How to follow a session through NetScaler, to StoreFront to XenApp 6.5 published Applications.

We are moving to Netscaler 11.1 using StoreFront 3.15 with a backend of XenApp 6.5.

I am trying to find the best way/documentation to understand how to follow a session.  It used to be that you used the Secure Gateway logs and the STA logs.  But with the new flow, I am having a hard time finding logs to follow a session from end to end.  Or is this type of logging not on by default and needs to be enabled?  Any help is appreciated.

It will help once I get logging into Splunk for the NetScaler and StoreFront, but as noted until I know what logs are useful and how to get them there, this isn't going to help me.

Once we get this working, will need to complete our new XenApp 7.15 and provision endpoints there from NetScaler and Storefront, so really would like to get a handle on the flow now.

Thanks in advance.
jnordeng Asked:

Sam Jacobs (Director of Technology Development, IPM) Commented:
The NetScaler generates SYSLOG records that you can use to trace a session.
While there are MANY records generated, the ones you are interested in are LOGIN, LOGOUT, LOGIN_FAILED, ICASTART, and ICAEND.
You can either look at them on the NetScaler itself, or send them to Splunk and view them there.
Another very useful tool for debugging is the aaad.debug daemon on the NetScaler, which will give you very detailed logs - in real time! - of user logins. You can see it in action by starting a PuTTY session to the management IP (NSIP) of the primary NetScaler, then shelling out and starting the daemon:
> shell
> cat /tmp/aaad.debug

Stop the daemon by pressing CTRL-C.

jnordeng (Author) Commented:
Awe, good information Sam.  So sounds like you shared exactly what I need for the info.  I'll do some checking and see if I can follow a session.  

Now to get them into Splunk. :)  There is a lot to these for sure :)
Sam Jacobs (Director of Technology Development, IPM) Commented:
For clients that don't want to invest in Splunk, I recommend purchasing a copy of Kiwi Syslog Server (all of $300), and then importing the five record types above into Kiwi. I then parse the records and send the information to SQL. I can then slice and dice historical information (who logged on - and who failed logging on, when, for how long, what applications were launched, etc).
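The parsing step described above, as an added example that is not part of the original post: it pulls the five record types out of syslog text and groups them by user so a session can be followed from logon to logoff. The sample lines are constructed and the field layout is an assumption; check it against your own /var/log/ns.log before relying on the field names.

```python
import re
from collections import defaultdict

# Constructed sample records. The field layout is an assumption modelled on
# NetScaler Gateway audit messages; compare it with your own /var/log/ns.log.
SAMPLE = """\
03/15/2018:14:22:31 GMT ns1 0-PPE-0 : default SSLVPN LOGIN 101 0 : Context jdoe@192.0.2.10 - SessionId: 42 - User jdoe - Client_ip 192.0.2.10 - Vserver 198.51.100.5:443
03/15/2018:14:22:40 GMT ns1 0-PPE-0 : default SSLVPN ICASTART 102 0 : Source 192.0.2.10:51234 - Destination 10.0.0.21:1494 - username:domainname jdoe:CORP - applicationName Notepad - connectionId 81d1
03/15/2018:14:23:02 GMT ns1 0-PPE-0 : default AAA LOGIN_FAILED 103 0 : User asmith - Client_ip 192.0.2.77 - Failure_reason "Invalid credentials passed"
03/15/2018:14:40:11 GMT ns1 0-PPE-0 : default SSLVPN ICAEND 104 0 : Source 192.0.2.10:51234 - Destination 10.0.0.21:1494 - username:domainname jdoe:CORP - Duration 00:17:31 - connectionId 81d1
03/15/2018:14:41:00 GMT ns1 0-PPE-0 : default SSLVPN LOGOUT 105 0 : Context jdoe@192.0.2.10 - SessionId: 42 - User jdoe - Client_ip 192.0.2.10 - Duration 00:18:29
"""

RECORD = re.compile(
    r"(?P<ts>\d\d/\d\d/\d{4}:\d\d:\d\d:\d\d) \S+ (?P<host>\S+) \S+ : \S+ \S+ "
    r"(?P<event>LOGIN_FAILED|LOGIN|LOGOUT|ICASTART|ICAEND\w*) \d+ \d+ : (?P<body>.*)")

def parse(line):
    """Return a dict for one of the five record types, else None."""
    m = RECORD.search(line)
    if not m:
        return None
    rec = {"ts": m["ts"], "host": m["host"], "event": m["event"]}
    for part in m["body"].split(" - "):      # body is "Key value - Key value"
        key, _, val = part.strip().partition(" ")
        rec[key.rstrip(":")] = val.strip('"')
    # LOGIN/LOGOUT/LOGIN_FAILED use "User x"; ICA records "username:domainname x:DOM"
    rec["user"] = rec.get("User") or rec.get("username:domainname", "").split(":")[0]
    return rec

def timelines(text):
    """Group matching records by user, in log order."""
    by_user = defaultdict(list)
    for line in text.splitlines():
        rec = parse(line)
        if rec:
            by_user[rec["user"]].append(rec)
    return dict(by_user)

def summarize(recs):
    """Apps launched, failed logons and gateway session duration for one user."""
    return {
        "apps": [r.get("applicationName") for r in recs if r["event"] == "ICASTART"],
        "failed": sum(r["event"] == "LOGIN_FAILED" for r in recs),
        "duration": next((r.get("Duration") for r in recs if r["event"] == "LOGOUT"), None),
    }

if __name__ == "__main__":
    for user, recs in timelines(SAMPLE).items():
        print(user, [(r["ts"], r["event"]) for r in recs], summarize(recs))
```

Because `parse` uses `search`, a prefix added by the collecting syslog server (its own timestamp or source IP) does not break the match.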
jnordeng (Author) Commented:
Good to know and put on the post.  We already have Splunk in place, so I just have to figure out what to do on the NetScalers to get the logs into it. :)  And yup, we also have Kiwi :)  I think that is how they are doing the F5 logs currently: dumping them to the log server and then putting them in Splunk from there.  Thought was to do something similar, just a matter of what to do to make it happen.  All new to us, our first NetScalers ;)
Sam Jacobs (Director of Technology Development, IPM) Commented:
Good luck ... post back if you have any questions on NetScaler or Kiwi (sorry, can't help with Splunk :)
jnordeng (Author) Commented:
I do have a question :)  The aaad.debug through putty works like a charm. :)  As far as the syslogs, where is the best place on the Netscaler to actually see these?

Thanks
Sam Jacobs (Director of Technology Development, IPM) Commented:
/var/log/ns.log
Sam Jacobs (Director of Technology Development, IPM) Commented:
You can also go through the GUI:
System | Auditing under Audit messages, click System Log.
jnordeng (Author) Commented:
Perfect, thanks.
jnordeng (Author) Commented:
Just throwing this on here, so I did follow the process under Audit to set up Syslog and pointed it to our log server.  This is a Windows box.  My question is, is NetScaler actually pushing files and if so, how does it know where to drop them?  Or is the Syslog server supposed to pull the logs?  I'm not finding any connection from the NetScaler to the log server nor do I find any of the files generated from the NetScaler on the log server.

Looking for more in depth explanation and configuration around this.  

Any insight?

Thanks in advance.
Sam Jacobs (Director of Technology Development, IPM) Commented:
The NetScaler pushes the syslog records. You should be entering the IP address of your syslog server in the auditing settings. I'm driving now, but I could send you some screenshots when I get to my PC.
jnordeng (Author) Commented:
Ok, thanks.  Yes, I was putting in the IP of the syslog server, so was thinking there should be more defined here so it knows where to put them on the Syslog server.

Thanks
Jennifer
Sam Jacobs (Director of Technology Development, IPM) Commented:
All you specify is the server IP, port, and the log levels.
[Image: syslog-settings.jpg]
jnordeng (Author) Commented:
Ok thanks, this is how I have it set.  Guessing there is either a communication issue over this port (checking that) or something on the logging server is expecting something else.  If I may ask, is your logging server Linux or Windows?  How does it know where to actually place your log files?

Thanks
Jennifer
Sam Jacobs (Director of Technology Development, IPM) Commented:
I use Kiwi on Windows (not sure if they have a Linux version).
When you install Kiwi, you set up the destination for the log files.
I actually have multiple log files - one to capture all messages (for debugging purposes), and another set up to filter out only the 5 record types above.
As long as the syslog server is listening on the specified port (default is 514) and not blocked by a firewall, you should be ok.
If you'd like, I can dig up a very simple syslog server program I wrote a few years ago for syslog testing that can be run on any Windows box (even a desktop).
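A minimal test listener along the lines discussed above, added here as an example (it is not the program mentioned in the post): the sender pushes UDP datagrams to the configured port, and the receiving side alone decides which files they land in. The two log file names are hypothetical, and the event pattern assumes the record type is followed by two counters and " : " as in typical ns.log lines.

```python
import re
import socket

# The five record types named earlier in the thread; layout is an assumption.
WANTED = re.compile(r" (LOGIN_FAILED|LOGIN|LOGOUT|ICASTART|ICAEND\w*) \d+ \d+ : ")
PRI = re.compile(r"^<(\d{1,3})>")          # syslog priority = facility * 8 + severity

def classify(datagram):
    """Decode one syslog datagram -> (facility, severity, event or None, text)."""
    text = datagram.decode("utf-8", errors="replace").rstrip("\r\n\x00")
    m = PRI.match(text)
    fac, sev = divmod(int(m.group(1)), 8) if m else (None, None)
    ev = WANTED.search(text)
    return fac, sev, ev.group(1) if ev else None, text

def listen(host="0.0.0.0", port=514, all_log="ns-all.log", session_log="ns-sessions.log"):
    """Receive pushed syslog; write everything to one file, the five types to another."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((host, port))               # fails if another syslog server holds the port
        print(f"listening on udp/{port}")
        while True:
            data, (src, _) = s.recvfrom(8192)
            fac, sev, event, text = classify(data)
            with open(all_log, "a", encoding="utf-8") as f:
                f.write(f"{src} {text}\n")
            if event:
                with open(session_log, "a", encoding="utf-8") as f:
                    f.write(f"{src} {text}\n")
                print(src, event)

if __name__ == "__main__":
    listen()
```

If nothing is printed while a user logs on through the gateway, the datagrams are not reaching the box, which points at the port or a firewall rather than at the syslog server's file settings.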
jnordeng (Author) Commented:
Just wanted to add a comment here for others searching for a solution.  While trying to get this going I did a bit more reading, and Splunk has a plug-in for NetScalers as well, https://docs.splunk.com/Documentation/AddOns/released/CitrixNetScaler/Install for NetScaler 10 & 11.

We won't be able to use at this time as it requires Splunk v 6.6 or higher, and unfortunately we are currently on 6.5.2.  So, maybe a different upgrade in store for us.

Anyway - wanted to share.

Thanks