Citrix

The current Citrix package mainly covers NetScaler, which provides scalable network infrastructure for high availability, performance, and security of datacenter, branch, cloud, and mobile services. ADC is an application delivery controller that provides flexible delivery services for traditional, containerized and microservice applications from the data center or any cloud. AAA provides security for a distributed Internet environment by allowing any client with the proper credentials to connect securely to protected application servers from anywhere on the Internet.

Ref:

https://www.Citrix.co.in/products/

https://www.Citrix.com/products/NetScaler-adc/

https://www.carlstalhood.com/NetScaler-gateway-11-ssl-vpn/

Main Use Cases

Below are the main use cases for this package:

Covered under Product package:

  • Citrix NetScaler SSL Certificate Expiry Imminent
  • Citrix NetScaler Bad Memory
  • Citrix NetScaler High Severity Events
  • Citrix NetScaler High Bandwidth Utilization Events
  • Citrix NetScaler System Restart Imminent

Covered under L1- Entity Monitoring - Indicators and Warnings package:

  • User Account Logon
  • User Account Logoff
  • User Account Logon Failure
  • User Account Brute Force Attempt

Covered under L2- Entity Monitoring - Situational Awareness package:

  • Privileged User Account Logoff
  • Privileged User Account Logon
  • Privileged User Account Logon Failure

Covered under L1- Host Monitoring - Indicators and Warnings package:

  • Service Stopped
  • Service Started
  • Service Failed
  • Host Started
  • Host Down
  • Host Crash

Covered under L2- Host Monitoring - Situational Awareness package:

  • Essential Service Down on Critical Host
  • Essential Service Started on Critical Host
  • Service Down on Critical Host
  • Service Started on Critical Host
  • Critical Host Crash
  • Critical Host extended Downtime
  • Critical Host Still Down
  • Essential Service Extended Downtime on Critical Host
  • Essential Service Still Down on Critical Host
  • Critical Host Down
  • Critical Host Started

Supported Log Sources (not for Product Packages)

Here are the log source types supported by this package as delivered:

Vendor | Product | Version(s) | Comments
Citrix | NetScaler | |

Download Instructions

The package will be available in MarketPlace soon.

Installation

Follow the instructions to install the package.

Device Configuration

Cookbook configuration instruction for product packages

Configuration - Content Hooks for Product Package

The filters below need to be configured for the L1-Host Monitoring - Indicators and Warnings rules to trigger.

L1 Host Monitoring Filter | URI in P- Citrix NetScaler | Description

/All Filters/ArcSight Activate/Solutions/Host Monitoring/Indicators and Warnings/System Changes/Host Shutdown

Note: Product filters should be added to Use Case Rules with OR statements

  • /All Filters/ArcSight Activate/Core/Product Filters/Citrix/System Changes/Citrix NetScaler Stopped
    /All Filters/ArcSight Activate/Core/Product Filters/Citrix/System Changes/Citrix NetScaler Events for Device Down

This filter detects that the system was shut down.

/All Filters/ArcSight Activate/Solutions/Host Monitoring/Indicators and Warnings/System Changes/Host Started

Note: Product filters should be added to Use Case Rules with OR statements

  • /All Filters/ArcSight Activate/Core/Product Filters/Citrix/System Changes/Citrix NetScaler Events for Device Up
    /All Filters/ArcSight Activate/Core/Product Filters/Citrix/System Changes/Citrix NetScaler Started

This filter detects that the system is up and operational.

/All Filters/ArcSight Activate/Solutions/Host Monitoring/Indicators and Warnings/System Changes/Service Started

Note: Product filters should be added to Use Case Rules with OR statements

  • /All Filters/ArcSight Activate/Core/Product Filters/Citrix/System Changes/Citrix NetScaler Cache Flush Started
    /All Filters/ArcSight Activate/Core/Product Filters/Citrix/System Changes/Citrix NetScaler Events for Monitor Up

This filter detects that the service is started.

/All Filters/ArcSight Activate/Solutions/Host Monitoring/Indicators and Warnings/System Changes/Service Stopped

Note: Product filters should be added to Use Case Rules with OR statements

  • /All Filters/ArcSight Activate/Core/Product Filters/Citrix/System Changes/Citrix NetScaler Events for Monitor Down
    /All Filters/ArcSight Activate/Core/Product Filters/Citrix/System Changes/Citrix NetScaler Cache Flush Stopped

This filter detects that the service is stopped.

/All Filters/ArcSight Activate/Solutions/Host Monitoring/Indicators and Warnings/System Errors/Service Failed

  • /All Filters/ArcSight Activate/Core/Product Filters/Citrix/System Errors/Citrix NetScaler Event for DHCP Server Invalid Setting

This filter detects that a service failed due to an invalid setting.

/All Filters/ArcSight Activate/Solutions/Host Monitoring/Indicators and Warnings/System Errors/Host Crash

  • /All Filters/ArcSight Activate/Core/Product Filters/Citrix/System Errors/Citrix NetScaler Events for Device Out Of Service

This filter detects that the system was out of service.

The filters below need to be configured for the L1-Entity Monitoring - Indicators and Warnings rules to trigger.

L1 Entity Monitoring Filter | URI in P- Citrix NetScaler | Description

/All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Authentication/User Account Logon

Note: Product filters should be added to Use Case Rules with OR statements

  • /All Filters/ArcSight Activate/Core/Product Filters/Citrix/Entity Authentication/Citrix NetScaler AAA TM Login Events
    /All Filters/ArcSight Activate/Core/Product Filters/Citrix/Entity Authentication/Citrix NetScaler SSLVPN Login Events

This filter detects when a user was authenticated and logged in successfully.

/All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Authentication/User Account Logoff

Note: Product filters should be added to Use Case Rules with OR statements

  • /All Filters/ArcSight Activate/Core/Product Filters/Citrix/Entity Authentication/Citrix NetScaler AAA TM Logout Events
    /All Filters/ArcSight Activate/Core/Product Filters/Citrix/Entity Authentication/Citrix NetScaler SSLVPN Logout Events

This filter detects when a user was logged out successfully.

/All Filters/ArcSight Activate/Solutions/Entity Monitoring/Indicators and Warnings/Entity Authentication/User Account Logon Failure

Note: Product filters should be added to Use Case Rules with OR statements

  • /All Filters/ArcSight Activate/Core/Product Filters/Citrix/Entity Authentication/Citrix NetScaler Access Denied due to Policy Events
    /All Filters/ArcSight Activate/Core/Product Filters/Citrix/Entity Authentication/Citrix NetScaler Login Failure Events

This filter detects that a login attempt failed.

Resources

PCitrixResources contains resources for this product package.

Uninstallation

Follow the instructions to uninstall the package.

Test Plan

PCitrixTestPlan provides the methodology for testing this package.


-- GeorgeBoitano - 26 Jan 2016

Topic attachments

Attachment | Size | Date | Who | Comment
CitrixESMConverted.events | 52951.6 K | 06 Sep 2019 - 23:58 | YunPeng | Replay events

Topic revision: r6 - 08 Oct 2019, YunPeng


 

