Security Log Randomly omits login entries on Citrix server

Marisa Stevenson
The Windows Security log randomly omits login attempts to our Citrix server.  

We run a batch job that tracks user logins on our Citrix server (Windows 2008 Server OS) using the Auditlog.exe command:  

DEL C:\CTXLOGON\CITRIXLOGON.LOG
AUDITLOG.EXE /WRITE:C:\CTXLOGON\CITRIXLOGON.LOG /AFTER:3/31/2011

After noticing some logins weren't logged, I checked the Security log via Event Viewer, and confirmed the user was not in the Security log.  I watched this user log in to the Citrix server and invoke Word, so I know a successful login attempt occurred.  This seems to occur randomly.
Carl Webster, Citrix Technology Professional - Fellow
Top Expert 2010

Commented:
Are they connecting directly to this server or via web interface?

Author

Commented:
They are connecting directly.  We also have a remote Citrix server we use for failover, though we had not failed over during this time.  However, it's possible access was routed via the remote server due to load balancing - had not considered that when I posed this question.  I'm going to check whether Event Viewer on the remote server has logged the entries.  If you have other thoughts, please share.  Otherwise I will update (and possibly close) this post once I've checked the other server.
Carl Webster, Citrix Technology Professional - Fellow
Top Expert 2010

Commented:
If they connect directly to the server, load balancing does not come into play.  Is there only this one XenApp server plus the remote one for failover?  

When you say they connect direct, are they connecting via RDC to the server's desktop, are you using a custom ICA file, are you using Program Neighborhood?

I ran the batch job on the remote server and it appears the security log has trapped logins on that server as well (despite not having failed over to it).  Perhaps 'load balance' was the incorrect term.  I'm going to assume this must be the answer - I was looking at the local server, and should have been looking at both, for whatever reason.  Thanks for your help.
Carl Webster, Citrix Technology Professional - Fellow
Top Expert 2010

Commented:
It all depends on how your users connect to servers.  The way it is supposed to work is:

connect to web interface
user enters login credentials
web interface passes credentials to the XML Broker who passes them on to a DC
DC validates credentials
If invalid, login failed msg is displayed
If valid, XML Broker talks to zone data collector (usually one and the same server) and retrieves the list of applications and desktops for that user
Web Interface then displays a customized WI
user clicks an icon
WI goes back to ZDC (and depending on version of PS/XA and HRP level) and will either see if the user has a session on a server and if so connect to that session to run the app and if the user has no existing session, then will ask for the Least Busy Server and run the app from that server.

Author

Commented:
I am amazed at your level of knowledge.  Thanks so very much for your help.
Carl Webster, Citrix Technology Professional - Fellow
Top Expert 2010

Commented:
Nothing to be amazed about.  I'm just little ol' me. :)

Author

Commented:
Appears the remote Citrix server is also trapping logins, perhaps due to load balancing.
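
An added example, not part of the original thread: since a session can be placed on whichever XenApp server is least busy, a logon audit has to combine the Security log exports of every server before concluding that a logon is missing. The CSV layout, host names and accounts below are constructed for illustration and are not AUDITLOG.EXE's output format; event ID 4624 with logon type 10 is assumed to mark the session logons.

```python
import csv
from collections import defaultdict
from datetime import datetime
from io import StringIO

# Constructed sample exports, one per server (hypothetical host names and users).
# Assumed columns: time, event_id, user, logon_type.
EXPORTS = {
    "CTX-LOCAL": """time,event_id,user,logon_type
2011-04-01 08:02:11,4624,CORP\\asmith,10
2011-04-01 08:05:40,4634,CORP\\asmith,10
2011-04-01 09:15:03,4624,CORP\\bjones,10
""",
    "CTX-REMOTE": """time,event_id,user,logon_type
2011-03-30 17:45:00,4624,CORP\\cdavis,10
2011-04-01 08:30:27,4624,CORP\\cdavis,10
2011-04-01 10:01:59,4624,corp\\BJones,10
2011-04-01 10:05:00,4624,CORP\\svc_backup,5
""",
}

LOGON_SUCCESS = "4624"      # "An account was successfully logged on" (Windows 2008+)
REMOTE_INTERACTIVE = "10"   # RemoteInteractive: Terminal Services sessions

def merge_logons(exports, after):
    """Return {user: [(time, server), ...]} for session logons on or after `after`."""
    merged = defaultdict(list)
    for server, text in exports.items():
        for row in csv.DictReader(StringIO(text)):
            if row["event_id"] != LOGON_SUCCESS or row["logon_type"] != REMOTE_INTERACTIVE:
                continue  # skip logoffs, service logons, etc.
            when = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
            if when < after:
                continue
            # Windows account names are case-insensitive, so normalise before grouping.
            merged[row["user"].lower()].append((when, server))
    return {user: sorted(hits) for user, hits in merged.items()}

def missing_from(merged, server):
    """Users who logged on somewhere in the farm but have no entry on `server`."""
    return sorted(u for u, hits in merged.items() if all(s != server for _, s in hits))

if __name__ == "__main__":
    farm = merge_logons(EXPORTS, after=datetime(2011, 3, 31))
    for user, hits in sorted(farm.items()):
        print(user, [(t.isoformat(sep=" "), s) for t, s in hits])
    # Users that a check of the local server alone would report as never logged on.
    print("not in CTX-LOCAL log:", missing_from(farm, "CTX-LOCAL"))
```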
