
Getting NetScaler Data In

hectorvp
Communicator

Hello Splunkers,

We need to fetch events from NetScaler devices.

After investigation I found that NetScaler can be configured to send events in syslog format.

I had read somewhere that in order to fetch such events it is better to use one syslog server and install a UF on it to monitor and send the events written by the syslog server.

However, I saw there is an add-on named "Splunk add-on for Netscaler Citrix". If we use this add-on on our HF or indexer and search head, and send events directly from the NetScaler device to the indexer/HF, will it work effectively and will it be reliable?

Or do we need a syslog server in any case (installing a UF on top of the syslog server)?

And if we send events directly from NetScaler to the indexer, I guess we may not need a UF anywhere (does the add-on help us here in any way)?

What should the approach be here?

In the documentation I saw we can install the add-on on a UF as well, but what is that for?

PS: I'm new to NetScaler and quite a beginner with Splunk as well.

1 Solution

richgalloway
SplunkTrust

Yes, heavy forwarders can receive data via UDP, but it is not advised. Data should be sent to a syslog server instead.

You understand the recommended architecture: send syslog data to a dedicated syslog server (can be rsyslog or syslog-ng) and use a universal forwarder to send the data to Splunk. The UF can be replaced with an HF, but there is no good reason to do so.

A single syslog server (or 2, to have redundancy) is all that is needed to serve 5 appliances.

If you find it challenging to set up a syslog server, consider using Splunk Connect for Syslog. The SC4S application bundles syslog-ng in a Docker container and is pretty easy to deploy.

---
If this reply helps you, Karma would be appreciated.

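The architecture richgalloway describes (appliances send syslog to a dedicated rsyslog host, a UF on that host tails the files), as an added example that is not part of the original thread and is not Splunk's, Citrix's or rsyslog's own code. It assumes rsyslog 8 with the imudp and imtcp modules, a UF installed under /opt/splunkforwarder, appliances in the constructed range 10.0.0.0/24, a `splunk` group the UF runs as, an index named `netscaler`, and the sourcetype `citrix:netscaler:syslog` (verify against the add-on's documentation); the app name `netscaler_inputs` is also an assumption.

```shell
#!/bin/sh
# Added example: provision an rsyslog collector for NetScaler syslog and a
# Universal Forwarder monitor input on the same host. Not from the thread.
# Assumptions: rsyslog 8 (imudp/imtcp), UF in /opt/splunkforwarder, appliances
# in 10.0.0.0/24 (constructed), group "splunk", sourcetype citrix:netscaler:syslog
# and app name netscaler_inputs (both assumptions; check the add-on docs).

# write_rsyslog_conf DIR  -> writes DIR/30-netscaler.conf and prints its path.
write_rsyslog_conf() {
    conf="$1/30-netscaler.conf"
    mkdir -p "$1"
    cat > "$conf" <<'EOF'
# /etc/rsyslog.d/30-netscaler.conf
# Drop these two module() lines if rsyslog.conf already loads them.
module(load="imudp")
module(load="imtcp")
# NetScaler sends to UDP/514 by default; TCP/514 is here for senders that can use it.
input(type="imudp" port="514" ruleset="netscaler")
input(type="imtcp" port="514" ruleset="netscaler")

# One file per appliance, keyed on the sending IP rather than the self-reported
# HOSTNAME field, so a forged hostname cannot write into another appliance's file.
template(name="NetScalerFile" type="string"
         string="/var/log/netscaler/%FROMHOST-IP%/netscaler.log")
# Store the message untouched so the add-on's field extractions see the original line.
template(name="NetScalerRaw" type="string" string="%rawmsg%\n")

ruleset(name="netscaler") {
    # Allowlist: only our appliances may write here; everything else is discarded.
    if not ($fromhost-ip startswith "10.0.0.") then stop
    action(type="omfile" dynaFile="NetScalerFile" template="NetScalerRaw"
           dirCreateMode="0750" fileCreateMode="0640"
           dirOwner="root" dirGroup="splunk" fileOwner="root" fileGroup="splunk")
}
EOF
    echo "$conf"
}

# write_uf_inputs APPDIR -> writes APPDIR/local/inputs.conf and prints its path.
write_uf_inputs() {
    dir="$1/local"
    mkdir -p "$dir"
    cat > "$dir/inputs.conf" <<'EOF'
# $SPLUNK_HOME/etc/apps/netscaler_inputs/local/inputs.conf (app name is an assumption)
[monitor:///var/log/netscaler/*/netscaler.log]
sourcetype = citrix:netscaler:syslog
index = netscaler
# /var/log/netscaler/<ip>/netscaler.log: segment 4 is the appliance IP, so each
# event is tagged with the appliance as host instead of the collector's hostname.
host_segment = 4
disabled = 0
EOF
    echo "$dir/inputs.conf"
}

# Apply on a real collector: NETSCALER_APPLY=1 sh netscaler-collector.sh
if [ "${NETSCALER_APPLY:-0}" = 1 ]; then
    write_rsyslog_conf /etc/rsyslog.d
    rsyslogd -N1 && systemctl restart rsyslog        # validate before restarting
    write_uf_inputs /opt/splunkforwarder/etc/apps/netscaler_inputs
    /opt/splunkforwarder/bin/splunk restart
fi
```

The UF only tails files, so the rsyslog listener is the only thing exposed on the network; restrict UDP/TCP 514 at the host firewall to the appliance addresses as well, since the `startswith` allowlist trusts a source IP that UDP does not authenticate. UDP also gives no delivery guarantee, which is the loss richgalloway is warning about; the syslog server at least decouples the receive path from Splunk restarts and queue pressure.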


richgalloway
SplunkTrust

One cannot send data directly from Citrix to an indexer. The data must go through syslog or a modular input. The Splunk Add-on for Netscaler Citrix handles either option. See the documentation at https://docs.splunk.com/Documentation/AddOns/released/CitrixNetScaler/Install

Install the add-on on a UF if you are using the IPFIX input. Do not use UDP on a UF; send UDP to syslog.

Another option is to receive syslog from Citrix using Splunk Connect for Syslog (SC4S).  See https://splunk-connect-for-syslog.readthedocs.io/en/master/

---
If this reply helps you, Karma would be appreciated.

hectorvp
Communicator

Hi @richgalloway ,

Citrix NetScaler is being enabled to send events using UDP.

We would hardly have 5 NetScaler appliances. Setting up a dedicated syslog server which stores events in files, and monitoring those files with a UF, is what I understand to be the recommended way.

Just setting up a syslog server for 5 appliances is what concerns us. The rest are all server events where a UF would be forwarding using TCP.

Is there any alternative way where we can send events (UDP) directly to an HF?

Or can this be done by installing rsyslog and an HF on the same box?
