Citrix NetScaler
To integrate Citrix NetScaler events with IBM QRadar, you must configure Citrix NetScaler to forward syslog events.
Procedure
- Using SSH, log in to your Citrix NetScaler device as a root user.
- Type the following command to add a remote syslog server:
add audit syslogAction <ActionName> <IP Address> -serverPort 514 -logLevel Info -dateFormat DDMMYYYY
Where:
<ActionName> is a descriptive name for the syslog server action.
<IP Address> is the IP address or host name of your QRadar Console.
Example: add audit syslogAction action-QRadar 192.0.2.1 -serverPort 514 -logLevel Info -dateFormat DDMMYYYY
- Type the following command to add an audit policy:
add audit syslogPolicy <PolicyName> <Rule> <ActionName>
Where:
<PolicyName> is a descriptive name for the syslog policy.
<Rule> is the rule or expression the policy uses. The only supported value is ns_true.
<ActionName> is a descriptive name for the syslog server action.
Example: add audit syslogPolicy policy-QRadar ns_true action-QRadar
- Type the following command to bind the policy globally:
bind system global <PolicyName> -priority <Integer>
Where:
<PolicyName> is a descriptive name for the syslog policy.
<Integer> is a number value that is used to rank message priority for multiple policies that are communicating by using syslog.
Example: bind system global policy-QRadar -priority 30
When multiple policies have a priority (a number value that is assigned to each of them), the policy with the lower number value is evaluated before the policy with the higher number value.
- Type the following command to save the Citrix NetScaler configuration:
save config
- Type the following command to verify that the policy is saved in your configuration:
sh system global
Note: For information on configuring syslog by using the Citrix NetScaler user interface, see http://support.citrix.com/article/CTX121728 or your vendor documentation.
The configuration is complete. The log source is added to QRadar as Citrix NetScaler events are automatically discovered. Events that are forwarded by Citrix NetScaler are displayed on the Log Activity tab of QRadar.
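The procedure only forwards events if the action, the policy, and the global binding all reference each other by the same names. The following check is an added example, not IBM or Citrix code: it walks that chain over configuration text and reports a missing link or a value that differs from the procedure. It assumes the commands are available as text in the form shown on this page; `check_syslog_chain`, `options`, `EXPECTED`, and `SAMPLE` are hypothetical names.

```python
import shlex

# Constructed sample: the three example commands from the procedure.
SAMPLE = """\
add audit syslogAction action-QRadar 192.0.2.1 -serverPort 514 -logLevel Info -dateFormat DDMMYYYY
add audit syslogPolicy policy-QRadar ns_true action-QRadar
bind system global policy-QRadar -priority 30
"""

# Option values the procedure tells you to type for the syslog action.
EXPECTED = {"serverPort": "514", "logLevel": "Info", "dateFormat": "DDMMYYYY"}


def options(tokens):
    """Turn ['-serverPort', '514', ...] into {'serverPort': '514', ...}."""
    return {k.lstrip("-"): v for k, v in zip(tokens[::2], tokens[1::2])}


def check_syslog_chain(config_text, qradar_host):
    """Return a list of problems; an empty list means the chain is complete."""
    actions, policies, bound = {}, {}, set()
    for line in config_text.splitlines():
        t = shlex.split(line)
        if t[:3] == ["add", "audit", "syslogAction"] and len(t) >= 5:
            actions[t[3]] = {"server": t[4], **options(t[5:])}
        elif t[:3] == ["add", "audit", "syslogPolicy"] and len(t) >= 6:
            policies[t[3]] = {"rule": t[4], "action": t[5]}
        elif t[:3] == ["bind", "system", "global"] and len(t) >= 4:
            bound.add(t[3])
    problems = []
    targets = [n for n, a in actions.items() if a["server"] == qradar_host]
    if not targets:
        problems.append(f"no syslogAction forwards to {qradar_host}")
    for name in targets:
        for opt, want in EXPECTED.items():
            if actions[name].get(opt) != want:
                problems.append(f"{name}: -{opt} is not {want}")
        feeding = [p for p, v in policies.items() if v["action"] == name]
        if not feeding:
            problems.append(f"{name}: no syslogPolicy references this action")
        for p in feeding:
            if policies[p]["rule"] != "ns_true":
                problems.append(f"{p}: rule is not ns_true")
            if p not in bound:
                problems.append(f"{p}: policy is not bound globally")
    return problems


if __name__ == "__main__":
    print(check_syslog_chain(SAMPLE, "192.0.2.1") or "syslog chain complete")
```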