It's not so easy to link a Citrix Netscaler WAF / LB to the Splunk log management system and display the logs as mentioned in the Splunk documentation. I spent more time than I thought I would. There is no explanation for this procedure in the documentation.
I will describe my own way.
If you think it will be enough to apply the whole procedure in the link, you are completely wrong. No logs, no definitions.
http://support.citrix.com/article/CTX132533
Here is my procedure:
- Splunk 5.0.4, build 172409
- Citrix Netscaler NS9.3: Build 50.3.nc
1- Create the correct rule in Netscaler. Note that the port is 8514.
2- Create the Audit policy and link it with the server that we just created. After that, link it with the Global Policy, which does not appear in the screen capture.
3- Create an Index in Splunk.
4- Create a "Data Input" in Splunk.
5- Enter the same information as below.
6- Download the Splunk App for Netscaler and install it in Splunk.
7- Now you should see the first logs.
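If step 7 shows nothing, it helps to check the path on port 8514 independently of Splunk. The script below is an added example, not part of the original procedure or of either product: it listens for one syslog datagram and decodes its priority, and can also send a constructed test event to the Splunk input. It assumes the Netscaler sends syslog over UDP (the post does not state the transport); the function names and the test message are made up for illustration.

```python
import socket

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

def build_syslog(facility, severity, host, tag, text):
    """Build a BSD-syslog style datagram; PRI = facility * 8 + severity."""
    pri = facility * 8 + severity
    return f"<{pri}>Jan  1 00:00:00 {host} {tag}: {text}".encode("ascii")

def parse_pri(datagram):
    """Return (facility, severity_name, rest); raise ValueError on a bad <PRI>."""
    if not datagram.startswith(b"<"):
        raise ValueError("missing <PRI> header")
    end = datagram.find(b">", 1, 5)  # PRI is at most three digits
    if end == -1 or not datagram[1:end].isdigit():
        raise ValueError("malformed <PRI> header")
    pri = int(datagram[1:end])
    if pri > 191:
        raise ValueError("PRI out of range")
    rest = datagram[end + 1:].decode("ascii", "replace")
    return pri // 8, SEVERITIES[pri % 8], rest

def open_listener(bind_addr="0.0.0.0", port=8514, timeout=30.0):
    """Open a UDP socket on the port used in step 1 (assumed UDP)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    sock.bind((bind_addr, port))
    return sock

def receive_one(sock):
    """Wait for one datagram; return (sender_ip, facility, severity, text)."""
    data, (ip, _port) = sock.recvfrom(8192)
    facility, severity, text = parse_pri(data)
    return ip, facility, severity, text

def send_test(dest, port=8514, text="constructed test event"):
    """Send one constructed local0.info event, e.g. to the Splunk data input."""
    msg = build_syslog(16, 6, "ns-test", "probe", text)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.sendto(msg, (dest, port))
    return msg

if __name__ == "__main__":
    # Disable the Splunk data input first: only one process can bind the port.
    with open_listener() as sock:
        try:
            print(receive_one(sock))
        except socket.timeout:
            print("nothing received on 8514: check policy binding and firewall")
```

Run it on the Splunk host with the data input disabled to confirm the Netscaler is sending at all; with the input enabled, call `send_test()` from another machine and search the index from step 3 for the test event.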

 