Export audit logs to HEC endpoints

Audit logs enable you to log the NetScaler states and status information collected by various modules in NetScaler. By reviewing the logs, you can troubleshoot problems or errors and fix them. You can export audit logs and events from NetScaler to HTTP Event Collector (HEC) endpoints.

For information related to export of audit logs and events to Splunk, see Export audit logs and events directly from NetScaler to Splunk.

Configure export of audit logs from NetScaler to HEC endpoint

  1. Create a schema file by running the Python script auditlog_schema_generator_for_hec_export.py from the NetScaler shell. Follow the instructions shown at the prompt.

    The support for creating a schema file is available from NetScaler release 14.1 build 60.x onwards. This schema file helps you configure the required fields and desired keys in the audit logs exported in JSON format for the HEC endpoint.

    python /var/analytics_conf/auditlog_schema_generator_for_hec_export.py

  2. Create a syslog action for the HEC endpoint.

    add audit syslogAction <action_name> <server-ip> -serverPort <server_port> -transport HTTP -logLevel <loglevel> -httpAuthToken "<auth-token>" -httpEndpointUrl "<endpoint-url>" -httpSchemaFile <schema-file-name>


    Example:

    add audit syslogAction sys_act 10.106.194.128 -serverPort 80 -logLevel ALL -transport HTTP -httpAuthToken "yPddOJH2WQiazU9lhsJSXrpyJvUWmBtZ" -httpEndpointUrl "/ctxlogserver/UploadCitrixLogStream" -httpSchemaFile aot.json


    In this configuration:

    • server-ip: The IP address of the HEC endpoint.
    • serverPort: The port on which the HEC endpoint listens (default 8088).
    • transport: Set to HTTP for the HEC endpoint.
    • httpAuthToken: The authentication token sent in the Authorization header with every log upload. This is the token created on the HEC endpoint when you configure the HTTP event collector.
    • httpEndpointUrl: The URL path on which the HEC endpoint accepts requests, for example "/services/collector/event".
    • httpSchemaFile: The schema file created by running the Python script in step 1.

  3. Add and bind a syslog policy.

    add audit syslogPolicy <name> <rule> <action>
    bind audit syslogGlobal <policyName> [-globalBindType <globalBindType>]


    Example:

    add audit syslogPolicy http_sys_pol1 true http_sys_act1
    bind audit syslogGlobal -policyName http_sys_pol1 -priority 11


After successful configuration, audit logs are sent as HTTP payloads to the HEC endpoint and are visible in the endpoint UI.
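Before pointing the syslog action at a production collector, it is useful to stand up a throwaway HEC-style receiver and confirm that the three settings above (endpoint URL, auth token, JSON payload) are correct from the receiving side. The following is an added example, not code from NetScaler or from the HEC documentation. It assumes the token is carried as `Authorization: Splunk <token>`, the header format Splunk's HTTP Event Collector expects, and that the body is one or more JSON objects separated by newlines; the sample event fields are constructed for illustration and do not reflect what the schema file actually emits.

```python
"""Minimal HEC-style receiver for checking a NetScaler audit-log export.

Added example (not NetScaler or Splunk code). Assumptions:
- -httpAuthToken arrives as "Authorization: Splunk <token>" (standard HEC format)
- the body is one or more JSON objects, newline separated (HEC accepts this)
- the sample event below is constructed; real field names come from the schema file
"""
import hmac
import json
from http.server import BaseHTTPRequestHandler, HTTPServer

# Token and URL taken from the examples in the page; replace with your own values.
EXPECTED_TOKEN = "yPddOJH2WQiazU9lhsJSXrpyJvUWmBtZ"
ENDPOINT_URL = "/services/collector/event"

# Constructed sample payload: two events as NetScaler might upload them.
SAMPLE_BODY = (
    '{"event": {"source": "NetScaler", "module": "CLI", "level": "INFO", '
    '"msg": "User nsroot - Remote_ip 10.0.0.5 - Command \\"show ns ip\\" - Status Success"}}\n'
    '{"event": {"source": "NetScaler", "module": "SSLVPN", "level": "INFO", "msg": "LOGIN user1"}}\n'
)


def extract_token(authorization_header):
    """Return the token from 'Splunk <token>', or None if the header is missing or malformed."""
    if not authorization_header:
        return None
    scheme, _, token = authorization_header.strip().partition(" ")
    if scheme.lower() != "splunk" or not token.strip():
        return None
    return token.strip()


def parse_events(body):
    """Parse a HEC payload: a single JSON object or several separated by whitespace/newlines.
    Raises ValueError (json.JSONDecodeError is a subclass) on malformed input."""
    events = []
    decoder = json.JSONDecoder()
    text = body.strip()
    idx = 0
    while idx < len(text):
        obj, end = decoder.raw_decode(text, idx)
        if not isinstance(obj, dict):
            raise ValueError("HEC events must be JSON objects")
        events.append(obj)
        idx = end
        while idx < len(text) and text[idx] in " \r\n\t":
            idx += 1
    return events


def handle_hec_request(path, headers, body, expected_token=EXPECTED_TOKEN):
    """Validate one upload and return (http_status, events).

    404: path differs from ENDPOINT_URL  (mistyped -httpEndpointUrl)
    401: token missing or wrong          (mismatched -httpAuthToken)
    400: body is not valid JSON          (bad schema file / payload)
    """
    if path != ENDPOINT_URL:
        return 404, []
    token = extract_token(headers.get("Authorization"))
    # Constant-time comparison so a wrong token cannot be narrowed down by timing.
    if token is None or not hmac.compare_digest(token, expected_token):
        return 401, []
    try:
        events = parse_events(body)
    except ValueError:
        return 400, []
    return 200, events


class HecHandler(BaseHTTPRequestHandler):
    def do_POST(self):
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length).decode("utf-8", errors="replace")
        status, events = handle_hec_request(self.path, self.headers, body)
        for ev in events:
            print(json.dumps(ev))  # stand-in for indexing the event
        reply = json.dumps({"text": "Success" if status == 200 else "Rejected", "code": status}).encode()
        self.send_response(status)
        self.send_header("Content-Type", "application/json")
        self.send_header("Content-Length", str(len(reply)))
        self.end_headers()
        self.wfile.write(reply)


if __name__ == "__main__":
    # Point the syslogAction at this host with -serverPort 8088 and
    # -httpEndpointUrl "/services/collector/event" to exercise it.
    HTTPServer(("0.0.0.0", 8088), HecHandler).serve_forever()
```

Run the script on a test host, create the syslog action with that host as server-ip, and watch the console: a 401 on every upload means the token on the NetScaler side does not match, a 404 means the endpoint URL path is wrong, and a 400 means the payload is not the JSON the receiver expects. Only when events print as parsed JSON should the action be repointed at the real collector.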