How to Configure Response Side Policy-Based Logging with Rewrite Feature to have a Centralized log with Frontend and Backend IP Address Information

Article ID: CTX136919

Description

This article describes how to configure response side policy-based logging with the rewrite feature to have a centralized log with frontend and backend IP information.

Background

When NetScaler load balances requests to backend web servers, the client connects to the NetScaler virtual server instead of directly to the backend server. This is the frontend connection.

The NetScaler appliance then uses a MIP/SNIP to connect to the backend server. This is the backend connection.

In some scenarios, an administrator might want a centralized log that records the client IP, VIP, SNIP/MIP, and backend server IP addresses in a single location.

This article demonstrates the procedure for the following topology:

User-added image

Note: The sample commands and output in this article are based on the NetScaler software release 10.0 74.4.

Instructions

To configure response side policy-based logging with the rewrite feature to have a centralized log with frontend and backend IP information, complete the following procedure:
  1. Run the following command to enable the rewrite feature:
    enable ns feature rewrite

  2. Run the following command to define the message format:
    Note: In this example, in addition to the IP addresses of both the frontend and backend connections, the HTTP method and URL are also logged. You can add other necessary information, but there is a length limitation on a syslog entry.
    add audit messageaction connection_log_action INFORMATIONAL "\"Client IP: \"+ CLIENT.IP.SRC+\" VIP: \"+ CLIENT.IP.DST+\" SNIP: \"+ SERVER.IP.DST + \" Server IP: \"+ SERVER.IP.SRC+\" URL: \"+ HTTP.REQ.METHOD+\" \"+ HTTP.REQ.URL" -bypassSafetyCheck YES

  3. Run the following command to add a rewrite policy called connection_log_rewritepol such that the message action will run as long as the HTTP request is valid:
    add rewrite policy connection_log_rewritepol HTTP.REQ.IS_VALID NOREWRITE -logAction connection_log_action

  4. Run the following command to bind the rewrite policy to the corresponding virtual server (response side):
    bind lb vserver vip3 -policyName connection_log_rewritepol -priority 100 -gotoPriorityExpression END -type RESPONSE

  5. If you are sending the syslog to an external server with IP address 192.168.1.131, then run the following command to configure the syslog action and policy. The parameter userDefinedAuditlog is required for policy-based logging (rewrite log action):
    add audit syslogAction syslog_server_131 192.168.1.131 -logLevel ALL -dateFormat DDMMYYYY -userDefinedAuditlog YES
    add audit syslogPolicy syslog_server_131_pol ns_true syslog_server_131

  6. Run the following command to bind the syslog policy at the global level:
    bind system global syslog_server_131_pol -priority 100

Additional Information

Sample screenshot showing the syslog entries received by the syslog server after the client accessed the URLs /showip.php and /test/creation.gif:

User-added image
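
The following Python example is added here and is not part of the original Citrix article. It parses the message body defined in step 2 on the syslog server side and maps each client IP to the backend servers that answered it. The "host msg:" prefix, every address in the sample lines, and the function names are assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Message body built by connection_log_action in step 2. The URL is supplied by
# the client and comes last, so the leftmost match carries the real addresses.
LOG_RE = re.compile(
    r"Client IP: (?P<client>\S+) VIP: (?P<vip>\S+) SNIP: (?P<snip>\S+) "
    r"Server IP: (?P<server>\S+) URL: (?P<method>[A-Z]+) (?P<url>.*)$"
)
ADDR_FIELDS = ("client", "vip", "snip", "server")


def parse_line(line):
    """Return the logged fields as a dict, or None for any other syslog line."""
    m = LOG_RE.search(line.rstrip("\r\n"))
    if m is None:
        return None
    rec = m.groupdict()
    try:
        for field in ADDR_FIELDS:
            # Accept only literal IP addresses in the four address fields.
            rec[field] = str(ipaddress.ip_address(rec[field]))
    except ValueError:
        return None
    return rec


def backends_per_client(lines):
    """Map each client IP to the set of backend server IPs that answered it."""
    seen = defaultdict(set)
    for rec in filter(None, map(parse_line, lines)):
        seen[rec["client"]].add(rec["server"])
    return dict(seen)


# Constructed sample input: the "host msg:" prefix and every address are invented.
SAMPLE = [
    "host msg: Client IP: 10.0.0.25 VIP: 192.168.1.50 SNIP: 192.168.1.60 Server IP: 192.168.1.101 URL: GET /showip.php",
    "host msg: Client IP: 10.0.0.25 VIP: 192.168.1.50 SNIP: 192.168.1.60 Server IP: 192.168.1.102 URL: GET /test/creation.gif",
    "host msg: Client IP: 10.0.0.26 VIP: 192.168.1.50 SNIP: 192.168.1.60 Server IP: 192.168.1.101 URL: GET /a?q=Server IP: 198.51.100.7 URL: GET /x",
    "host msg: unrelated audit entry",
]

if __name__ == "__main__":
    for client, servers in backends_per_client(SAMPLE).items():
        print(client, "->", sorted(servers))
```

Because the URL field is client-supplied text, the third sample line shows that label-like strings inside it stay in the `url` field and do not change the parsed addresses.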