[NetScaler-Syslog] HA Secondary node Cannot Transmit Syslog Messages in TCP


Article ID: CTX579188


Description

NetScaler supports reporting syslog messages to an external syslog server. In an HA deployment, however, you may observe that the HA Secondary node doesn't send syslog messages while the Primary works fine when "Transport Type" is TCP. Configuring the transport as UDP has no issue.

Resolution

Solution#1:
If UDP is acceptable, switching the transport to UDP is a valid solution.

Note: UDP works because it is stateless and cannot check L4 connectivity. NetScaler makes a "best effort" to transmit data, and the "internal service" for the syslog server is UP on both Primary and Secondary.

Solution#2:
If you want to use TCP, you can create a SYSLOGTCP type vServer and link it to the syslog action. For example:

1. Create a non-addressable SYSLOGTCP type vServer, as well as a service that points to your syslog server.
add lb vserver Dummy_Syslog_vS SYSLOGTCP
add service Syslog_Svc x.x.x.x SYSLOGTCP 514    // Replace x.x.x.x with your syslog server IP.
bind lb vserver Dummy_Syslog_vS Syslog_Svc

2. Create Syslog action and bind the SYSLOGTCP vServer to it:
add audit syslogAction Syslog_TCP_Act -lbVserverName Dummy_Syslog_vS -logLevel ALL -transport TCP ...

3. Create a syslog policy and bind it to global as usual.

The above steps resolve the issue with TCP because they replace the "internal service" with a "configured service", whose state can be synced to the Secondary node.

Problem Cause

This is a limitation of the current design. Creating a TCP type syslog server generates a TCP type "internal service".

  • The default TCP monitor is applied to the internal service. Monitor probes are sent from the Primary's SNIP.
  • The Secondary's SNIP is passive. The Secondary node can't proactively probe the syslog server's state.
  • Unfortunately, state isn't synced between HA nodes for an "internal service".

As a result, the Secondary node marks the syslog server state as DOWN (monitor UNKNOWN) and doesn't send anything to it:

  6244    0    UNKNOWN     2    0 mon_state MonServiceBinding_x.x.x.x:514_(tcp)(internal)    // x.x.x.x is your Syslog server's IP. 
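
A check for the state described above, as an added example (not Citrix code): it scans monitor-state lines captured on the Secondary node, in the format of the sample line above, and reports internal TCP bindings that are not UP, i.e. syslog targets the node will silently stop logging to. The sample lines, the 192.0.2.x addresses, the "UP" state string and the function name are assumptions constructed for illustration.

```python
import re

# Line format taken from the single sample line in this article:
#   6244  0  UNKNOWN  2  0 mon_state MonServiceBinding_x.x.x.x:514_(tcp)(internal)
# The meaning of the numeric columns is not given on the page, so they are skipped.
MON_STATE = re.compile(
    r"\b(?P<state>[A-Z]+)(?:\s+\d+)*\s+mon_state\s+"
    r"MonServiceBinding_(?P<host>\S+?):(?P<port>\d+)_"
    r"\((?P<mon>[^)]+)\)(?P<internal>\(internal\))?"
)


def find_silent_syslog_targets(lines, syslog_servers=None, healthy=("UP",)):
    """Return (host, port, state) for internal TCP bindings that are not healthy.

    syslog_servers: optional set of syslog server IPs to restrict the check to.
    healthy: state strings treated as good ("UP" is an assumption).
    """
    findings = []
    for line in lines:
        m = MON_STATE.search(line)
        if not m:
            continue
        if not m.group("internal"):
            continue  # configured services have their state synced across HA
        if m.group("mon").lower() != "tcp":
            continue
        if syslog_servers is not None and m.group("host") not in syslog_servers:
            continue
        if m.group("state") not in healthy:
            findings.append((m.group("host"), int(m.group("port")), m.group("state")))
    return findings


# Constructed sample input (not real device output beyond the page's format).
SAMPLE = """\
  6244    0    UNKNOWN     2    0 mon_state MonServiceBinding_192.0.2.10:514_(tcp)(internal)
  6251    0    UP          2    0 mon_state MonServiceBinding_192.0.2.20:514_(tcp)(internal)
  6260    0    UNKNOWN     2    0 mon_state MonServiceBinding_192.0.2.30:80_(tcp)
""".splitlines()

if __name__ == "__main__":
    for host, port, state in find_silent_syslog_targets(SAMPLE):
        print(f"Secondary will not log to {host}:{port} (monitor {state})")
```
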

 

Issue/Introduction

TCP syslog in HA secondary doesn't work.