

You can set an SSL log profile only while creating an SSL action; you cannot modify an existing SSL action to set the log profile. Associate the action with an SSL policy. Because the handshake is already complete when the policy is evaluated, only client authentication successes and failures are logged through this path.

Attach an SSL log profile to an SSL action by using the CLI

At the command prompt, type:

add ssl action <name> -clientAuth ( DOCLIENTAUTH | NOCLIENTAUTH ) -ssllogProfile <string>
<!--NeedCopy-->

Example:

> add ssl action act1 -clientAuth DOCLIENTAUTH -ssllogProfile ssllog10
 Done

> sh ssl action act1
1)      Name: act1
        Type: Client Authentication (DOCLIENTAUTH)
        Hits: 0
        Undef Hits: 0
        Action Reference Count: 0
        SSLlogProfile: ssllog10
 Done
<!--NeedCopy-->

Attach an SSL log profile to an SSL action by using the GUI

  1. Navigate to Traffic Management > SSL > Policies and click SSL Actions.
  2. Click Add.
  3. In Client Authentication, select ENABLED.
  4. In SSL Log Profile, select a profile from the list, or click “+” to create a profile.
  5. Click Create.

Sample output from the log file

The following is a sample log output from ns.log for successful client authentication.

Jan 24 16:24:25 <local0.debug> 10.102.57.80 01/24/2019:10:54:25 GMT  0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 158 0 :  SPCBId 671 - ClientIP 10.102.1.98 - ClientPort 49451 - VserverServiceIP 10.102.57.82 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA TLSv1.2 Non-Export 256-bit" - Session New - CLIENT_AUTHENTICATED -SerialNumber "2A" - SignatureAlgorithm "sha1WithRSAEncryption" - ValidFrom "Sep 22 09:15:20 2008 GMT" - ValidTo "Feb  8 09:15:20 2036 GMT" - HandshakeTime 10 ms
Jan 24 16:24:25 <local0.debug> 10.102.57.80 01/24/2019:10:54:25 GMT  0-PPE-0 : default SSLLOG SSL_HANDSHAKE_ISSUERNAME 159 0 :  SPCBId 671 - IssuerName " C=IN,ST=KAR,O=Citrix R&D Pvt Ltd,CN=Citrix"
Jan 24 16:24:25 <local0.debug> 10.102.57.80 01/24/2019:10:54:25 GMT  0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUBJECTNAME 160 0 :  SPCBId 671 - SubjectName " C=IN,ST=KAR,O=Citrix Pvt Ltd,OU=A,CN=B"
Jan 24 16:24:25 <local0.debug> 10.102.57.80 01/24/2019:10:54:25 GMT  0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 161 0 :  Backend SPCBId 674 - ServerIP 10.102.57.85 - ServerPort 443 - ProtocolVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA TLSv1.2 Non-Export 256-bit" - Session Reuse - SERVER_AUTHENTICATED -SerialNumber "3E" - SignatureAlgorithm "sha1WithRSAEncryption" - ValidFrom "Sep 24 06:40:37 2008 GMT" - ValidTo "Feb 10 06:40:37 2036 GMT" - HandshakeTime 1 ms
Jan 24 16:24:25 <local0.debug> 10.102.57.80 01/24/2019:10:54:25 GMT  0-PPE-0 : default SSLLOG SSL_HANDSHAKE_ISSUERNAME 162 0 :  SPCBId 674 - IssuerName " C=IN,ST=KAR,O=Citrix Pvt Ltd"
Jan 24 16:24:25 <local0.debug> 10.102.57.80 01/24/2019:10:54:25 GMT  0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUBJECTNAME 163 0 :  SPCBId 674 - SubjectName " C=IN,ST=P,L=Q,O=R"
<!--NeedCopy-->
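The following is an added example, not part of the NetScaler product or its documentation. It parses SSLLOG lines in the format shown above, correlates the SSL_HANDSHAKE_SUCCESS, SSL_HANDSHAKE_ISSUERNAME and SSL_HANDSHAKE_SUBJECTNAME lines of one session by their SPCBId, and then reports, for a set of critical virtual servers (the `critical_vservers` parameter is this example's own idea), what a reviewer typically looks for: handshake outcome, client certificate subject and issuer, SHA-1 signed certificates, and CBC cipher suites. Back-end sessions, which the DEBUG level logs but selective logging cannot filter, are reported as well. The sample input is constructed from the six lines above plus one handshake-failure line; the event name SSL_HANDSHAKE_FAILURE and that line's field layout are assumptions, and the parser relies only on the string FAIL appearing in the event name.

```python
"""Correlate NetScaler ns.log SSLLOG entries per SSL session and flag what a reviewer
wants to see for critical virtual servers. Added example, not NetScaler code."""
import re
from collections import defaultdict

# Constructed sample input: the six lines from the page, plus one constructed
# handshake-failure line whose event name and field layout are assumptions.
SAMPLE_LOG = """\
Jan 24 16:24:25 <local0.debug> 10.102.57.80 01/24/2019:10:54:25 GMT  0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 158 0 :  SPCBId 671 - ClientIP 10.102.1.98 - ClientPort 49451 - VserverServiceIP 10.102.57.82 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA TLSv1.2 Non-Export 256-bit" - Session New - CLIENT_AUTHENTICATED -SerialNumber "2A" - SignatureAlgorithm "sha1WithRSAEncryption" - ValidFrom "Sep 22 09:15:20 2008 GMT" - ValidTo "Feb  8 09:15:20 2036 GMT" - HandshakeTime 10 ms
Jan 24 16:24:25 <local0.debug> 10.102.57.80 01/24/2019:10:54:25 GMT  0-PPE-0 : default SSLLOG SSL_HANDSHAKE_ISSUERNAME 159 0 :  SPCBId 671 - IssuerName " C=IN,ST=KAR,O=Citrix R&D Pvt Ltd,CN=Citrix"
Jan 24 16:24:25 <local0.debug> 10.102.57.80 01/24/2019:10:54:25 GMT  0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUBJECTNAME 160 0 :  SPCBId 671 - SubjectName " C=IN,ST=KAR,O=Citrix Pvt Ltd,OU=A,CN=B"
Jan 24 16:24:25 <local0.debug> 10.102.57.80 01/24/2019:10:54:25 GMT  0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 161 0 :  Backend SPCBId 674 - ServerIP 10.102.57.85 - ServerPort 443 - ProtocolVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA TLSv1.2 Non-Export 256-bit" - Session Reuse - SERVER_AUTHENTICATED -SerialNumber "3E" - SignatureAlgorithm "sha1WithRSAEncryption" - ValidFrom "Sep 24 06:40:37 2008 GMT" - ValidTo "Feb 10 06:40:37 2036 GMT" - HandshakeTime 1 ms
Jan 24 16:24:25 <local0.debug> 10.102.57.80 01/24/2019:10:54:25 GMT  0-PPE-0 : default SSLLOG SSL_HANDSHAKE_ISSUERNAME 162 0 :  SPCBId 674 - IssuerName " C=IN,ST=KAR,O=Citrix Pvt Ltd"
Jan 24 16:24:25 <local0.debug> 10.102.57.80 01/24/2019:10:54:25 GMT  0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUBJECTNAME 163 0 :  SPCBId 674 - SubjectName " C=IN,ST=P,L=Q,O=R"
Jan 24 16:24:26 <local0.debug> 10.102.57.80 01/24/2019:10:54:26 GMT  0-PPE-0 : default SSLLOG SSL_HANDSHAKE_FAILURE 164 0 :  SPCBId 680 - ClientIP 10.102.1.99 - ClientPort 50111 - VserverServiceIP 10.102.57.82 - VserverServicePort 443
"""

# Syslog prefix, NetScaler timestamp, packet engine, partition, SSLLOG event name, then the body.
HEADER_RE = re.compile(
    r"^(?P<syslog_ts>\w{3} +\d+ [\d:]+) <(?P<priority>[^>]+)> (?P<host>\S+) "
    r"(?P<ns_ts>\S+ GMT) +(?P<ppe>\S+) : (?P<partition>\S+) SSLLOG (?P<event>\S+) "
    r"(?P<seq>\d+) \d+ : +(?P<body>.*)$"
)


def parse_body(body):
    """Turn 'SPCBId 671 - ClientIP ... - CLIENT_AUTHENTICATED -SerialNumber "2A"' into a dict.
    Fields are separated by ' -' (the space after the dash is optional, as in the real
    '-SerialNumber'); bare tokens such as CLIENT_AUTHENTICATED become boolean flags."""
    side = "frontend"
    if body.startswith("Backend "):
        side, body = "backend", body[len("Backend "):]
    fields = {"side": side}
    for token in re.split(r"\s+-\s*", body.strip()):
        key, _, value = token.partition(" ")
        fields[key] = value.strip().strip('"').strip() if value else True
    return fields


def parse_line(line):
    """Parse one ns.log line; return None for lines that are not SSLLOG entries."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    rec.update(parse_body(rec.pop("body")))
    return rec


def correlate(log_text):
    """Group the per-session lines by SPCBId, the SSL session id the three lines share."""
    sessions = defaultdict(dict)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        s = sessions[rec["SPCBId"]]
        if rec["event"].endswith(("_ISSUERNAME", "_SUBJECTNAME")):
            s.update({k: v for k, v in rec.items() if k in ("IssuerName", "SubjectName")})
        else:
            s.update(rec)
            s["outcome"] = "failure" if "FAIL" in rec["event"] else "success"
    return dict(sessions)


def audit(sessions, critical_vservers):
    """Return {SPCBId: [notes]} for front-end sessions on the given (IP, port) vservers
    and for every back-end session (selective logging cannot filter those)."""
    findings = {}
    for spcb, s in sessions.items():
        vip = (s.get("VserverServiceIP"), s.get("VserverServicePort"))
        if s.get("side") == "frontend" and vip not in critical_vservers:
            continue
        notes = []
        if s.get("outcome") == "failure":
            notes.append("handshake failed")
        if s.get("CLIENT_AUTHENTICATED"):
            notes.append(f"client cert {s.get('SubjectName')} issued by {s.get('IssuerName')}")
        sig = s.get("SignatureAlgorithm", "")
        if sig.lower().startswith("sha1"):
            notes.append(f"weak signature algorithm {sig}")
        if "CBC" in s.get("CipherSuite", ""):
            notes.append("CBC cipher suite")
        findings[spcb] = notes
    return findings


if __name__ == "__main__":
    for spcb, notes in audit(correlate(SAMPLE_LOG), {("10.102.57.82", "443")}).items():
        print(spcb, "; ".join(notes) or "no findings")
```

Point the script at a real ns.log and adjust `critical_vservers` to the VIP:port pairs you care about; because the ISSUERNAME and SUBJECTNAME lines carry only the SPCBId, correlation is what makes the client certificate identity visible next to the handshake result.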