Queries help - CITRIX ADC logs

corti77 · ‎09-24-2021

Hi,

recently I deploy the Splunk connect for Syslog in docker and my first candidate to use it was our Citrix ADC VPX. Following the instructions here https://splunk.github.io/splunk-connect-for-syslog/main/sources/Citrix/ I see the logs correctly flowing into splunk. now it is time to take some useful alerts out of it.

I thought about something very basic to start with:

- Detect when a failover between the two Citrix happens.

- Detect when a virtual server is UP but a node of the load balancing group got down

- Detect when a virtual server is completely down, all nodes got down.

I am diving in the events trying to get some meaning out of them without much luck. so far I identified few fields but nothing that makes much sense.

Has someone any additional information regarding the logs that I could reuse somehow? maybe some queries on which I could based on ?

Thanks a lot.

corti77 · ‎09-24-2021

after trying a lot, I ended up with a query that triggers whenever a failover happens in HA and the node which went DOWN gets UP back again.

index=netfw app=EVENT (event_name=DEVICEUP OR event_name=DEVICEDOWN) server_svc_internal | sort - _time,event_id | head 1 | search event_name=DEVICEUP

Queries help - CITRIX ADC logs

field extraction

October Community Champions: A Shoutout to Our Contributors!

Community Content Calendar, November Edition

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!

Are you a member of the Splunk Community?

Queries help - CITRIX ADC logs

field extraction

October Community Champions: A Shoutout to Our Contributors!

Community Content Calendar, November Edition

Stay Connected: Your Guide to November Tech Talks, Office Hours, and Webinars!