Missing Web App Firewall Logs in NetScaler
Follow the steps below to troubleshoot the issue:
Ensure that logging is enabled for the security checks or signatures in the Web App Firewall profile.
Navigate to Web App Firewall > Profiles, select the target profile, and check the logging settings for each security check.
Ensure that the syslog server is correctly configured to receive logs from the NetScaler appliance.
Navigate to NetScaler > System > Auditing and verify the syslog server settings.
Use the Syslog Viewer in the GUI to check if the logs are being generated.
Navigate to NetScaler > System > Auditing and click on the Syslog messages link to display the Syslog Viewer.
Alternatively, navigate to Web App Firewall > Profiles, select the target profile, and click on Security Checks. Highlight the row for the target security check and click Logs.
Switch to the shell and tail the ns.log file in the /var/log/ folder to access the log messages pertaining to the Web App Firewall security check violations:
Shell
tail -f /var/log/ns.log
Use the grep command to filter specific log entries, for example, to access log messages pertaining to Credit Card violations:
tail -f /var/log/ns.log | grep SAFECOMMERCE
tail -f /var/log/ns.log | grep APPFW
tail -f /var/log/ns.log | grep CSRF
Ensure that the logs are in the correct format (Native or CEF) as required by your logging tools.
If you are using the Syslog Viewer to filter logs by profile, ensure the logs are in the CEF format.
External SYSLOG Server:
If you want to segregate NetScaler Web App Firewall logs from the System Logs, ensure you are using an external SYSLOG server.
By following these steps, you should be able to identify and resolve the issue of not getting Web App Firewall logs in NetScaler.
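To confirm which format the Web App Firewall entries in ns.log are actually written in (the Native or CEF check above) and which violation types are present, the grep step can be extended into the shell functions below. This is an added example, not code from the original page or from Citrix; it assumes CEF entries carry a CEF:0|...|APPFW|<violation>| header and native entries carry the APPFW module token followed by the violation name, and the sample log lines are constructed.

```shell
#!/bin/sh
# Added example (not Citrix code). Assumed formats: CEF entries look like
# "CEF:0|vendor|product|version|APPFW|<violation>|...", native entries carry
# the module token APPFW followed by the violation name.

# Print "<format> <violation> <count>" for every APPFW entry in log file $1.
appfw_summary() {
    awk '
        index($0, "CEF:0|") && index($0, "|APPFW|") {
            n = split($0, f, "|")          # f[6] is the CEF event name
            if (n >= 6) count["CEF " f[6]]++
            next
        }
        {
            for (i = 1; i < NF; i++)       # native: token after APPFW
                if ($i == "APPFW") { count["Native " $(i + 1)]++; break }
        }
        END { for (k in count) print k, count[k] }
    ' "$1" | sort
}

# Print CEF, Native, Mixed or None for the APPFW entries in log file $1.
appfw_format() {
    appfw_summary "$1" | awk '
        { seen[$1] = 1 }
        END {
            if (seen["CEF"] && seen["Native"]) print "Mixed"
            else if (seen["CEF"]) print "CEF"
            else if (seen["Native"]) print "Native"
            else print "None"
        }'
}

# Write constructed sample lines (documentation addresses, made-up IDs) to $1.
write_sample_log() {
    cat > "$1" <<'EOF'
Jan 10 10:00:01 <local0.info> 192.0.2.10 01/10/2025:10:00:01 GMT ns 0-PPE-1 : default APPFW APPFW_STARTURL 101 0 : 198.51.100.7 11-PPE1 - pr_demo http://example.com/a Disallow Illegal URL. <blocked>
Jan 10 10:00:02 <local0.info> 192.0.2.10 01/10/2025:10:00:02 GMT ns 0-PPE-1 : default APPFW APPFW_SAFECOMMERCE 102 0 : 198.51.100.7 12-PPE1 - pr_demo http://example.com/b Credit card number seen <transformed>
Jan 10 10:00:03 <local0.info> 192.0.2.10 CEF:0|Citrix|NetScaler|NSx.y|APPFW|APPFW_STARTURL|6|src=198.51.100.7 spt=40000 method=GET request=http://example.com/c cs1=pr_demo act=blocked
Jan 10 10:00:04 <local0.info> 192.0.2.10 01/10/2025:10:00:04 GMT ns 0-PPE-1 : default SSLVPN LOGIN 104 0 : User demo - Client_ip 198.51.100.9
EOF
}

# Usage: sh appfw_format.sh /var/log/ns.log
if [ -n "${1:-}" ]; then
    appfw_format "$1"
    appfw_summary "$1"
fi
```

A result of None means no Web App Firewall entries reached the file at all, which points back to the profile logging and auditing checks at the start of the procedure.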