Getting Data In

windows citrix

genesiusj
Builder

Hello,
At the moment, don't have access to the Citrix logs; only Windows Logs (Sec/App/Sys). Does anyone know how I can use these events to figure out how many users log in to the Citrix environment? In the attached screenshot is the first 20 or so events that occur during a connection to the Citrix server. I don't understand why there are 6 sets of logons/logoffs (Logon_Type=8) before the user is able to select and app/rdp from their landing page (Logon_Type=10). Is this normal behavior? Login Procedure

Thanks and God bless,
Genesius

0 Karma
1 Solution

wyfwa4
Communicator

I suspect there is more going on in your logs than a simple Citrix logon. On my Citrix servers, I see three basic events per logon

4648 A logon was attempted using explicit credentials
4624 An account was successfully logged on
4627 Group Membership information

The logon type is 10 and all three events are linked by the the same user name in the field "TargetUserName". Logon Type 8 is never used for a direct RDP/ICA logon, but can often relate to IIS basic authentication. So it is possible (just a guess) that you are seeing events from the Citrix web interface. So users will logon to the CWI first and then enumerate apps and only when they have selected an app, be directed to their target Citrix server. If you can filter out these possible CWI logons, it may make the process simpler to understand.

Personally I find tracking Citrix sessions via windows logs to be too complex and CPU intensive - you generally have to use the transaction command to combine all of these events which can be very slow and sessions can last for hours, meaning the transaction cover unlimited time spans. So I user two other methods to track this data. You don't mention if you are running a forwarder on the server or you have the ability to collect additional data, but if you are, these may help.

1) User perfmon to collect Citrix specific counters - there is one counter you can use to get the overall number of active/disconnected sessions. This only gives the overall numbers, not per user info.

[perfmon://citrix-tssessions]
counters = Active Sessions;Inactive Sessions;Total Sessions
object = Terminal Services

2) Use a scripted input to run the command "qwinsta" on the end server. This will give you a list of all active sessions including user names. I run this on a scheduled basis (for example every 5 mins) and then I can track sessions for each user very easily.

View solution in original post

0 Karma

genesiusj
Builder

@wyfwa4
I don't have a lot of points to reward people, but this solution with perfmon was perfect. This was for our CTO, and we were not getting much direction from our Citrix Admins. Not for any other reason than lack of knowledge. Our dashboard numbers now jive with Citrix Studio.

Thanks and God bless,
Genesius

PS Stay safe and healthy, you and yours.

0 Karma

genesiusj
Builder

@wyfwa4
I have a quick follow up question.
Where did you get those perfmon parameters for the agent?
I Googled "citrix-tssessions perfmon" and had zero results.
Did you install the Citrix Addon/App and pull the perfmon from there?
If so, we might do this with different splunkbase apps to get a heads up on what changes can be made on our agents.
Thanks in advance, and God bless.
Stay safe and healthy, you and yours.
Genesius

0 Karma

wyfwa4
Communicator

The name in the stanza is just my own name to identify the data collection. The reference to perfmon counters is defined in the "counters" and "object" fields under the stanza. I am only using standard counters that are available on Windows - to get a list on a particular server, run the following command in a command window - "typeperf -q". You will see if you run this on a Citrix server, you get more counters than would exist on a plain Windows servers

So if I take two example

[perfmon://citrix-userCPU]
counters = CPU Entitlement; CPU Reservation; CPU Shares; CPU Usage; Long-term CPU Usage
instances = *
interval = 60
object = Citrix CPU Utilization Mgmt User
useEnglishOnly=true
mode = multikv
showZeroValue = 1

[perfmon://citrix-tssessions]
counters = Active Sessions;Inactive Sessions;Total Sessions
instances = *
interval = 60
object = Terminal Services
useEnglishOnly=true
mode = multikv
showZeroValue = 1   

Each perfmon stanza must be in the following format -

[perfmon://]
Where is your own personal name.

In the first stanza, the specific perfmon counter is "Citrix CPU Utilization Mgmt User" - this comes from Xenapp (https://blog.citrix24.com/xenapp-6-5-performance-counters/)
In the second stanza, the specific perfmon counter is "Terminal Services" - This is a standard terminal services counter - available on any Windows server using terminal services.

I got all of these names by running the typeperf command or looking at the perfmon tool on a server. Any perfmon counter you can collect using native perfmon, you can collect via the Splunk.

For example if I run the typeperf command and got the following output for the terminal services object -

\Terminal Services\Total Sessions
\Terminal Services\Inactive Sessions
\Terminal Services\Active Sessions

You can see in my second staza above, I am listing these counters under the "Terminal Services" object, I have listed all three, but you can decide which specific counters you actually want to collect.

counters = Active Sessions;Inactive Sessions;Total Sessions

Finally there is the "instances" field - this just defines whether you collect from a named instance or wildcard (i.e. all instances). In the context of Citrix/TS, we want to collect data from all sessions, so just use the wildcard instance. If you were collecting CPU data, you might just specify the "_total" instance rather than collect CPU data for all individual cores.

0 Karma

wyfwa4
Communicator

I suspect there is more going on in your logs than a simple Citrix logon. On my Citrix servers, I see three basic events per logon

4648 A logon was attempted using explicit credentials
4624 An account was successfully logged on
4627 Group Membership information

The logon type is 10 and all three events are linked by the the same user name in the field "TargetUserName". Logon Type 8 is never used for a direct RDP/ICA logon, but can often relate to IIS basic authentication. So it is possible (just a guess) that you are seeing events from the Citrix web interface. So users will logon to the CWI first and then enumerate apps and only when they have selected an app, be directed to their target Citrix server. If you can filter out these possible CWI logons, it may make the process simpler to understand.

Personally I find tracking Citrix sessions via windows logs to be too complex and CPU intensive - you generally have to use the transaction command to combine all of these events which can be very slow and sessions can last for hours, meaning the transaction cover unlimited time spans. So I user two other methods to track this data. You don't mention if you are running a forwarder on the server or you have the ability to collect additional data, but if you are, these may help.

1) User perfmon to collect Citrix specific counters - there is one counter you can use to get the overall number of active/disconnected sessions. This only gives the overall numbers, not per user info.

[perfmon://citrix-tssessions]
counters = Active Sessions;Inactive Sessions;Total Sessions
object = Terminal Services

2) Use a scripted input to run the command "qwinsta" on the end server. This will give you a list of all active sessions including user names. I run this on a scheduled basis (for example every 5 mins) and then I can track sessions for each user very easily.

0 Karma
Get Updates on the Splunk Community!

New Cloud Intrusion Detection System Add-on for Splunk

In July 2022 Splunk released the Cloud IDS add-on which expanded Splunk capabilities in security and data ...

Happy CX Day to our Community Superheroes!

Happy 10th Birthday CX Day!What is CX Day? It’s a global celebration recognizing innovation and success in the ...

Check out This Month’s Brand new Splunk Lantern Articles

Splunk Lantern is a customer success center providing advice from Splunk experts on valuable data insights, ...