Recently I deployed Splunk Connect for Syslog in Docker, and my first candidate to use it was our Citrix ADC VPX. Following the instructions here https://splunk.github.io/splunk-connect-for-syslog/main/sources/Citrix/ I see the logs correctly flowing into Splunk. Now it is time to get some useful alerts out of them.
I thought about something very basic to start with:
- Detect when a failover between the two Citrix happens.
- Detect when a virtual server is UP but a node of the load balancing group went down.
- Detect when a virtual server is completely down, i.e. all nodes went down.
I am diving into the events trying to get some meaning out of them without much luck. So far I have identified a few fields but nothing that makes much sense.
Does anyone have any additional information regarding the logs that I could reuse somehow? Maybe some queries I could base mine on?
Thanks a lot.
After trying a lot, I ended up with a query that triggers whenever a failover happens in HA and the node which went DOWN comes back UP again.
index=netfw app=EVENT (event_name=DEVICEUP OR event_name=DEVICEDOWN) server_svc_internal | sort - _time,event_id | head 1 | search event_name=DEVICEUP
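The check behind that search, as an added Python example that is not from the original post, Splunk or Citrix: it re-implements the "newest EVENT record is DEVICEUP" logic over constructed sample events using only the field names the search uses (app, event_name, event_id, _time), and additionally requires that a DEVICEDOWN preceded the UP, which the search as written does not verify.

```python
from datetime import datetime

# Constructed sample events shaped like the fields used in the search.
# Values are made up for illustration; real SC4S/Citrix events carry more fields.
SAMPLE_EVENTS = [
    {"_time": "2024-01-10T08:00:00", "app": "EVENT", "event_name": "DEVICEDOWN", "event_id": 101},
    {"_time": "2024-01-10T08:05:00", "app": "EVENT", "event_name": "DEVICEUP", "event_id": 102},
    {"_time": "2024-01-10T08:05:00", "app": "OTHER", "event_name": "DEVICEUP", "event_id": 103},  # filtered out by app
]


def _ts(event):
    return datetime.fromisoformat(event["_time"])


def latest_event(events):
    """Mirror of 'app=EVENT (event_name=DEVICEUP OR event_name=DEVICEDOWN)
    | sort - _time,event_id | head 1': newest _time first, ties broken by
    the lowest event_id (the '-' in the sort spec applies to _time only)."""
    candidates = [
        e for e in events
        if e.get("app") == "EVENT" and e.get("event_name") in ("DEVICEUP", "DEVICEDOWN")
    ]
    if not candidates:
        return None
    return sorted(candidates, key=lambda e: (-_ts(e).timestamp(), e["event_id"]))[0]


def failover_recovered(events):
    """True when the newest matching event is DEVICEUP (what the search alerts on)
    AND at least one DEVICEDOWN came before it, so a lone DEVICEUP from a node
    that simply booted does not fire the alert."""
    newest = latest_event(events)
    if newest is None or newest["event_name"] != "DEVICEUP":
        return False
    return any(
        e is not newest
        and e.get("app") == "EVENT"
        and e.get("event_name") == "DEVICEDOWN"
        and _ts(e) <= _ts(newest)
        for e in events
    )


if __name__ == "__main__":
    print(latest_event(SAMPLE_EVENTS))
    print("failover recovered:", failover_recovered(SAMPLE_EVENTS))
```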