Re: does Log Server support Netscaler ?

Posted: Wed Sep 20, 2017 10:27 am
by cdienger
Edit the input entry to look like:

Code:

syslog {
    type => "netscaler"
    port => "5560"
}
and then add a filter:

Code:

if [type] == 'netscaler' {
    grok {
        break_on_match => true
        match => [
            "message", "<%{POSINT:syslog_pri}> %{DATE_US}:%{TIME} GMT %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:netscaler_message} : %{DATA} %{IP:source_ip}:%{POSINT:source_port} - %{DATA} %{IP:vserver_ip}:%{POSINT:vserver_port} - %{DATA} %{IP:nat_ip}:%{POSINT:nat_port} - %{DATA} %{IP:destination_ip}:%{POSINT:destination_port} - %{DATA} %{DATE_US:DELINK_DATE}:%{TIME:DELINK_TIME} GMT - %{DATA} %{POSINT:total_bytes_sent} - %{DATA} %{POSINT:total_bytes_recv}",
            "message", "<%{POSINT:syslog_pri}> %{DATE_US}:%{TIME} GMT %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:netscaler_message} : %{DATA} %{IP:source_ip}:%{POSINT:source_port} - %{DATA} %{IP:destination_ip}:%{POSINT:destination_port} - %{DATA} %{DATE_US:START_DATE}:%{TIME:START_TIME} GMT - %{DATA} %{DATE_US:END_DATE}:%{TIME:END_TIME} GMT - %{DATA} %{POSINT:total_bytes_sent} - %{DATA} %{POSINT:total_bytes_recv}",
            "message", "<%{POSINT:syslog_pri}> %{DATE_US}:%{TIME} GMT %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:netscaler_message} : %{DATA} %{INT:netscaler_spcbid} - %{DATA} %{IP:clientip} - %{DATA} %{INT:netscaler_client_port} - %{DATA} %{IP:netscaler_vserver_ip} - %{DATA} %{INT:netscaler_vserver_port} %{GREEDYDATA:netscaler_message} - %{DATA} %{WORD:netscaler_session_type}",
            "message", "<%{POSINT:syslog_pri}> %{DATE_US}:%{TIME} GMT %{SYSLOGHOST:syslog_hostname} %{GREEDYDATA:netscaler_message}"
        ]
    }
}
This should take care of the verify problem and work better for filtering the netscaler messages. Just point the netscaler to send logs on port 5560 to NLS.
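As an added example (not from this thread or from Nagios Log Server), the Python below expands two of the grok patterns above into regular expressions using simplified pattern definitions of my own and runs them over constructed NetScaler-style lines, so you can see which fields a matching line yields and which lines would end up tagged _grokparsefailure before you load the filter.

```python
import re

# Simplified grok pattern library for the names the post's filter uses (an assumption
# of this example; the real logstash-patterns-core definitions are stricter).
BASE = {
    "POSINT": r"\b(?:[1-9][0-9]*)\b", "INT": r"(?:[+-]?[0-9]+)", "WORD": r"\b\w+\b",
    "DATA": r".*?", "GREEDYDATA": r".*",
    "IP": r"(?:[0-9]{1,3}\.){3}[0-9]{1,3}",
    "SYSLOGHOST": r"[0-9A-Za-z][0-9A-Za-z.-]*",
    "DATE_US": r"(?:0?[1-9]|1[0-2])[/-](?:0[1-9]|[12][0-9]|3[01]|[1-9])[/-](?:\d\d){1,2}",
    "TIME": r"(?:2[0-3]|[01]?[0-9]):[0-5][0-9](?::(?:[0-5]?[0-9]|60)(?:[:.,][0-9]+)?)?",
}

def grok_to_regex(pattern):
    """Expand %{NAME:field} to a named group and %{NAME} to a plain group."""
    def repl(m):
        name, field = m.group(1), m.group(2)
        return f"(?P<{field}>{BASE[name]})" if field else f"(?:{BASE[name]})"
    return re.compile(re.sub(r"%\{(\w+)(?::(\w+))?\}", repl, pattern))

# The post's second (TCP session) and fourth (catch-all) patterns, tried in order as
# break_on_match does. The third one names netscaler_message twice, which Oniguruma
# accepts but Python's re rejects, so it is left out here.
NETSCALER_PATTERNS = [
    "<%{POSINT:syslog_pri}> %{DATE_US}:%{TIME} GMT %{SYSLOGHOST:syslog_hostname} "
    "%{GREEDYDATA:netscaler_message} : %{DATA} %{IP:source_ip}:%{POSINT:source_port} - "
    "%{DATA} %{IP:destination_ip}:%{POSINT:destination_port} - "
    "%{DATA} %{DATE_US:START_DATE}:%{TIME:START_TIME} GMT - "
    "%{DATA} %{DATE_US:END_DATE}:%{TIME:END_TIME} GMT - "
    "%{DATA} %{POSINT:total_bytes_sent} - %{DATA} %{POSINT:total_bytes_recv}",
    "<%{POSINT:syslog_pri}> %{DATE_US}:%{TIME} GMT %{SYSLOGHOST:syslog_hostname} "
    "%{GREEDYDATA:netscaler_message}",
]

def grok_event(message):
    """First matching pattern wins; a line matching none gets the _grokparsefailure tag."""
    for pattern in NETSCALER_PATTERNS:
        m = grok_to_regex(pattern).search(message)
        if m:
            return {"message": message, **m.groupdict(), "tags": []}
    return {"message": message, "tags": ["_grokparsefailure"]}

# Constructed sample lines in NetScaler's syslog layout, not real device output.
SAMPLES = [
    "<134> 09/20/2017:14:05:23 GMT ns01 0-PPE-0 : default TCP CONN_TERMINATE 12345 0 : "
    "Source 10.1.2.3:51515 - Destination 10.9.8.7:443 - Start Time 09/20/2017:14:05:01 GMT"
    " - End Time 09/20/2017:14:05:23 GMT - Total_bytes_send 1024 - Total_bytes_recv 2048",
    '<134> 09/20/2017:14:05:24 GMT ns01 0-PPE-0 : default SSLVPN Message 100 0 : "user logged in"',
    "garbage with no syslog header",
]
```

Note that the `_grokparsefailure_sysloginput` tag is set by the syslog input plugin's own built-in RFC3164 parsing, not by a grok filter like this one; a plain tcp or udp input does no such parsing, so swapping the input type avoids that tag entirely.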

Re: does Log Server support Netscaler ?

Posted: Wed Sep 20, 2017 11:24 am
by gornm565
I did that, verified and applied the configuration. I am seeing all the "events" show up with the tag _grokparsefailure_sysloginput.
What am I doing wrong?

Re: does Log Server support Netscaler ?

Posted: Wed Sep 20, 2017 2:46 pm
by mcapra
You might try switching from the syslog input plugin to something like tcp:

Code:

tcp {
    type => "netscaler"
    port => "5560"
}

Re: does Log Server support Netscaler ?

Posted: Wed Sep 20, 2017 3:04 pm
by gornm565
Shouldn't it be udp then? I think udp is the default for syslog.
mcapra wrote: You might try switching from the syslog input plugin to something like tcp:

Code:

tcp {
    type => "netscaler"
    port => "5560"
}

Re: does Log Server support Netscaler ?

Posted: Wed Sep 20, 2017 5:05 pm
by tmcdonald
Typically yes, syslog is sent over UDP. But I have found some documentation that seems to suggest NetScaler devices may be sending over TCP - http://docs.citrix.com/en-us/netscaler/ ... yslog.html

Give it a shot, and if it does not work we can keep troubleshooting.