How to Use Policy-Based Logging on a NetScaler Appliance to Log HTTP Header

Article ID: CTX125466

Description

This article describes how to use the policy-based logging on a NetScaler appliance to log an HTTP header not supported by the NetScaler Web Logging (NSWL) feature.


Instructions

To use policy-based logging on a NetScaler appliance to log an HTTP header not supported by the NSWL feature, complete the following procedure:

  1. Expand the System node in the Navigation pane.

  2. Expand the Auditing node and then select Message Actions.

  3. Click Add on the Message Actions page.

  4. Specify a name for the action in the Name field and an appropriate severity level for the message.

  5. Specify the log message to be transmitted. The following is a sample log message for your reference:

    "X-FORWARDED FOR DETECTED" + HTTP.REQ.HEADER("x-forwarded-for")

  6. Optionally, select the Log in newnslog option.

  7. Check the Bypass Safety Check option, and click OK.

  8. Expand the Rewrite node in the Navigation pane and then select Policies.

  9. Click Add on the Rewrite Policies page and then specify the name for the policy.

  10. Select NOREWRITE from the Action list.

  11. Ensure that Undefined-Result Action has the default value.

  12. From the Log Action list, select the log action name you created in Step 4.

  13. Specify the Expression that must trigger the policy.

  14. Click Create and then Close.

  15. Expand the Load Balancing node in the Navigation pane and then select Virtual Servers.

  16. Open the virtual server to which you want to bind the policy from the Virtual Server page.

  17. Activate the Policies tab.

  18. Click Rewrite (Request) and then click Insert Policy.

  19. Select the policy that you created in Step 14 from the Policy Name list and then click Create.

  1. Run the following command to add the new syslog receiver:
    add audit syslogAction log-rewrite 101.111.111.1 -logLevel CRITICAL -acl ENABLED -userDefinedAuditlog YES

  2. Run the following command to set the audit syslogPolicy to use the new server:
    add audit syslogPolicy log-rewrite-policy ns_true log-rewrite

  3. Run the following command to globally bind the log policy, so that the appliance knows where to send the message when the message action is triggered:
    bind system global log-rewrite-policy -priority 100

  4. Add custom logging to a virtual server by using a rewrite policy with the NOREWRITE action:
    add audit messageaction log-act1 ALERT "\"Client:\"+CLIENT.IP.SRC+\" accessed \"+HTTP.REQ.URL" -bypassSafetyCheck YES
    add rewrite policy log-rewr-pol true NOREWRITE -logAction log-act1
    bind lb vserver <VSERVER NAME> -policyName log-rewr-pol -priority 5 -gotoPriorityExpression END -type REQUEST

    Note: When binding an audit policy to a virtual server (via a rewrite policy), the audit server global setting "User configurable Log messages" must be enabled.
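
Because the X-Forwarded-For value is supplied by the client or an upstream proxy, a syslog receiver should validate the logged value before treating it as an address. The following Python sketch is an added example, not Citrix code: it finds the marker text from the sample message action above and checks each comma-separated entry. The syslog prefix in the sample lines is constructed and the function names are hypothetical.

```python
import ipaddress

# Marker text from the sample message action on this page; the expression
# appends the raw header value directly after it (no separator).
MARKER = "X-FORWARDED FOR DETECTED"

# Constructed sample lines; the prefix before the marker is illustrative only.
SAMPLE_LINES = [
    "Jan  1 00:00:00 ns1 rewrite: X-FORWARDED FOR DETECTED203.0.113.7, 198.51.100.2",
    "Jan  1 00:00:01 ns1 rewrite: X-FORWARDED FOR DETECTED2001:db8::1",
    "Jan  1 00:00:02 ns1 rewrite: X-FORWARDED FOR DETECTED203.0.113.9, not-an-ip",
    "Jan  1 00:00:03 ns1 other: unrelated message",
    "Jan  1 00:00:04 ns1 rewrite: X-FORWARDED FOR DETECTED",
]


def parse_xff_log(line):
    """Return (valid_ips, rejected_tokens) for a line carrying the marker,
    or None when the marker is absent."""
    idx = line.find(MARKER)
    if idx < 0:
        return None
    raw = line[idx + len(MARKER):].strip()
    valid, rejected = [], []
    for token in raw.split(","):
        token = token.strip()
        if not token:
            continue
        try:
            # Accepts IPv4 and IPv6 literals; anything else is rejected.
            valid.append(str(ipaddress.ip_address(token)))
        except ValueError:
            rejected.append(token)
    return valid, rejected


def flag_lines(lines):
    """Return (index, reason) for logged headers that need review:
    entries that are not IP literals, or a header with no entries."""
    flagged = []
    for i, line in enumerate(lines):
        parsed = parse_xff_log(line)
        if parsed is None:
            continue
        valid, rejected = parsed
        if rejected:
            flagged.append((i, "non-IP token(s): " + ", ".join(rejected)))
        elif not valid:
            flagged.append((i, "empty header value"))
    return flagged
```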

Additional Information

Citrix eDocs - NetScaler 10 Audit Commands and Configuring the NetScaler Appliance for Audit Logging.