jnordeng
 asked on

How to follow a session through NetScaler, to StoreFront to XenApp 6.5 published Applications.

We are moving to Netscaler 11.1 using StoreFront 3.15 with a backend of XenApp 6.5.

Trying to find the best way/documentation to understand the best way to follow a session. It used to be to use the Secure Gateway logs and the STA logs. But with the new flow, having a hard time finding logs to follow a session from end to end. Or, is this type of logging not on by default and needs to be enabled? Any help is appreciated.

It will help once I get logging into Splunk for the NetScaler and StoreFront, but as noted until I know what logs are useful and how to get them there, this isn't going to help me.

Once we get this working, will need to complete our new XenApp 7.15 and provision endpoints there from NetScaler and Storefront, so really would like to get a handle on the flow now.

Thanks in advance.
NetScaler* XenApp* StoreFront


8/22/2022 - Mon
ASKER CERTIFIED SOLUTION
Sam Jacobs

THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
jnordeng

ASKER
Awe, good information Sam.  So sounds like you shared exactly what I need for the info.  I'll do some checking and see if I can follow a session.  

Now to get them into Splunk. :)  There is a lot to these for sure :)
Sam Jacobs

For clients that don't want to invest in Splunk, I recommend purchasing a copy of Kiwi Syslog Server (all of $300), and then importing the five record types above into Kiwi. I then parse the records and send the information to SQL. I can then slice and dice historical information (who logged on - and who failed logging on, when, for how long, what applications were launched, etc).
jnordeng

ASKER
Good to know and put on the post. We already have Splunk in place, so I just have to figure out what to do on the NetScalers to get the logs into it. :) And yup, we also have Kiwi :) I think that is how they are doing the F5 logs currently: dumping them to the log server and then putting them in Splunk from there. Thought was to do something similar, just a matter of what to do to make it happen. All new to us, our first NetScalers ;)
Sam Jacobs

Good luck ... post back if you have any questions on NetScaler or Kiwi (sorry, can't help with Splunk :)
jnordeng

ASKER
I do have a question :)  The aaad.debug through putty works like a charm. :)  As far as the syslogs, where is the best place on the Netscaler to actually see these?

Thanks
Sam Jacobs

/var/log/ns.log
Sam Jacobs

You can also go through the GUI:
System | Auditing under Audit messages, click System Log.
jnordeng

ASKER
Perfect, thanks.
jnordeng

ASKER
Just throwing this on here, so I did follow the process under Audit to set up Syslog and pointed it to our log server. This is a Windows box. My question is: is NetScaler actually pushing files, and if so, how does it know where to drop them? Or is the Syslog server supposed to pull the logs? I'm not finding any connection from the NetScaler to the log server, nor do I find any of the files generated from the NetScaler on the log server.

Looking for more in depth explanation and configuration around this.  

Any insight?

Thanks in advance.
Sam Jacobs

The NetScaler pushes the syslog records. You should be entering the IP address of your syslog server in the auditing settings. I'm driving now, but I could send you some screenshots when I get to my PC.
jnordeng

ASKER
Ok, thanks.  Yes, I was putting in the IP of the syslog server, so was thinking there should be more defined here so it knows where to put them on the Syslog server.

Thanks
Jennifer
Sam Jacobs

All you specify is the server IP, port, and the log levels.
[Attachment: syslog-settings.jpg]
jnordeng

ASKER
Ok thanks, this is how I have it set.  Guessing there is either a communication issue over this port (checking that) or something on the logging server is expecting something else.  If I may ask, is your logging server Linux or Windows?  How does it know where to actually place your log files?

Thanks
Jennifer
Sam Jacobs

I use Kiwi on Windows (not sure if they have a Linux version).
When you install Kiwi, you set up the destination for the log files.
I actually have multiple log files - one to capture all messages (for debugging purposes), and another set up to filter out only the 5 record types above.
As long as the syslog server is listening on the specified port (default is 514) and not blocked by a firewall, you should be ok.
If you'd like, I can dig up a very simple syslog server program I wrote a few years ago for syslog testing that can be run on any Windows box (even a desktop).
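
A minimal test listener for the check discussed in this thread, confirming that the records the NetScaler pushes actually reach the log server. This is an added example, not Sam Jacobs's program or any code from the original thread. It assumes syslog over UDP on port 514, and the function names are illustrative.

```python
import re
import socket

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
PRI_RE = re.compile(rb"^<(\d{1,3})>")  # syslog priority header, e.g. <134>

def parse_pri(datagram: bytes):
    """Split a syslog datagram into (facility, severity_name, message)."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:
        # No valid priority header: keep the raw text so nothing is lost.
        return None, None, datagram.decode("utf-8", "replace").strip()
    pri = int(m.group(1))
    text = datagram[m.end():].decode("utf-8", "replace").strip()
    # PRI = facility * 8 + severity
    return pri >> 3, SEVERITIES[pri & 7], text

def open_listener(host="0.0.0.0", port=514):
    """Bind a UDP socket; the sender only needs this IP and port."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    return sock

def receive(sock, count, timeout=5.0):
    """Collect up to `count` records as (source_ip, facility, severity, message)."""
    sock.settimeout(timeout)
    records = []
    try:
        while len(records) < count:
            data, (src, _port) = sock.recvfrom(65535)
            records.append((src, *parse_pri(data)))
    except socket.timeout:
        pass  # nothing arrived in time: check firewall rules and the audit policy
    return records

if __name__ == "__main__":
    with open_listener() as s:
        print("listening on UDP 514; Ctrl+C to stop")
        while True:
            for src, fac, sev, msg in receive(s, 1, timeout=60):
                print(f"{src} facility={fac} severity={sev} {msg}")
```

Only one process can bind the port, so stop any other syslog service on the box while testing. If nothing prints while sessions are being launched, the records are being dropped before they reach the server rather than misfiled on it.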
jnordeng

ASKER
Just wanted to add a comment here for others searching for a solution. While trying to get this going, did a bit more reading, and Splunk has a plug-in for NetScalers as well, https://docs.splunk.com/Documentation/AddOns/released/CitrixNetScaler/Install for NetScaler 10 & 11.

We won't be able to use at this time as it requires Splunk v 6.6 or higher, and unfortunately we are currently on 6.5.2.  So, maybe a different upgrade in store for us.

Anyway - wanted to share.

Thanks