All Apps and Add-ons

Are there any special settings to enable on a citrix netscaler device?


We have set up UDP inputs for syslog data on splunk indexers. We have set up a load balancing pool on a citrix netscaler to forward data to splunk. We are getting messages in splunk from the devices, but they all say "UDP Data" and nothing else.

This is consistent for all devices we are trying to forward via the netscaler. I'm assuming it is a persistence setting or something on the netscaler, but am not sure. Data sent directly to splunk is actual syslog data, is indexed properly and is successfully in searches.

I realize that this is not necessarily an issue with Splunk but I'm hopeful that one of the many Admins out there has worked with these devices before and can provide some helpful advice.


Tags (1)


We were seeing the same problem with NetScaler NS9.2: Build - however we discovered that sending the syslog events to Splunk via the internal interface on the Netscaler resulted in garbled events, however sending via the external interface resulted in sweet, sweet syslog love...

All the best,

Luke 🙂

0 Karma



I'm an SE at Citrix, specialist on NetScaler.
Could you post your NS config and a schema of what you want to do (clients, Vserver, servers)

Thanks in advance



Get Updates on the Splunk Community!

Improve Your Security Posture

Watch NowImprove Your Security PostureCustomers are at the center of everything we do at Splunk and security ...

Maximize the Value from Microsoft Defender with Splunk

 Watch NowJoin Splunk and Sens Consulting for this Security Edition Tech TalkWho should attend:  Security ...

This Week's Community Digest - Splunk Community Happenings [6.27.22]

Get the latest news and updates from the Splunk Community here! News From Splunk Answers ✍️ Splunk Answers is ...