AlienVault® USM Anywhere™

Citrix NetScaler

When you configure Citrix NetScaler to send log data to USM Anywhere, you can use the Citrix NetScaler plugin to translate the raw log data into normalized events for analysis.

Device Details

  Vendor:          Citrix
  Device Type:     Load Balancer
  Connection Type: Syslog

Integrating Citrix NetScaler

Before you configure the Citrix NetScaler integration, you must have the IP address of the USM Anywhere Sensor.

To configure Citrix NetScaler to send log data to USM Anywhere

  1. Log in to NetScaler and select Configuration from the top menu.
  2. In the navigation pane, expand the System node, then the Auditing node.
  3. Click Syslog.
  4. In the right pane, add a new auditing server:

    1. On the Servers tab, click Add.
    2. In the Auditing Type field, SYSLOG is selected by default.
    3. In IP Address, enter the IP address of the USM Anywhere Sensor.
    4. In Port Number, enter 514.
    5. In Log Levels, select All.
    6. From the Log Facility list, select the appropriate facility.
    7. In Date Format, choose MMDDYYYY.
    8. For Time Zone, select GMT.
    9. Select TCP Logging or ACL Logging.

      Note: AlienVault supports both options, but TCP Logging uses fewer resources.

    10. Click Create.
  5. Add a policy for the new auditing server:

    1. On the Policies tab, click Add.
    2. In the Auditing Type field, SYSLOG is selected by default.
    3. In Server, select the server created in Step 4.
    4. Click Create.
  6. Bind the policy globally:

    1. On the Policies tab, click Action and select Classic Policy Global Bindings.
    2. Select the policy created in Step 5.
    3. Click Bind and then Done.
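
To confirm that the settings from step 4 took effect, the following added example (not AlienVault or Citrix code) checks a captured syslog line for the MMDDYYYY date format, the GMT time zone, and the facility you selected. The line layout, the sample lines, and the names `check_line`, `GOOD` and `BAD` are assumptions made for this example.

```python
import re
from datetime import datetime, timezone

# Assumed layout of a NetScaler syslog line (not taken from the page):
#   <PRI> MM/DD/YYYY:HH:MM:SS GMT hostname ...
LINE_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>\s*(?P<date>\d{2,4}/\d{2}/\d{2,4}):"
    r"(?P<time>\d{2}:\d{2}:\d{2})\s+(?P<tz>\S+)\s+(?P<host>\S+)"
)

def check_line(line, expected_facility=None):
    """Return (fields, problems) for one raw syslog line."""
    m = LINE_RE.match(line)
    if not m:
        return None, ["line does not match the assumed layout"]
    pri = int(m["pri"])
    # Standard syslog PRI: facility * 8 + severity (local0 is facility 16).
    fields = {"facility": pri // 8, "severity": pri % 8, "host": m["host"]}
    problems = []
    if expected_facility is not None and fields["facility"] != expected_facility:
        problems.append(f"facility {fields['facility']}, expected {expected_facility}")
    first = m["date"].split("/")[0]
    if len(first) == 4:
        problems.append("date is year-first, expected MMDDYYYY")
    elif int(first) > 12:
        # A first field of 12 or less is ambiguous, so check several lines.
        problems.append("date is day-first, expected MMDDYYYY")
    if m["tz"] != "GMT":
        problems.append(f"time zone token {m['tz']!r}, expected GMT")
    if not problems:
        try:
            ts = datetime.strptime(f"{m['date']} {m['time']}", "%m/%d/%Y %H:%M:%S")
            fields["timestamp_utc"] = ts.replace(tzinfo=timezone.utc).isoformat()
        except ValueError:
            problems.append("timestamp is not a valid MM/DD/YYYY date")
    return fields, problems

# Constructed sample lines (documentation addresses, hypothetical host name).
GOOD = ("<134> 03/25/2024:14:05:09 GMT ns-lb01 0-PPE-0 : default TCP "
        "CONN_TERMINATE 1001 0 : Source 192.0.2.10:51514 - Destination 198.51.100.5:443")
BAD = "<134> 25/03/2024:14:05:09 CET ns-lb01 0-PPE-0 : default TCP CONN_TERMINATE 1002 0"

if __name__ == "__main__":
    for sample in (GOOD, BAD):
        print(check_line(sample, expected_facility=16))
```

Run it against lines captured on the network path to the sensor; a non-empty problem list points back to the Date Format, Time Zone or Log Facility fields of the auditing server.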

Plugin Enablement

For plugin enablement information, see Manual Plugin Management.

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • app_name
  • audit_reason
  • bytes_in
  • bytes_out
  • destination_address
  • destination_nat_address
  • destination_username
  • duration
  • event_description
  • event_name
  • event_outcome
  • event_severity
  • rep_device_address
  • rep_device_hostname
  • request_url
  • security_group_name
  • source_address
  • source_port
  • source_process_commandline
  • timestamp_occured

Troubleshooting

For troubleshooting, refer to the vendor documentation:

How to Configure Syslog on a NetScaler Appliance

Configuring the NetScaler Appliance for Audit Logging