How to Install and Configure Splunk for NetScaler for Application Firewall Reporting


Article ID: CTX132533


Description

This article describes how to install and configure Splunk for NetScaler on the Windows operating system to view Application Firewall reports.


Instructions

Note: In Splunk 6.1, the configuration file is called ipfix.conf. NetScaler 10.1 and Splunk are not currently compatible.
To configure Splunk for NetScaler, complete the following procedures:

Installing Splunk for NetScaler

To install the Splunk application on the computer, complete the following procedure:
  1. Get the relevant installation package from the Splunk website.
    http://www.splunk.com/download?r=/product

  2. Run the Splunk installer and follow the installation wizard.

  3. Download the Splunk for NetScaler application from http://splunk-base.splunk.com/apps/22345/splunk-for-citrix-netscaler-with-appflow.
    Note: If this hyperlink does not work, the application might be updated. To confirm this, click Find More Apps as shown in the screen shot in Step 5.

  4. Log on to Splunk.

  5. Go to App > Manage Apps.

  6. Install the application from the Splunk for NetScaler application file that you downloaded earlier.

  7. Upload the application tgz file.

  8. Open the <SPLUNK DIRECTORY>\etc\apps\SplunkforCitrixNetScaler\default folder. Modify the inputs.conf file for Windows usage.
    Note: Add a hash (#) at the beginning of the lines for the Linux package to turn them into comments.

NetScaler Configuration

To configure the NetScaler appliance to use the Splunk application, complete the following procedure:
  1. Open the NetScaler Configuration Utility.

  2. Expand the System node.

  3. Expand the Auditing node.

  4. Select the Policies node.

  5. Click Add.

  6. In the Create Auditing Policy dialog box, provide a name for the policy and create a new server.

  7. Provide the IP address of the server where Splunk is installed and port 514.
    Note: Splunk must listen on this port.

  8. Click Create.

  9. Bind the policy at a global level.

  10. Configure the Application Firewall on the NetScaler appliance to protect the applications, and ensure that logging is enabled for the various protections.

  11. Open Splunk > Manager > Data Inputs > UDP.

  12. Ensure that the UDP port is 514 and the Source type is set to ns_log.

  13. Open App > Manage Apps.

  14. Open Splunk for Citrix NetScaler.

  15. Open App Firewall. If App Firewall is configured correctly and there are violation blocks, a graph should be displayed.
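
To check that the UDP 514 data input is reachable before waiting for real App Firewall violations, the following added example (not part of the original article) sends one marker syslog datagram to the Splunk server and reports whether the host rejected it. The marker text, host name and tag are constructed values and do not reproduce NetScaler's own log format.

```python
import socket
import sys
from datetime import datetime


def build_syslog(msg, host="probe-host", tag="splunk-probe", facility=16, severity=6):
    """Build an RFC 3164-style syslog datagram. PRI = facility * 8 + severity,
    so the defaults (local0.info) give <134>. Host and tag are constructed."""
    now = datetime.now()
    stamp = f"{now:%b} {now.day:2d} {now:%H:%M:%S}"
    return f"<{facility * 8 + severity}>{stamp} {host} {tag}: {msg}".encode("ascii", "replace")


def probe_udp_input(server, port=514, marker="NS-SPLUNK-PROBE", wait=1.0):
    """Send one marker datagram to the Splunk UDP input.

    Returns 'refused' when the host answers with ICMP port unreachable
    (nothing is bound to the port), otherwise 'no-reply'."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(wait)
        # A connected UDP socket is what lets the OS report ICMP errors to us.
        s.connect((server, port))
        try:
            s.send(build_syslog(marker))
            s.recv(1)  # a syslog input never answers; we only wait for an error
        except (ConnectionRefusedError, ConnectionResetError):
            return "refused"  # ConnectionResetError is the Windows variant
        except socket.timeout:
            return "no-reply"
    return "no-reply"


if __name__ == "__main__":
    # Usage: python probe.py <splunk-server-ip>
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, probe_udp_input(target))
```

A no-reply result only means that no ICMP rejection came back, which both a listening input and a packet-dropping firewall produce; confirm arrival by searching Splunk for the marker string with sourcetype=ns_log.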
