How to send Application Firewall messages to a separate syslog server


Article ID: CTX138973


Description

This article describes how to send Application Firewall messages to a separate Syslog Server.

Requirements

  • A secure file transfer utility such as WinSCP

  • A utility to open an SSH console to the appliance, such as PuTTY

Instructions

Complete the following procedure to send Application Firewall messages to a separate Syslog Server:
  1. Log on to the NetScaler appliance through WinSCP.

  2. Edit the /etc/syslog.conf file and add a line of the form local(next number).* /var/log/appfw.log, for example:
    local5.* /var/log/appfw.log

  3. Run the following command from the command line interface of the appliance to restart the syslog process so that it rereads its configuration, where <PID> is the process ID of that process:
    kill -HUP <PID>

  4. Run the following command from the command line interface to add a syslog action such as sysact1:
    add audit syslogAction sysact1 1.1.1.1 -logLevel ALL -logFacility LOCAL2

  5. Run the following command to add the syspol1 policy, which uses the sysact1 action:
    add audit syslogPolicy syspol1 true sysact1

  6. Run the following command to bind the policy for Application Firewall, and ensure that the binding is saved in the ns.conf file:
    bind audit syslogGlobal -policyName syspol1 -priority 100 -globalBindType APPFW_GLOBAL

All Application Firewall security check violations are now redirected to /var/log/appfw.log and no longer appear in ns.log. You can run the tail command to view the latest entries in /var/log/appfw.log.
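
A way to verify the result of the procedure above, as an added example that is not part of the original article or Citrix code: the script traces the APPFW_GLOBAL binding in a saved configuration to the facility set on its syslog action, then checks that a syslog.conf has a selector for that facility. It assumes the syslog.conf being checked belongs to the syslog daemon that receives those messages; the function names, the sample files and the address 192.0.2.10 are constructed for illustration.

```shell
#!/bin/sh
# Added example: consistency check for the procedure above (not Citrix code).

# appfw_facility <ns.conf>: print, in lowercase, the -logFacility of the
# syslogAction reached through the policy bound with APPFW_GLOBAL.
appfw_facility() {
    awk '
        $1 == "add" && $2 == "audit" && $3 == "syslogAction" {
            for (i = 5; i < NF; i++)
                if ($i == "-logFacility") fac[$4] = tolower($(i + 1))
        }
        $1 == "add" && $2 == "audit" && $3 == "syslogPolicy" { act[$4] = $NF }
        $1 == "bind" && $2 == "audit" && $3 == "syslogGlobal" &&
        /-globalBindType APPFW_GLOBAL/ {
            for (i = 4; i < NF; i++) if ($i == "-policyName") pol = $(i + 1)
        }
        END { if (pol == "" || fac[act[pol]] == "") exit 1; print fac[act[pol]] }
    ' "$1"
}

# facility_target <syslog.conf> <facility>: print the destination of the first
# uncommented "<facility>.*" selector; fail if the file has none.
facility_target() {
    awk -v sel="$2.*" '
        /^[ \t]*#/ { next }
        $1 == sel  { print $2; found = 1; exit }
        END        { exit !found }
    ' "$1"
}

# check_appfw_logging <ns.conf> <syslog.conf>: print a one-line verdict.
check_appfw_logging() {
    fac=$(appfw_facility "$1") || { echo "no APPFW_GLOBAL syslog binding"; return 2; }
    dst=$(facility_target "$2" "$fac") || { echo "MISMATCH: no $fac.* selector"; return 1; }
    echo "OK: $fac -> $dst"
}

# Constructed sample input (not taken from a real appliance).
demo=$(mktemp -d)
cat > "$demo/ns.conf" <<'EOF'
add audit syslogAction sysact1 192.0.2.10 -logLevel ALL -logFacility LOCAL5
add audit syslogPolicy syspol1 true sysact1
bind audit syslogGlobal -policyName syspol1 -priority 100 -globalBindType APPFW_GLOBAL
EOF
printf '%s\n' '# Application Firewall messages' \
    'local5.*    /var/log/appfw.log' > "$demo/syslog.conf"
check_appfw_logging "$demo/ns.conf" "$demo/syslog.conf"
```

A MISMATCH verdict means the messages are sent with a facility that no selector in the checked syslog.conf routes to a file.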
