Citrix and audit logs

pma111
1) Does Citrix have its own event log catalogue entry in Computer Management > System Tools > Event Viewer?

2) Or is a user logging in to that server via their Citrix client on their desktop just logged in the normal Windows logs, i.e. Security? I.e. no special logs for Citrix, a login is classed the same regardless of remote/local/via Citrix?

3) Is there a specific event ID for a login to a Citrix server via whatever client they use?

4) Also, I think we have 2 Citrix environments based on departments. Would these be 2 "farms"? Where can you see which servers are in which farm? I believe the Citrix servers run on top of Server 2003, if that makes any difference.
Senior Consultant
Commented:
1) No, it is the OS event viewer.

2) Logs are the normal logs in the Windows event viewer no matter how the login happens - normal, Citrix or Terminal Services.

3) I am not aware of a specific event ID.

4) How do you classify 2 Citrix environments based on departments? 2 Citrix environments, both being XenApp, should mean two farms in Citrix terminology. However, in your case you can open the Delivery Services Console on one server from each of the environments you think are distinct. The farm name will appear as a node. If they are different then this means they are two different farms. Another way is to open 'CMD' on one of the servers and run 'qfarm'. If all the server names appear (including those you suspect are in the other environment) then they are actually in one farm.

Author

Commented:
Re 1/2, is this still dependent on what is set at domain/local level then, regarding audit policies?

I.e. the options set at:

http://technet.microsoft.com/en-us/library/dd941595(v=ws.10).aspx

I.e. if they are set via local security policy or as part of a domain policy they will be captured, if not they won't be?

Is it resultant set of policy that considers whether the policy was set at either local or domain level, if at all?
1. No Citrix event log is there.
2. Yes, it uses the default Security log.
3. I don't think it has a specific event ID for logon; it has the same Windows logon event.
4. You can use Resource Manager: select the farm, and under the farm will be the servers; expand the server node and it will list the servers of that farm.
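
As an added illustration of the answers above (not code from any poster in this thread): because Citrix logons land in the ordinary Windows Security log, this Python sketch filters exported logon events for remote interactive sessions and maps each user to servers and farms. The CSV columns, server names and farm names are constructed; it assumes ICA sessions are recorded with logon type 10 like Terminal Services sessions, that logon auditing is enabled by policy, and that the server-to-farm mapping was collected separately (for example from qfarm).

```python
import csv
import io
from collections import defaultdict

# Windows successful-logon events: 528 on Server 2003, 4624 on Server 2008+.
LOGON_EVENT_IDS = {528, 4624}
# Logon type 10 = RemoteInteractive (Terminal Services style session).
REMOTE_INTERACTIVE = 10

# Constructed sample of Security-log rows exported from three servers.
# Column names are hypothetical, not a real export format.
SAMPLE_CSV = """server,event_id,logon_type,user,source_ip
CTX-FIN-01,528,10,CORP\\alice,10.1.4.21
CTX-FIN-01,540,3,CORP\\svc_backup,10.1.9.5
CTX-FIN-02,528,10,CORP\\bob,10.1.4.37
CTX-HR-01,528,10,CORP\\alice,10.1.4.21
CTX-HR-01,538,10,CORP\\alice,10.1.4.21
CTX-HR-01,528,2,CORP\\localadmin,
"""

# Constructed server-to-farm inventory (assumed to come from qfarm per farm).
FARM_OF = {"CTX-FIN-01": "FinanceFarm", "CTX-FIN-02": "FinanceFarm",
           "CTX-HR-01": "HRFarm"}

def remote_logons(csv_text):
    """Return {server: sorted users} for remote interactive logon events."""
    by_server = defaultdict(set)
    for row in csv.DictReader(io.StringIO(csv_text)):
        if int(row["event_id"]) not in LOGON_EVENT_IDS:
            continue  # 540 is a network logon, 538 a logoff on Server 2003
        if int(row["logon_type"]) != REMOTE_INTERACTIVE:
            continue  # type 2 is a console logon, not a remote session
        by_server[row["server"]].add(row["user"])
    return {srv: sorted(users) for srv, users in by_server.items()}

def farms_for_user(csv_text, user, farm_of):
    """Return the sorted farm names on which `user` opened a remote session."""
    logons = remote_logons(csv_text)
    return sorted({farm_of.get(srv, "unknown")
                   for srv, users in logons.items() if user in users})

if __name__ == "__main__":
    print(remote_logons(SAMPLE_CSV))
    print(farms_for_user(SAMPLE_CSV, "CORP\\alice", FARM_OF))
```

If the audit policy does not record logon events on a server, that server simply contributes no rows, so an empty result is not evidence that nobody connected.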
Author

Commented:
How could you see which user connects to which farm? I.e. if you just have a list of usernames, where would you begin to look to see which farm this user connects to?
Yes, the policy set at domain\local will be applied to the Citrix server too; there is no specific policy for Citrix auditing.
EdgeSight can be used for that; under the Plan and Manage tab you can get the reports.

http://support.citrix.com/proddocs/topic/edgesight53/es-manage.html

Author

Commented:
Is EdgeSight a part of the Citrix installation, i.e. will every Citrix admin have it?

If you have more than one Citrix farm and EdgeSight, can you show a sample report showing which users are permitted to access which farm?

Author

Commented:
Is Resource Manager sort of a central tool which will show all farms in the environment, or is there a Resource Manager per farm?
Ayman Bakr, Senior Consultant

Commented:
There is a Resource Manager per farm.

You are entitled to EdgeSight if you have the Platinum edition. If not, then you can purchase the EdgeSight licenses separately.

Author

Commented:
How could one see from the outside how many farms there are in an environment? If you went in to a network how could you see that?

Author

Commented:
How many servers do you typically have in 1 farm?
Ayman Bakr, Senior Consultant

Commented:
You need to know the servers available for Citrix: either you know them by heart or by looking, for example, at their naming conventions. If not, then you will have to do an inventory to see which servers have XenApp installed.

Knowing the servers then, as I told you previously, with qfarm run in a command prompt, all the member servers of the farm will be listed. This list of servers will form one farm, implying that if you see certain servers not listed then they will be in another farm.

An alternative way is to check the Delivery Services Console for each server (perhaps doing so is more tedious), where the farm will appear.

MF20.dsn is another indicator. Within that file is the data store instance name. A different DB most probably means a different farm (it can mean a different zone within the same farm).

Author

Commented:
OK thanks. Just as a crash course on the infrastructure/architecture of a Citrix farm: what falls within that farm, i.e. what is it made up of, and is there a higher level than farm? Or is farm the top level and everything falls within?

Author

Commented:
PS - are there any Citrix management tools that can show which users are logged into which servers in your farm at any given time? Numbers and names? What tool would be used for that, is this a feature in Resource Manager?
Ayman Bakr, Senior Consultant

Commented:
A Citrix farm consists of the following:
1. One or more zones (can be, but not exactly, likened to a site in a Microsoft environment)
2. One License server
3. One Database server (in some designs you can have one database for all your zones; in other designs you can have one database for each zone)
4. One Data Collector in each zone (only one Data Collector can serve in a zone, and each zone has to have a data collector. You can, though, make a backup data collector in each zone)
5. XenApp servers (session hosts) hosting your applications
6. Web Interface server hosting your web sites and services sites.

With the above said, the farm is a management boundary for all your environment consisting of the above servers.

With Windows 2003 servers, this means you have XenApp 5.0 or Presentation Server 4.5 environments. You can find which users are logged on to which servers using the Citrix Delivery Services Console. However, the console is limited in its view and reporting capability. Yes, you can use the Resource Manager to draw more detailed reports (number of users, names of users, on what servers). A more sophisticated and thus much better tool to draw on reports and get trend results (using history details and frequency) is EdgeSight.

Author

Commented:
Thanks so much. Re zones, why the need for multiple zones? Can you explain?

Author

Commented:
Re 1-6, could you give a one-liner manager's brief on what each actually does? The names of some are self-explanatory, others not so... Thank you!!
Ayman Bakr, Senior Consultant

Commented:
You create multiple zones if the following conditions apply:
1. You have two or more sites
2. The sites have the same number of servers as in the main site
3. You have high-bandwidth site links

The rule of thumb is that you should have no more than 5 zones. The fewer the better.
Ayman Bakr, Senior Consultant

Commented:
1. Zone: to manage sites and inter-site links

2. License Server: provides licenses for XenApp servers and user sessions. XenApp servers request and receive a startup license on start-up. For each subsequent session the XenApp server requests a license from the license server on behalf of the client.

3. DataStore database: contains all the farm data, configuration, worker groups, XenApp servers, admins, load evaluators, policies etc.

4. Data Collector: manages dynamic updates in the farm including connected sessions, disconnected sessions, resolutions and server loads. Usually also configured as XML broker for the farm to handle authentication, application enumeration and finding the least loaded session host.

5. XenApp (session host): hosts published applications and provides the session to the users.

6. Web Interface server: provides the interface to the applications for your users.

This is all on the infrastructure part. Then there is the client side where each client needs to have the ICA client (plugin).
