ADC

HTTP and TCP attack detection and logging

August 14, 2025

Contributed by:

NetScaler provides comprehensive logging capabilities for HTTP and TCP attack events and non-RFC compliant traffic. This feature enhances security monitoring by providing detailed visibility into dropped packets and security violations that were previously only tracked through counters.

The new logging functionality enables administrators to identify malicious traffic sources with complete connection details. Administrators can monitor RFC compliance violations for troubleshooting and security purposes. Also, administrators can track attack patterns with contextual information for forensic analysis and configure flexible logging levels to filter events based on severity requirements.

Note:

The HTTP and TCP attack event logging feature is available starting from NetScaler version 14.1 build 51.x.

Key benefits

This enhanced logging capability delivers significant value across the following critical business areas:

Immediate threat response with real-time detection and forensic analysis.
Operational efficiency through faster incident resolution and automated compliance reporting.
Cost optimization using targeted remediation and proactive security monitoring that reduces overall incident volume.

Supported attack types and log levels

NetScaler’s attack event logging covers a comprehensive range of security threats and protocol violations across both HTTP and TCP layers. The system automatically categorizes events by severity level (ALERT, WARNING, ERROR) to enable appropriate prioritization and response workflows in your security operations.

HTTP attack detection

NetScaler monitors and logs various HTTP-based security threats and protocol violations. These threats are classified into multiple categories based on their potential impact and security risk.

The following HTTP-based attacks and violations are logged:

ALERT level - Active security attacks requiring immediate attention:

These attacks require immediate attention and pose significant security risks to your infrastructure.

Desync Attack
Slow Loris Attack
Slow Post Attack
HTTP/2 Ping Flood
HTTP/2 Reset Flood
HTTP/2 Settings Flood
HTTP/2 Empty Frame Flood

WARNING level - Protocol violations and non-compliant traffic:

These violations indicate non-standard HTTP behavior that suggests malicious intent or application issues requiring investigation.

Invalid Body
Invalid Character in header field name
Invalid symbol character in header field name
Duplicate headers
Duplicate host headers
Header overflow
Invalid host header

ERROR level - Connection tracking failures and invalid requests:

These events capture connection abnormalities that indicate attack attempts or system issues affecting request processing.

Various connection tracking aborted scenarios when requests are marked as invalid.

TCP attack detection

NetScaler detects and logs network-layer TCP attacks that target connection establishment and data transmission protocols, providing visibility into sophisticated network-based threats.

ALERT level - Critical network attacks targeting TCP infrastructure:

These events represent sophisticated network-level attacks that attempt to exhaust system resources or exploit TCP protocol weaknesses.

SYN flood attack
Segments smack attacks
Small window attacks

Log information template

Every security event is logged with a standardized set of data fields that provide complete context for threat analysis and incident response.

Each logged event includes the following comprehensive information:

Field	Description
Event Category	Type of attack or violation detected
Source IP	Client IP address
Source Port	Client port number
Destination IP	Target server IP address
Destination Port	Target server port
Protocol	HTTP or TCP
Payload Sample	First 128 bytes of packet payload
Context Description	Human-readable explanation of the violation

Configure audit log (Syslog and Nslog) with HTTP and TCP attack logging by using the CLI

To implement the HTTP and TCP attack detection and logging feature, a new -protocolViolations parameter is added to audit log related commands. This parameter enables logging of protocol violations and attack events for specified protocols. The -protocolViolations parameter currently supports the following values:

ALL: Enables logging for all supported protocol violations and attacks
NONE: Disables protocol violation logging (default value).

The -protocolViolations parameter is available in the following audit log configuration commands:

set syslogparams [-protocolViolations <protocol> ...]

add audit syslogAction <name> <syslog server IP> <loglevel> [-protocolViolations <protocol> ...]

set nslogparams [-protocolViolations <protocol> ...]

add audit nslogAction <name> <nslog server IP> <loglevel> [-protocolViolations <protocol> ...]
<!--NeedCopy-->

Configure audit log (Syslog and ns log) with HTTP and TCP attack logging by using the GUI

Navigate to Configuration > System > Auditing > Syslog or Nslog.
Select the Servers tab.
Click Add.
In the Create Auditing Server page, populate the relevant fields.
Select the Protocol Violations checkbox.
Click Create.

Implementation and configuration

The following configuration examples demonstrate different deployment scenarios for enabling attack event logging based on your environment’s specific requirements and security monitoring strategy:

Use case 1: Global external syslog server

This configuration is ideal for organizations that require centralized security monitoring across their entire NetScaler infrastructure. NetScaler sends all violation and attack logs to an external syslog server for centralized monitoring.

To configure this setup, perform the following procedure:

Create a syslog action for an external server.

At the command prompt, type:

add audit syslogAction external_act <syslog server IP> logLevel ALL -protocolViolations ALL
<!--NeedCopy-->

Example:

add audit syslogAction external_act 10.146.121.48 -logLevel ALL -protocolViolations ALL
<!--NeedCopy-->

Create and bind syslog policy.

At the command prompt, type:

add audit syslogPolicy external_pol TRUE external_act

bind audit syslogGlobal -policyName external_pol -priority 100
<!--NeedCopy-->

Use case 2: Local syslog server

For smaller deployments or environments with specific data locality requirements, local syslog configuration provides a simpler alternative. Configure a local syslog server to capture all protocol violations.

To enable protocol violation logging on local syslog, run the following command:

set syslogparams -protocolViolations ALL
<!--NeedCopy-->

Use case 3: Multiple external servers per virtual server

If you need more flexibility for complex environments, you can configure different virtual servers to send their logs to different destinations. This means that you can have some virtual servers sending logs to one server while others send to a different server, all with their own specific configurations.

To configure this setup, run the following commands in sequence:

Configure the first external server (all events).

add audit nslogAction external_act_1 <nslog server IP> logLevel ALL -protocolViolations ALL
<!--NeedCopy-->

Example:

add audit nslogAction external_act_1 10.146.121.48 -logLevel ALL -protocolViolations ALL

add audit nslogPolicy external_pol_1 TRUE external_act_1
<!--NeedCopy-->

Configure a second external server (critical events only).

add audit nslogAction external_act_2 <nslog server IP> logLevel ALERT WARNING -protocolViolations ALL
<!--NeedCopy-->

Example:

add audit nslogAction external_act_2 10.146.127.50 -logLevel ALERT WARNING -protocolViolations ALL

add audit nslogPolicy external_pol_2 TRUE external_act_2
<!--NeedCopy-->

Bind policies to a specific virtual server.

bind lb vserver vserver1 -policyName external_pol_1 -priority 100

bind lb vserver vserver1 -policyName external_pol_2 -priority 110
<!--NeedCopy-->

Use case 4: Filter logging by severity

When dealing with high-traffic environments, filtering logs by severity helps manage log volume while maintaining focus on critical security events. You can configure logging to capture only critical attacks (ALERT level) to reduce log volume.

Create syslog action for critical events only.

add audit syslogAction external_act 10.146.121.48 -logLevel ALERT -protocolViolations ALL
<!--NeedCopy-->

Create and bind syslog policy.

add audit syslogPolicy external_pol TRUE external_act

bind audit syslogGlobal -policyName external_pol -priority 100
<!--NeedCopy-->

Best practices

Follow these recommended practices to maximize the effectiveness of attack logging while maintaining optimal system performance:

Start with WARNING level to understand your traffic patterns before enabling all log levels.
Use external syslog servers for production environments to ensure log persistence.
Configure log rotation to manage disk space on syslog servers.
Set up alerting on ALERT level events for immediate threat response.
Regularly review logged events to identify trends and adjust security policies.

Troubleshooting

When implementing attack event logging, you might encounter configuration challenges or performance considerations. The following guidance helps resolve common issues:

Ensure syslog server connectivity before enabling logging.
Verify log level compatibility with your SIEM or log analysis tools.
Check that network policies allow syslog traffic to external servers.

To ensure optimal system performance while maintaining comprehensive security monitoring, consider the following recommendations:

Monitor NetScaler performance when enabling comprehensive logging.
Consider using filtered logging (ALERT only) for high-traffic environments.
Implement log aggregation for multiple NetScaler instances.

The official version of this content is in English. Some of the Cloud Software Group documentation content is machine translated for your convenience only. Cloud Software Group has no control over machine-translated content, which may contain errors, inaccuracies or unsuitable language. No warranty of any kind, either expressed or implied, is made as to the accuracy, reliability, suitability, or correctness of any translations made from the English original into any other language, or that your Cloud Software Group product or service conforms to any machine translated content, and any warranty provided under the applicable end user license agreement or terms of service, or any other agreement with Cloud Software Group, that the product or service conforms with any documentation shall not apply to the extent that such documentation has been machine translated. Cloud Software Group will not be held responsible for any damage or issues that may arise from using machine-translated content.

Was this helpful

NetScaler Secure Deployment Guide

HTTP and TCP attack detection and logging

August 14, 2025

Contributed by:

August 14, 2025

Contributed by:

Key benefits
Supported attack types and log levels
Log information template
Configure audit log (Syslog and Nslog) with HTTP and TCP attack logging by using the CLI
Configure audit log (Syslog and ns log) with HTTP and TCP attack logging by using the GUI
Implementation and configuration
Best practices
Troubleshooting

Was this helpful

NetScaler Secure Deployment Guide

HTTP and TCP attack detection and logging

Key benefits

Supported attack types and log levels

HTTP attack detection

TCP attack detection

Log information template

Configure audit log (Syslog and Nslog) with HTTP and TCP attack logging by using the CLI

Configure audit log (Syslog and ns log) with HTTP and TCP attack logging by using the GUI

Implementation and configuration

Use case 1: Global external syslog server

Use case 2: Local syslog server

Use case 3: Multiple external servers per virtual server

Use case 4: Filter logging by severity

Best practices

Troubleshooting

In this article