Citrix ADC

Selective SSL logging

In a large deployment comprising thousands of virtual servers, all SSL-related information is logged. Earlier, filtering the client authentication and SSL handshake successes and failures for a few critical virtual servers was not easy. Reading through the entire log to get this information was a time-consuming and tedious task because the infrastructure did not offer the control to filter the logs. Now, you can log SSL-related information in ns.log for a specific virtual server or for a group of virtual servers. This information is especially helpful in debugging failures. To log this information, you must add an SSL log profile.

See sample ns.log output for successful client authentication at the end of this page.

Important: Set the syslog log level to DEBUG. SSLLOG entries are written at the debug level (local0.debug in the sample output at the end of this page) and are dropped at any less verbose level. At the command prompt, type:

set audit syslogParams -logLevel DEBUG

SSL log profile

An SSL log profile provides control over logging the following events for a virtual server or a group of virtual servers:

  • Client authentication success and failures, or only failures.

  • SSL handshake success and failures, or only failures.

By default, all the parameters are disabled.

An SSL log profile can be set on an SSL profile, or on an SSL action. If set to an SSL profile, you can log both client authentication and SSL handshake success and failure information. If set to an SSL action, you can only log client authentication success and failure information because the handshake is complete before the policy is evaluated.

Client authentication and SSL handshake success and failures are logged even if you do not configure an SSL log profile. However, selective logging is possible only if an SSL log profile is used.

Note:

SSL log profile is supported in high availability and cluster setups.

Add an SSL log profile by using the CLI

At the command prompt, type:

add ssl logprofile <name> [-sslLogClAuth ( ENABLED | DISABLED )] [-ssllogClAuthFailures ( ENABLED | DISABLED )] [-sslLogHS ( ENABLED | DISABLED )] [-sslLogHSfailures ( ENABLED | DISABLED )]

Parameters:

Name:

Name for the SSL log profile. Must begin with an ASCII alphanumeric or underscore (_) character, and must contain only ASCII alphanumeric, underscore, hash (#), period (.), space, colon (:), at (@), equals (=), and hyphen (-) characters. Cannot be changed after the profile is created.

Name is a mandatory argument. Maximum Length: 127

sslLogClAuth:

Log all client authentication events. Includes both success and failure events.

Possible values: ENABLED, DISABLED

Default value: DISABLED

ssllogClAuthFailures:

Log all client authentication failure events.

Possible values: ENABLED, DISABLED

Default value: DISABLED

sslLogHS:

Log all SSL handshake related events. Includes both success and failure events.

Possible values: ENABLED, DISABLED

Default value: DISABLED

sslLogHSfailures:

Log all SSL handshake related failure events.

Possible values: ENABLED, DISABLED

Default value: DISABLED

Example:

> add ssl logprofile ssllog10 -sslLogClAuth ENABLED -sslLogHS ENABLED
 Done
> sh ssllogprofile ssllog10
1)      Name: ssllog10
        SSL log ClientAuth [Success/Failures] : ENABLED
        SSL log ClientAuth [Failures] : DISABLED
        SSL log Handshake [Success/Failures] : ENABLED
        SSL log Handshake [Failures] : DISABLED
 Done

Add an SSL log profile by using the GUI

Navigate to System > Profiles > SSL Log Profile and add a profile.

Modify an SSL log profile by using the CLI

At the command prompt, type:

set ssl logprofile <name> [-sslLogClAuth ( ENABLED | DISABLED )] [-ssllogClAuthFailures ( ENABLED | DISABLED )] [-sslLogHS ( ENABLED | DISABLED )] [-sslLogHSfailures ( ENABLED | DISABLED )]

Example:

> set ssllogprofile ssllog10 -ssllogClAuth en -ssllogClAuthFailures en -ssllogHS en -ssllogHSfailures en
 Done
> sh ssllogprofile ssllog10
1)      Name: ssllog10
        SSL log ClientAuth [Success/Failures] : ENABLED
        SSL log ClientAuth [Failures] : ENABLED
        SSL log Handshake [Success/Failures] : ENABLED
        SSL log Handshake [Failures] : ENABLED
 Done

Modify an SSL log profile by using the GUI

  1. Navigate to System > Profiles > SSL Log Profile, select a profile, and click Edit.
  2. Make changes and click OK.

View all the SSL log profiles by using the CLI

At the command prompt, type:

sh ssl logprofile 

Example:

> sh ssl logprofile
1)      Name: ssllogp1
        SSL log ClientAuth [Success/Failures] : ENABLED
        SSL log ClientAuth [Failures] : ENABLED
        SSL log Handshake [Success/Failures] : DISABLED
        SSL log Handshake [Failures] : ENABLED
2)      Name: ssllogp2
        SSL log ClientAuth [Success/Failures] : DISABLED
        SSL log ClientAuth [Failures] : DISABLED
        SSL log Handshake [Success/Failures] : DISABLED
        SSL log Handshake [Failures] : DISABLED
3)      Name: ssllogp3
        SSL log ClientAuth [Success/Failures] : DISABLED
        SSL log ClientAuth [Failures] : DISABLED
        SSL log Handshake [Success/Failures] : DISABLED
        SSL log Handshake [Failures] : DISABLED
4)      Name: ssllog10
        SSL log ClientAuth [Success/Failures] : ENABLED
        SSL log ClientAuth [Failures] : ENABLED
        SSL log Handshake [Success/Failures] : ENABLED
        SSL log Handshake [Failures] : ENABLED
 Done

View all the SSL log profiles by using the GUI

Navigate to System > Profiles > SSL Log Profile. All the profiles are listed.

Attach an SSL log profile to an SSL profile

You can attach (set) an SSL log profile on an SSL profile when you are creating an SSL profile, or later by editing the SSL profile. You can log both client authentication and handshake successes and failures.

Important:

The default SSL profile must be enabled before you can attach an SSL log profile.

Attach an SSL log profile to an SSL profile by using the CLI

At the command prompt, type:

set ssl profile <name> [-ssllogProfile <string>]

Example:

set ssl profile fron_1 -ssllogProfile ssllog10 

Attach an SSL log profile to an SSL profile by using the GUI

  1. Navigate to System > Profiles > SSL Profile.
  2. Click Edit and in SSL Log Profile, specify a profile.

Attach an SSL log profile to an SSL action

You can set an SSL log profile only while creating an SSL action. You cannot modify an existing SSL action to set the log profile. Associate the action with a policy. Because the policy is evaluated after the handshake has completed, you can only log client authentication successes and failures through an action.

Attach an SSL log profile to an SSL action by using the CLI

At the command prompt, type:

add ssl action <name> -clientAuth ( DOCLIENTAUTH | NOCLIENTAUTH ) -ssllogProfile <string>

Example:

> add ssl action act1 -clientAuth DoCLIENTAUTH -ssllogProfile ssllog10
 Done
> sh ssl action act1
1)      Name: act1
        Type: Client Authentication (DOCLIENTAUTH)
        Hits: 0
        Undef Hits: 0
        Action Reference Count: 0
        SSLlogProfile: ssllog10
 Done

Attach an SSL log profile to an SSL action by using the GUI

  1. Navigate to Traffic Management > SSL > Policies and click SSL Actions.
  2. Click Add.
  3. In Client Authentication, select ENABLED.
  4. In SSL Log Profile, select a profile from the list, or click “+” to create a profile.
  5. Click Create.

Sample output from the log file

The following is a sample log output from ns.log for successful client authentication. The three events that share an SPCBId (SSL_HANDSHAKE_SUCCESS, SSL_HANDSHAKE_ISSUERNAME, SSL_HANDSHAKE_SUBJECTNAME) describe one connection; the entry prefixed with "Backend" is the ADC-to-server leg of the same request.

Jan 24 16:24:25 <local0.debug> 10.102.57.80 01/24/2019:10:54:25 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 158 0 : SPCBId 671 - ClientIP 10.102.1.98 - ClientPort 49451 - VserverServiceIP 10.102.57.82 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA TLSv1.2 Non-Export 256-bit" - Session New - CLIENT_AUTHENTICATED - SerialNumber "2A" - SignatureAlgorithm "sha1WithRSAEncryption" - ValidFrom "Sep 22 09:15:20 2008 GMT" - ValidTo "Feb 8 09:15:20 2036 GMT" - HandshakeTime 10 ms
Jan 24 16:24:25 <local0.debug> 10.102.57.80 01/24/2019:10:54:25 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_ISSUERNAME 159 0 : SPCBId 671 - IssuerName " C=IN,ST=KAR,O=Citrix R&D Pvt Ltd,CN=Citrix"
Jan 24 16:24:25 <local0.debug> 10.102.57.80 01/24/2019:10:54:25 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUBJECTNAME 160 0 : SPCBId 671 - SubjectName " C=IN,ST=KAR,O=Citrix Pvt Ltd,OU=A,CN=B"
Jan 24 16:24:25 <local0.debug> 10.102.57.80 01/24/2019:10:54:25 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 161 0 : Backend SPCBId 674 - ServerIP 10.102.57.85 - ServerPort 443 - ProtocolVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA TLSv1.2 Non-Export 256-bit" - Session Reuse - SERVER_AUTHENTICATED - SerialNumber "3E" - SignatureAlgorithm "sha1WithRSAEncryption" - ValidFrom "Sep 24 06:40:37 2008 GMT" - ValidTo "Feb 10 06:40:37 2036 GMT" - HandshakeTime 1 ms
Jan 24 16:24:25 <local0.debug> 10.102.57.80 01/24/2019:10:54:25 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_ISSUERNAME 162 0 : SPCBId 674 - IssuerName " C=IN,ST=KAR,O=Citrix Pvt Ltd"
Jan 24 16:24:25 <local0.debug> 10.102.57.80 01/24/2019:10:54:25 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUBJECTNAME 163 0 : SPCBId 674 - SubjectName " C=IN,ST=P,L=Q,O=R"
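The log profile only controls what the ADC writes; turning the output into something a reviewer can act on still means correlating the three events that share an SPCBId and filtering them to the virtual servers you care about. The following Python is an added example (not Citrix code or tooling) that does that over the sample above: it parses the SSLLOG line layout shown on this page, groups events per SPCBId, filters front-end sessions by VserverServiceIP and port, and raises the findings a practitioner would want from these particular lines (a SHA-1-signed peer certificate, a CBC cipher suite, an expired certificate). The sample text is the page's own output reflowed to one event per line. Only the three event names visible on the page are relied on; the LEGACY_VERSIONS strings are an assumption about how pre-TLS 1.2 handshakes would be labelled and are not taken from the page.

```python
"""Correlate Citrix ADC SSLLOG events from ns.log per connection.

Added example, not Citrix tooling. The line layout comes from the sample on
this page; only the three event names shown there are relied on.
"""
import re
from datetime import datetime, timezone

# Constructed from the page's ns.log sample (one SSLLOG event per line).
SAMPLE_NS_LOG = """\
Jan 24 16:24:25 <local0.debug> 10.102.57.80 01/24/2019:10:54:25 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 158 0 : SPCBId 671 - ClientIP 10.102.1.98 - ClientPort 49451 - VserverServiceIP 10.102.57.82 - VserverServicePort 443 - ClientVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA TLSv1.2 Non-Export 256-bit" - Session New - CLIENT_AUTHENTICATED - SerialNumber "2A" - SignatureAlgorithm "sha1WithRSAEncryption" - ValidFrom "Sep 22 09:15:20 2008 GMT" - ValidTo "Feb 8 09:15:20 2036 GMT" - HandshakeTime 10 ms
Jan 24 16:24:25 <local0.debug> 10.102.57.80 01/24/2019:10:54:25 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_ISSUERNAME 159 0 : SPCBId 671 - IssuerName " C=IN,ST=KAR,O=Citrix R&D Pvt Ltd,CN=Citrix"
Jan 24 16:24:25 <local0.debug> 10.102.57.80 01/24/2019:10:54:25 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUBJECTNAME 160 0 : SPCBId 671 - SubjectName " C=IN,ST=KAR,O=Citrix Pvt Ltd,OU=A,CN=B"
Jan 24 16:24:25 <local0.debug> 10.102.57.80 01/24/2019:10:54:25 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUCCESS 161 0 : Backend SPCBId 674 - ServerIP 10.102.57.85 - ServerPort 443 - ProtocolVersion TLSv1.2 - CipherSuite "AES-256-CBC-SHA TLSv1.2 Non-Export 256-bit" - Session Reuse - SERVER_AUTHENTICATED - SerialNumber "3E" - SignatureAlgorithm "sha1WithRSAEncryption" - ValidFrom "Sep 24 06:40:37 2008 GMT" - ValidTo "Feb 10 06:40:37 2036 GMT" - HandshakeTime 1 ms
Jan 24 16:24:25 <local0.debug> 10.102.57.80 01/24/2019:10:54:25 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_ISSUERNAME 162 0 : SPCBId 674 - IssuerName " C=IN,ST=KAR,O=Citrix Pvt Ltd"
Jan 24 16:24:25 <local0.debug> 10.102.57.80 01/24/2019:10:54:25 GMT 0-PPE-0 : default SSLLOG SSL_HANDSHAKE_SUBJECTNAME 163 0 : SPCBId 674 - SubjectName " C=IN,ST=P,L=Q,O=R"
"""

# Syslog prefix, ADC timestamp, packet engine, partition, then the SSLLOG event.
HEADER_RE = re.compile(
    r"^(?P<syslog_ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) <(?P<priority>[^>]+)> "
    r"(?P<host>\S+) (?P<ns_ts>\S+ GMT) (?P<ppe>\S+) : (?P<partition>\S+) SSLLOG "
    r"(?P<event>\S+) (?P<seq>\d+) (?P<level>\d+) : (?P<body>.*)$"
)

# Assumption: version strings for pre-TLS 1.2 handshakes. The page only shows
# TLSv1.2, so this set is illustrative, not taken from ADC documentation.
LEGACY_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.0", "TLSv1.1"}


def parse_cert_date(value):
    """Turn an ADC ValidFrom/ValidTo string such as 'Feb 8 09:15:20 2036 GMT' into a UTC datetime."""
    normalized = " ".join(value.split())
    return datetime.strptime(normalized, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)


def parse_body(body):
    """Split 'Key value - Key "quoted value" - FLAG' into (side, fields, flags)."""
    side, fields, flags = "client", {}, set()
    for item in re.split(r"\s+-\s*", body):
        item = item.strip()
        if item.startswith("Backend "):      # ADC-to-server leg of the request
            side = "backend"
            item = item[len("Backend "):]
        key, _, value = item.partition(" ")
        if value:
            fields[key] = value.strip().strip('"').strip()
        elif key:
            flags.add(key)                   # bare markers such as CLIENT_AUTHENTICATED
    return side, fields, flags


def parse_log(text):
    """Group SSLLOG events by SPCBId so SUCCESS, ISSUERNAME and SUBJECTNAME form one record."""
    sessions = {}
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue                         # not an SSLLOG line; ignore
        side, fields, flags = parse_body(m["body"])
        spcb = fields.get("SPCBId")
        if spcb is None:
            continue
        rec = sessions.setdefault(spcb, {"side": side, "events": [], "fields": {}, "flags": set()})
        if side == "backend":
            rec["side"] = "backend"
        rec["events"].append(m["event"])
        rec["fields"].update(fields)
        rec["flags"] |= flags
    return sessions


def filter_by_vserver(sessions, vip, port):
    """Front-end sessions that hit one virtual server: the 'few critical vservers' case."""
    return sorted(
        spcb for spcb, rec in sessions.items()
        if rec["side"] == "client"
        and rec["fields"].get("VserverServiceIP") == vip
        and rec["fields"].get("VserverServicePort") == str(port)
    )


def audit_session(rec, now=None):
    """Findings from one correlated record, in a fixed order."""
    f, findings = rec["fields"], []
    if "sha1" in f.get("SignatureAlgorithm", "").lower():
        findings.append("certificate signed with SHA-1")
    if "-CBC-" in f.get("CipherSuite", ""):
        findings.append("CBC cipher suite negotiated")
    version = f.get("ClientVersion") or f.get("ProtocolVersion", "")
    if version in LEGACY_VERSIONS:
        findings.append(f"legacy protocol {version}")
    if "ValidTo" in f and parse_cert_date(f["ValidTo"]) < (now or datetime.now(timezone.utc)):
        findings.append("peer certificate expired")
    return findings


if __name__ == "__main__":
    sessions = parse_log(SAMPLE_NS_LOG)
    for spcb in filter_by_vserver(sessions, "10.102.57.82", 443):
        rec = sessions[spcb]
        print(spcb, rec["fields"].get("ClientIP"), sorted(rec["flags"]), audit_session(rec))
```

Point parse_log at the real ns.log (or the syslog collector's copy) and pass the VIP and port of the virtual server under investigation to filter_by_vserver; the backend record is kept separately so that a server-side certificate problem is not mistaken for a client authentication one.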