- Apps and Add-ons
- :
- All Apps and Add-ons
- :
- Getting NetScaler Data In
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hello Splunkers,
We need to fetch events from Netscaler devices.
After investigation I found that Netscaler can be configured to send events in syslogs format.
I had read somewhere inorder to fetch such events it is better that we use one syslog server and install UF to monitor and send events written in syslog server.
However I saw their is an add-on named as "Splunk add-on for Netscaler Citrix", if we use this add on at our HF or indexer and Search Head, and send events directly from Netscaler device to indexer/HF, will it work effectively and will it be reliable?
Or do we need syslog server in any case (Installing UF on top of it on syslog server)???
And if we send events directly from Netscaler to Indexer, I guess we may not need UF anywhere (Does add on helps us here in any way)??
What should be approach here?
In documentation I saw we can install add on on UF as well but what is it for???
PS: I'm new with Netscaler aspects and quiet beginner with Splunk as well.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, heavy forwarders can receive data via UDP, but it is not advised. Data should be sent to a syslog server, instead.
You understand the recommended architecture: send syslog data to a dedicated syslog server (can be rsyslog or syslog-ng) and use a universal forwarder to send the data to Splunk. The UF can be replaced with a HF, but there is no good reason to do so.
A single syslog server (or 2, to have redundancy) is all that is needed to serve 5 appliances.
If you find it challenging to set up a syslog server, consider using Splunk Connect for Syslog. The SC4S application bundles syslog-ng in a Docker container and is pretty easy to deploy.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Yes, heavy forwarders can receive data via UDP, but it is not advised. Data should be sent to a syslog server, instead.
You understand the recommended architecture: send syslog data to a dedicated syslog server (can be rsyslog or syslog-ng) and use a universal forwarder to send the data to Splunk. The UF can be replaced with a HF, but there is no good reason to do so.
A single syslog server (or 2, to have redundancy) is all that is needed to serve 5 appliances.
If you find it challenging to set up a syslog server, consider using Splunk Connect for Syslog. The SC4S application bundles syslog-ng in a Docker container and is pretty easy to deploy.
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
One cannot send data directly from Citrix to an indexer. The data must go through syslog or a modular input. The Splunk Add-on for Netscaler Citrix handles either option. See the documentation at https://docs.splunk.com/Documentation/AddOns/released/CitrixNetScaler/Install
Install the add-on on a UF if you are using IPFIX input. Do not use UDP on a UF; send UDP to syslog.
Another option is to receive syslog from Citrix using Splunk Connect for Syslog (SC4S). See https://splunk-connect-for-syslog.readthedocs.io/en/master/
If this reply helps you, Karma would be appreciated.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Hi @richgalloway ,
Citrix Netscaler is getting enabled to send events using UDP.
We would hardly have 5 Netscaler appliances, setting up dedicated syslog server which would store events in file and monitoring those files by UF is what I understand a recommended way.
Just setting up syslos server for 5 appliances is what we would be concerned. Rest are all servers events where UF would be forwarding using TCP.
Is their any alternative way where we can send events (UDP) directly to HF?
Or is can this be done to install rsyslog and HF on same box to achieve it???
Welcome to the Splunk Community!
Tech Talk | Elevating Digital Service Excellence: The Synergy of Splunk RUM & APM
Adoption of RUM and APM at Splunk
