How Do You Configure a NetScaler Device to Send Syslog Output to a Remote Server?

Q: How do you configure a NetScaler device to send syslog output to a remote server?

A: As of release 6.1 you can configure a remote syslog server from the command line interface (CLI) using the following command:

set audit syslogparams [-serverip <ip_address>] [-serverport <port>]
        [-dateformat ( MMDDYYYY | DDMMYYYY )] [-logLevel <logLevel> ...]

-Where-

    <logLevel> = ( EMERGENCY | ALERT | CRITICAL | ERROR | WARNING | NOTICE |

        INFORMATIONAL | DEBUG | ALL )

For NetScaler release 6.0 or earlier, the following procedure applies:

Assumptions: You want to use the local0 facility to log system events, and the local2 facility to log SSL Virtual Private Networking (VPN) access events. You also want these logs saved locally on your NetScaler device.

Configure /etc/hosts and verify connectivity to the remote syslog server

> shell
# su
Password:
netscaler# cd /etc/
netscaler# pico hosts

Add the following line to /etc/hosts:

<ip address of remote> <hostname>

Save the file (in the Pico editor, press CTRL+O to save the file and CTRL+X to exit the editor itself).
Verify you have done this correctly by pinging the remote device from the shell:

netscaler# ping <hostname>

Enable syslog on the NetScaler:

> shell
# su
Password:
netscaler# cd /etc/
netscaler# pico rc.conf

Look for the following line:

syslogd_enable=?NO?

Change it to the following:

syslogd_enable=?YES?

Configure the nsconmsg utility to output log info to syslogd:

> shell
# su
Password:
netscaler# cd /etc/
netscaler# pico startpe

Here you are only interested in the section of the file that contains the following:

#Uncomment the below line to enable Netscaler syslog daemon.
# $WEBSCALER_START/nsconmsg -s syslog=1 -d eventwait
#Uncomment the below line to enable Netscaler syslog daemon logs for SSLVPN .
# $WEBSCALER_START/nsconmsg -s syslog=1 -d accesslogs

Uncomment and modify these lines as follows:

#Uncomment the below line to enable Netscaler syslog daemon.
$WEBSCALER_START/nsconmsg -s syslog=1 -d eventwait
#Uncomment the below line to enable Netscaler syslog daemon logs for SSLVPN .
$WEBSCALER_START/nsconmsg -s syslogfacility=2 ?s syslog=1 -d accesslogs

Save the file.
Create the actual log files on the NetScaler device itself:

Note: Again, this is given the assumption that you wish to save local copies of the syslog output on the NetScaler itself.
> shell
# su
Password:
netscaler# cd /var/log
netscaler# pico eventlog (this title can be anything you want it to be)

The Pico editor creates a blank file, which you can then save by pressing CTRL+O. Once you have done this, press CTRL+X to exit Pico.
Issue the following command:

netscaler# pico vpnaccesslog (again, this title can be anything you want it to be)

As above, save the blank file.
Modify the filters in the syslog.conf file:

Note: The syslog.conf file lists filters that tell the NetScaler device how and where to output syslog data. While there are a number of possible configuration options here, the scope of this FAQ is to stay within our previously defined assumptions.
> shell
#su
Password:
netscaler# cd /etc/
netscaler# pico syslog.conf

At the very top of the file, add the following lines:

local0.* @<hostname>
local2.* @<hostname>
local0.* /var/log/eventlog
local2.* /var/log/vpnaccesslog

Save the file by pressing CTRL+O.
Restart the NetScaler device. Syslog does not start until the device is restarted:

netscaler# reboot

Note: For High Availability situations, as syslog is handled at the BSD level, it is not affected by the ns.conf configuration synchronization. You must take the preceding steps on both NetScaler devices in the pair.