Configure Citrix NetScaler to send logs to Arctic Wolf

You can configure Citrix NetScaler® to send the necessary logs to Arctic Wolf® for security monitoring.

These resources are required:

  • An activated Arctic Wolf Sensor
  • Access to the NetScaler GUI with administrator permissions

Create an auditing server

  1. Sign in to NetScaler.
  2. Navigate to Configuration > System > Auditing > Syslog.
  3. Click the Servers tab.
  4. Click Add.
  5. On the Create Auditing Server page, configure these settings:
    • Name — Enter a name for the server that corresponds with the Arctic Wolf Sensor name.
    • Server Type — Select Server IP.
    • IP Address — Enter the Arctic Wolf Sensor IP address.
    • Port — Enter 514.
    • Log Levels — Select Custom, and then select Emergency, Informational, Alert, Warning, Critical, and Notice.
    • Log Facility — Select LOCAL0.
    • Date Format — Select YYYYMMDD.
    • TCP Logging — Select the checkbox.
    • ACL Logging — Select the checkbox.
    • AppFlow Logging — Select the checkbox.
    • DNS — Select the checkbox.
    • URL Filtering — Select the checkbox.
    • Content Inspection Logging — Select the checkbox.
    • Transport Type — Select UDP from the list.
    • Management Logs — Select All.
    • Management Log Levels — Select All.
  6. Click Create.

Create an auditing syslog policy

  1. Sign in to NetScaler.
  2. Navigate to Configuration > System > Auditing > Syslog.
  3. Click the Policies tab.
  4. Click Add.
  5. On the Create Auditing Syslog Policy page, configure these settings:
  6. Click Create.

Bind the auditing syslog policy

  1. Sign in to NetScaler.
  2. Navigate to Configuration > System > Auditing > Syslog.
  3. Click the Policies tab.
  4. Select the policy that you created in Create an auditing syslog policy.
  5. Click Select Action, and then select Advanced Policy Global Bindings or Classic Policy Global Bindings based on the Expression Type that you chose in Create an auditing syslog policy.
  6. On the Auditing Syslog Advanced Policy Global Binding page, configure these settings:
    • Select Policy — Select the policy that you created in Create an auditing syslog policy, and then click Add.
    • Priority — Enter 100.
    • Global Bind Type — Select SYSTEM_GLOBAL.
  7. Click Bind.
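After the policy is bound, a message captured on the path to the Sensor can be checked against the values chosen in Create an auditing server. This Python check is an added example, not part of the Arctic Wolf or Citrix documentation. The sample lines are constructed, and the line layout (`<PRI>` followed by a `YYYY/MM/DD:HH:MM:SS` timestamp) is an assumption about how the YYYYMMDD date format is rendered.

```python
import re
from datetime import datetime

# Values from the "Create an auditing server" step on this page.
EXPECTED_FACILITY = 16  # LOCAL0 in standard syslog facility numbering
SEVERITY_NAMES = ["Emergency", "Alert", "Critical", "Error",
                  "Warning", "Notice", "Informational", "Debug"]
# The page selects these six levels; Error and Debug are not in its list.
SELECTED = {"Emergency", "Alert", "Critical", "Warning", "Notice", "Informational"}

# Assumed layout: "<PRI> YYYY/MM/DD:HH:MM:SS TZ host ..." (not taken from the page).
HEADER_RE = re.compile(r"^<(\d{1,3})>\s*(\S+)")

def check_line(line):
    """Return the mismatches between one syslog line and the page's settings."""
    m = HEADER_RE.match(line)
    if not m:
        return ["missing <PRI> header"]
    pri = int(m.group(1))
    if pri > 191:  # facility 23 with severity 7 is the largest valid PRI
        return [f"PRI {pri} out of range"]
    facility, severity = divmod(pri, 8)  # PRI = facility * 8 + severity
    problems = []
    if facility != EXPECTED_FACILITY:
        problems.append(f"facility {facility}, expected {EXPECTED_FACILITY} (LOCAL0)")
    if SEVERITY_NAMES[severity] not in SELECTED:
        problems.append(f"severity {SEVERITY_NAMES[severity]} is not a selected log level")
    try:
        datetime.strptime(m.group(2), "%Y/%m/%d:%H:%M:%S")
    except ValueError:
        problems.append(f"timestamp {m.group(2)!r} is not in YYYYMMDD order")
    return problems

# Constructed sample lines, not captured from a real appliance.
SAMPLES = [
    "<134> 2024/03/05:14:02:11 GMT ns01 0-PPE-0 : default TCP CONN_TERMINATE 1001 0 : sample",
    "<134> 03/05/2024:14:02:11 GMT ns01 0-PPE-0 : default TCP CONN_TERMINATE 1002 0 : sample",
    "<143> 2024/03/05:14:02:12 GMT ns01 0-PPE-0 : default SSLVPN LOGIN 1003 0 : sample",
    "<131> 2024/03/05:14:02:13 GMT ns01 0-PPE-0 : default SYSTEM EVENT 1004 0 : sample",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(check_line(line) or "ok", "|", line[:40])
```

A facility or severity mismatch points back at the Log Facility and Log Levels settings, and a timestamp mismatch points at Date Format.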

Provide configuration information to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Tickets & Alerts > All Tickets.
  3. Perform the appropriate action, depending on whether you are:
    • A new customer — In the Ticket Type list, select Onboarding. Then, click the existing [Deploy] Site Config: <ticket_subject> ticket.
    • An existing customer — Click Open a New Ticket.
  4. On the Open a New Ticket page, configure these settings:
    • What is this ticket related to? — Select General request.
    • Subject — Enter Syslog changes.
    • Related ticket (optional) — Keep empty.
    • Message — Enter this information for your Concierge Security® Team (CST):
      • Confirmation that you completed the steps in this configuration guide.
      • The IP address or hostname of the Arctic Wolf Sensor that you used during the configuration.
      • The IP address, timezone, and device type for all sources that you are forwarding.
      • Questions or comments that you have.
  5. Click Send Message.

    Your CST reviews the details to make sure that Arctic Wolf is successfully processing the logs.