CTX136146

Common Event Format (CEF) Logging Support in the Application Firewall

Applicable Products

  • NetScaler 10.0

Information

This article contains information about the Common Event Format (CEF) logging support in the Application Firewall.

Requirements

CEF-format logging for the Application Firewall requires NetScaler software release 10 or later.

Background

The CEF is an open log management standard that improves the interoperability of security-related information from different security and network devices and applications. CEF enables customers to use a common event log format so that data can easily be collected and aggregated for analysis by an enterprise management system.

Enabling CEF logging on a NetScaler Application Firewall Appliance

The Citrix NetScaler appfw lets the user enable CEF logging from the Graphical User Interface (GUI) as well as from the command line interface. CEF logging is disabled by default.

Command:
set appfw settings CEFLogging on

In the GUI, you can enable this parameter from the engine settings dialog.

Analyzing the CEF Log Message

The appfw CEF log messages contain the following details:

  • src – source IP address
  • spt – source port number
  • request – request URL
  • act – action (e.g. blocked)
  • msg – message
  • cn1 – event ID
  • cn2 – HTTP transaction ID
  • cs1 – profile name
  • cs2 – PPE ID (e.g. PPE1)
  • cs3 – session ID
  • cs4 – severity (e.g. INFO)
  • cs5 – event year
  • method – method (e.g. GET/POST)

For example, consider the following log message, which was generated when a Start URL violation was triggered:

Dec 18 20:37:08  10.217.31.247 CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_STARTURL|6|src=10.217.253.78 spt=53743 method=GET request=http://vpx247.example.net/FFC/login.html msg=Disallow Illegal URL. cn1=233 cn2=205 cs1=profile1 cs2=PPE0 cs3=AjSZM26h2M+xL809pON6C8joebUA000 cs4=ALERT cs5=2012 act=blocked

The preceding message can be broken down into the following components:

Message                                            Description
18-Dec                                             Date
20:37:38                                           Current time
10.217.31.247                                      IP address of the VIP that received the request
CEF:0                                              Log format
Citrix                                             Company name
NetScaler                                          Appliance
NS10.0                                             Version
APPFW                                              Module
APPFW_STARTURL                                     Security check violation
6                                                  Severity
src=10.217.253.78                                  Request was received from client IP 10.217.253.78
spt=53743                                          Source port was 53743
method=GET                                         The request was a "GET" request
request=http://vpx247.example.net/FFC/login.html   The requested URL was "http://vpx247.example.net/FFC/login.html"
msg=Disallow Illegal URL                           The violation log message generated by appfw
cn1=233                                            Event ID was 233
cn2=205                                            HTTP transaction ID was 205
cs1=profile1                                       The request was processed by "profile1"
cs2=PPE0                                           The request was processed by PPE0
cs3=AjSZM26h2M+xL809pON6C8joebUA000                Appfw session ID was "AjSZM26h2M+xL809pON6C8joebUA000"
cs4=ALERT                                          String representation of the severity level (6)
cs5=2012                                           Current year is 2012
act=blocked                                        The action taken by appfw was to "Block" the request

Examples of Application Firewall Security Check Violation Log Messages

The following examples show request-side check, response-side check, and signature check violations in CEF log format:
  • Start URL Violation

    Dec 18 21:46:17  10.217.31.247 CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_STARTURL|6|src=10.217.253.78 spt=54711 method=GET request=http://vpx247.example.net/FFC/login_post.html?abc\=def msg=Disallow Illegal URL. cn1=465 cn2=535 cs1=profile1 cs2=PPE0 cs3=IliG4Dxp1SjOhKVRDVBXmqvAaIcA000 cs4=ALERT cs5=2012 act=not blocked
  • Credit Card Violation

    Dec 19 00:38:09  10.217.31.247 CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_SAFECOMMERCE_XFORM|6|src=10.217.253.78 spt=56116 method=GET request=http://vpx247.example.net/FFC/CreditCardMind.html msg= Transformed (xout) potential credit card numbers seen in server response cn1=652 cn2=610 cs1=pr_ffc cs2=PPE0 cs3=li8MdGfW49uG8tGdSV85ech41a0A000 cs4=ALERT cs5=2012 act=transformed
    Dec 19 00:38:09  10.217.31.247 CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_SAFECOMMERCE|6|src=10.217.253.78 spt=56116 method=GET request=http://vpx247.example.net/FFC/CreditCardMind.html msg= Maximum no. of potential credit card numbers seen cn1=653 cn2=610 cs1=pr_ffc cs2=PPE0 cs3=li8MdGfW49uG8tGdSV85ech41a0A000 cs4=ALERT cs5=2012 act=transformed
  • Signature Violation

    Dec 19 01:07:56 <local0.info> 10.217.31.247 CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_SIGNATURE_MATCH|6|src=10.217.253.78 spt=56687 method=GET request=http://vpx247.example.net/FFC/wwwboard/passwd.txt msg= Signature violation rule ID 807: web-cgi /wwwboard/passwd.txt access cn1=224 cn2=205 cs1=pr_ffc cs2=PPE0 cs3=POousP7CIMW5nwZ5Rs4nq5DND0sA000 cs4=ALERT cs5=2012 act=not blocked
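To turn these messages into structured records for a SIEM or a script, here is an added example (not from the article or from Citrix's own tooling) that parses the syslog-wrapped appfw CEF lines described above. The sample input is constructed from the article's two Start URL messages; the parser keeps the spaces inside msg= values, undoes the \= escape seen in the login_post.html example, and lists the violations that were logged with act=not blocked, which are the ones a defender would review separately from blocked requests.

```python
import re
from typing import Dict, List, Optional, Tuple

# Extension keys the NetScaler Application Firewall emits (as listed in the article).
KNOWN_KEYS = "src spt method request msg cn1 cn2 cs1 cs2 cs3 cs4 cs5 act".split()
# Syslog prefix (timestamp, optional <facility.level>, VIP), then the seven pipe-delimited CEF header fields.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?:<[^>]*>\s+)?(?P<vip>\S+)\s+"
    r"CEF:(?P<cef_version>\d+)\|(?P<vendor>[^|]*)\|(?P<product>[^|]*)\|(?P<version>[^|]*)\|"
    r"(?P<module>[^|]*)\|(?P<name>[^|]*)\|(?P<severity>\d+)\|(?P<ext>.*)$")
# A new field starts only at whitespace + known key + '=', so "msg=Disallow Illegal URL." keeps its spaces.
KEY_RE = re.compile(r"(?:^|\s)(%s)=" % "|".join(KNOWN_KEYS))

def parse_extension(ext: str) -> Dict[str, str]:
    """Turn 'k=v k2=v with spaces' into a dict; undoes the backslash escapes CEF uses for '=' and '\\'."""
    fields, matches = {}, list(KEY_RE.finditer(ext))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext)
        raw = ext[m.end():end].strip()
        fields[m.group(1)] = raw.replace("\\=", "=").replace("\\\\", "\\")
    return fields

def parse_appfw_cef(line: str) -> Optional[Dict[str, object]]:
    """Parse one appfw CEF syslog line into header + extension fields; None if the line is not CEF."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec: Dict[str, object] = m.groupdict()
    rec["severity"] = int(m.group("severity"))
    rec.update(parse_extension(str(rec.pop("ext"))))
    return rec

def unblocked_violations(lines: List[str]) -> List[Tuple[str, str]]:
    """(check name, requested URL) for violations the firewall logged but did not block."""
    hits = []
    for rec in filter(None, map(parse_appfw_cef, lines)):
        if rec.get("act") == "not blocked":
            hits.append((str(rec["name"]), str(rec["request"])))
    return hits

# Constructed sample input: the article's two Start URL example messages.
SAMPLE_LINES = [
    "Dec 18 20:37:08  10.217.31.247 CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_STARTURL|6|src=10.217.253.78 spt=53743 method=GET request=http://vpx247.example.net/FFC/login.html "
    "msg=Disallow Illegal URL. cn1=233 cn2=205 cs1=profile1 cs2=PPE0 cs3=AjSZM26h2M+xL809pON6C8joebUA000 cs4=ALERT cs5=2012 act=blocked",
    "Dec 18 21:46:17  10.217.31.247 CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_STARTURL|6|src=10.217.253.78 spt=54711 method=GET request=http://vpx247.example.net/FFC/login_post.html?abc\\=def "
    "msg=Disallow Illegal URL. cn1=465 cn2=535 cs1=profile1 cs2=PPE0 cs3=IliG4Dxp1SjOhKVRDVBXmqvAaIcA000 cs4=ALERT cs5=2012 act=not blocked",
]
```

Calling unblocked_violations(SAMPLE_LINES) returns only the second message, whose URL comes back with the escaped query string restored to abc=def.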

Note: Refer to the Citrix eDocs for more information related to CEF logging.