-
Notifications
You must be signed in to change notification settings - Fork 510
Citrix adc update documentation #15824
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Open
jrmolin
wants to merge
10
commits into
elastic:main
Choose a base branch
from
jrmolin:citrix_adc-update_documentation
base: main
Could not load branches
Branch not found: {{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline,
and old review comments may become outdated.
+824
−613
Open
Changes from all commits
Commits
Show all changes
10 commits
Select commit
Hold shift + click to select a range
30f89e7
remove the keyword field from the pipeline. it should not be used for…
jrmolin d8eb47e
Merge branch 'main' of github.com:elastic/integrations
jrmolin 35050a4
Merge branch 'main' of github.com:elastic/integrations
jrmolin c702b6d
Merge branch 'main' of github.com:elastic/integrations
jrmolin 3442f57
Merge branch 'main' of github.com:elastic/integrations
jrmolin e8d6d10
Merge branch 'main' of github.com:elastic/integrations
jrmolin a3d076e
Merge branch 'main' of github.com:elastic/integrations
jrmolin 14a9d6f
get in line
jrmolin b04605e
elastic-package update documentation
jrmolin bf15770
fix an incorrect kibana version minimum
jrmolin File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,166 +1,180 @@ | ||
| # Citrix ADC Integration | ||
|
|
||
| ## Overview | ||
|
|
||
| The Citrix ADC integration allows you to monitor your Citrix ADC instance. Citrix ADC is an application delivery controller that performs application-specific traffic analysis to intelligently distribute, optimize, and secure Layer 4 - Layer 7 (L4–L7) network traffic for web applications. | ||
|
|
||
| The Citrix Web App Firewall prevents security breaches, data loss, and possible unauthorized modifications to websites that access sensitive business or customer information. It does so by filtering both requests and responses, examining them for evidence of malicious activity, and blocking requests that exhibit such activity. Your site is protected not only from common types of attacks, but also from new, as yet unknown attacks. In addition to protecting web servers and websites from unauthorized access, the Web App Firewall protects against vulnerabilities in legacy CGI code or scripts, web frameworks, web server software, and other underlying operating systems. | ||
|
|
||
| Use the Citrix ADC integration to: | ||
|
|
||
| Collect metrics related to the interface, lbvserver, service, system, vpn and logs. | ||
| Create visualizations to monitor, measure and analyze the usage trend and key data, and derive business insights. | ||
| Create alerts to reduce the MTTD and also the MTTR by referencing relevant logs when troubleshooting an issue. | ||
|
|
||
| As an example, you can use the data from this integration to understand the load of the virtual servers, client-server connections, requests and responses across the Citrix ADC. | ||
|
|
||
| ## Data streams | ||
|
|
||
| The Citrix ADC integration collects metrics data. | ||
|
|
||
| Metrics give you insight into the statistics of the Citrix ADC. Metrics data streams collected by the Citrix ADC integration include [interface](https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/statistics/network/interface/), [lbvserver](https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/statistics/lb/lbvserver/), [service](https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/statistics/basic/service/), [system](https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/statistics/system/system/) and [vpn](https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/statistics/vpn/vpn/), so that the user could monitor and troubleshoot the performance of the Citrix ADC instances. | ||
|
|
||
| **Log** is used to retrieve Citrix Netscaler logs. See more details in the documentation [here](https://developer-docs.netscaler.com/en-us/netscaler-syslog-message-reference/current-release). | ||
|
|
||
| **NOTE:** You can monitor metrics and logs inside the ingested documents for Citrix ADC in the `logs-*` index pattern from `Discover`. | ||
|
|
||
| ## Compatibility | ||
|
|
||
| This integration has been tested against Citrix ADC `v13.0`, `v13.1` and `v14.1`. | ||
|
|
||
| ## Requirements | ||
|
|
||
| Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). | ||
|
|
||
| The minimum **Kibana version** required is **8.12.0**. | ||
|
|
||
| You need Elasticsearch for storing and searching your data and Kibana for visualizing and managing it. You can use our hosted Elasticsearch Service on Elastic Cloud, which is recommended, or self-manage the Elastic Stack on your own hardware. | ||
|
|
||
| To ingest data from Citrix ADC, you must know the host(s) and the administrator credentials for the Citrix ADC instance. | ||
|
|
||
| Host Configuration Format: `http[s]://<hostname>:<port>` | ||
| Example Host Configuration: `http://example.com:9090` | ||
|
|
||
| ## Setup | ||
|
|
||
| For step-by-step instructions on how to set up an integration, check the [quick start](integrations://docs/extend/quick-start.md). | ||
|
|
||
| **NOTE:** It is recommended to configure the application firewall to enable CEF-formatted logs. | ||
|
|
||
| ### Configure CEF format | ||
|
|
||
| 1. Navigate to **Security** the NetScaler GUI. | ||
| 2. Click **Application Firewall** node. | ||
| 3. Select Change Engine Settings. | ||
| 4. Enable CEF Logging. | ||
|
|
||
| ### Configure Syslog format | ||
|
|
||
| You can use the Citrix WAF GUI to configure syslog servers and WAF message types to be sent to the syslog servers. Refer to [How to Send Application Firewall Messages to a Separate Syslog Server](https://support.citrix.com/s/article/CTX138973-how-to-send-application-firewall-messages-to-a-separate-syslog-server) and [How to Send NetScaler Application Firewall Logs to Syslog Server and NS.log](https://support.citrix.com/s/article/CTX483235-send-logs-to-external-syslog-server?language=en_US) for details. | ||
|
|
||
| **NOTE:** Using RFC 5424 compliant syslog messages is recommended when using syslog, if supported by NetScaler. Support for RFC 5424 was added in NetScaler 14.1. Refer to [Configuring audit log action](https://docs.netscaler.com/en-us/citrix-adc/current-release/system/audit-logging/configuring-audit-logging.html#configuring-audit-log-action). | ||
|
|
||
| ## Validation | ||
|
|
||
| After the integration is successfully configured, click the Assets tab of the Citrix ADC Integration to display a list of available dashboards. The dashboard for your configured datastream should be populated with the required data. | ||
|
|
||
| ### Enable the integration in Elastic | ||
|
|
||
| 1. In Kibana navigate to **Management** > **Integrations**. | ||
| 2. In the search bar, type **Citrix ADC**. | ||
| 3. Select the **Citrix ADC** integration and add it. | ||
| 4. While adding the integration, if you want to collect logs via logfile, keep **Collect logs from Citrix ADC via file** toggle on and then configure following parameters: | ||
| - Paths | ||
|
|
||
| or if you want to collect logs via TCP, keep **Collect logs from Citrix ADC via TCP** toggle on and then configure following parameters: | ||
| - Listen Address | ||
| - Listen Port | ||
|
|
||
| or if you want to collect logs via UDP, keep **Collect logs from Citrix ADC via UDP** toggle on and and then configure following parameters: | ||
| - Listen Address | ||
| - Listen Port | ||
| 5. Save the integration. | ||
|
|
||
| ### Troubleshooting | ||
|
|
||
| #### Dummy values | ||
|
|
||
| It is possible that for some fields, Citrix ADC sets dummy values. For example, a field `cpuusagepcnt` is represented by `citrix_adc.system.cpu.utilization.pct`. `cpuusagepcnt` is set to `4294967295` for some [instances](https://github.com/citrix/citrix-adc-metrics-exporter/issues/44). If you also encounter it for some fields, reach out to the [Citrix ADC support team](https://support.citrix.com/plp/products/citrix_adc/tabs/popular-solutions). | ||
|
|
||
| #### Type conflicts | ||
|
|
||
| If `host.ip` is shown conflicted under ``logs-*`` data view, this issue can be solved by [reindexing](https://www.elastic.co/guide/en/elasticsearch/reference/current/use-a-data-stream.html#reindex-with-a-data-stream) the ``Interface``, ``LBVserver``, ``Service``, ``System``, and ``VPN`` data stream's indices. | ||
|
|
||
| ## Metrics reference | ||
|
|
||
| ### Interface | ||
|
|
||
| This is the `interface` data stream. The Citrix ADC interfaces are numbered in slot/port notation. In addition to modifying the characteristics of individual interfaces, you can configure virtual LANs to restrict traffic to specific groups of hosts. `interface` data stream collects metrics related to id, state, inbound packets, outbound packets and received packets. | ||
|
|
||
| {{event "interface"}} | ||
|
|
||
| **ECS Field Reference** | ||
|
|
||
| Please refer to the following [document](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html) for detailed information on ECS fields. | ||
|
|
||
| {{fields "interface"}} | ||
|
|
||
| ### Load Balancing Virtual Server | ||
|
|
||
| This is the `lbvserver` data stream. The load balancing server is logically located between the client and the server farm, and manages traffic flow to the servers in the server farm. `lbvserver` data stream collects metrics related to name, state, client connections, requests and responses. | ||
|
|
||
| {{event "lbvserver"}} | ||
|
|
||
| **ECS Field Reference** | ||
|
|
||
| Please refer to the following [document](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html) for detailed information on ECS fields. | ||
|
|
||
| {{fields "lbvserver"}} | ||
|
|
||
| ### Service | ||
|
|
||
| This is the `service` data stream. With the help of the service endpoint, metrics like throughput, client-server connections, request bytes can be collected along with other statistics for Service resources. `service` data stream collects metrics related to name, IP address, port, throughput and transactions. | ||
|
|
||
| {{event "service"}} | ||
|
|
||
| **ECS Field Reference** | ||
|
|
||
| Please refer to the following [document](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html) for detailed information on ECS fields. | ||
|
|
||
| {{fields "service"}} | ||
|
|
||
| ### System | ||
|
|
||
| This is the `system` data stream. With the help of the system endpoint, metrics like memory in use, total system memory, CPU count can be collected along with other statistics for system resources. | ||
|
|
||
| {{event "system"}} | ||
|
|
||
| **ECS Field Reference** | ||
|
|
||
| Please refer to the following [document](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html) for detailed information on ECS fields. | ||
|
|
||
| {{fields "system"}} | ||
|
|
||
| ### VPN | ||
|
|
||
| This is the `vpn` data stream. Citrix VPN is the add-on that provides full Secure Sockets Layer (SSL) virtual private network (VPN) capabilities to Citrix Gateway, allowing users to access remote applications on internal networks securely. `vpn` data stream collects metrics like CPS, ICA license, client-server requests, file system and sockets. | ||
|
|
||
| {{event "vpn"}} | ||
|
|
||
| **ECS Field Reference** | ||
|
|
||
| Check this [reference document](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html) for more information on ECS fields. | ||
|
|
||
| {{fields "vpn"}} | ||
|
|
||
| ### Logs | ||
|
|
||
| The `citrix_adc.log` dataset provides events from the configured syslog server. | ||
|
|
||
| {{event "log"}} | ||
|
|
||
| **ECS Field Reference** | ||
|
|
||
| Check this [reference document](https://www.elastic.co/guide/en/ecs/current/ecs-field-reference.html) for more information on ECS fields. | ||
|
|
||
| {{fields "log"}} | ||
| # Citrix ADC Integration for Elastic | ||
|
|
||
| ## Overview | ||
|
|
||
| The Citrix ADC integration for Elastic collects logs and metrics from your Citrix ADC instances, providing real-time visibility into network activity, threat detection, and security operations. This integration allows you to monitor the health and performance of your Citrix ADC environment, ingest Citrix NetScaler logs for security and operational analysis, and use pre-built dashboards to visualize trends and derive insights. | ||
|
|
||
| ### Compatibility | ||
|
|
||
| This integration has been tested and is compatible with Citrix ADC versions `v13.0`, `v13.1`, and `v14.1`. | ||
|
|
||
| The minimum required Kibana version is `8.13.0`. | ||
|
|
||
| ### How it works | ||
|
|
||
| This integration uses the Elastic Agent to collect data from Citrix ADC instances. Metrics are collected by polling the Citrix NITRO APIs via HTTP/JSON, while logs are collected from syslog messages (CEF or RFC 5424 compliant) or log files. | ||
|
|
||
| ## What data does this integration collect? | ||
|
|
||
| The Citrix ADC integration collects the following types of data: | ||
|
|
||
| * **Metrics:** `interface`, `lbvserver`, `service`, `system`, and `vpn` metrics are collected via HTTP/JSON polling of the Citrix NITRO APIs. | ||
| * **Logs:** Citrix NetScaler syslog events are collected. CEF format is recommended for Web Application Firewall (WAF) events, and RFC 5424-compliant syslog is recommended for other log types (supported in NetScaler 14.1+). | ||
|
|
||
| ### Supported use cases | ||
|
|
||
| * Monitor Citrix ADC health and performance across `interface`, `lbvserver`, `service`, `system`, and `vpn` data streams. | ||
| * Ingest Citrix NetScaler logs (CEF or syslog) for security and operational visibility. | ||
| * Use provided dashboards to visualize trends, measure usage, and derive insights. | ||
| * Create alerts to reduce MTTD/MTTR and reference logs when troubleshooting. | ||
| * Understand virtual server load, client/server connections, requests, and responses across Citrix ADC. | ||
|
|
||
| ## What do I need to use this integration? | ||
|
|
||
| ### Vendor prerequisites | ||
|
|
||
| * Host(s) and administrator credentials for the Citrix ADC instance. | ||
| * Host format: `http[s]://<hostname>:<port>` (example: `http://example.com:9090`). | ||
| * Access to the NetScaler GUI to enable CEF logging and/or configure syslog servers. | ||
|
|
||
| ### Elastic prerequisites | ||
|
|
||
| * An installed and enrolled Elastic Agent. | ||
| * Kibana version `>= 8.13.0` and an available Elasticsearch cluster. | ||
| * Permissions to add the Citrix ADC integration in Kibana. | ||
|
|
||
| ## How do I deploy this integration? | ||
|
|
||
| ### Agent-based deployment | ||
|
|
||
| Elastic Agent must be installed. For more details, check the Elastic Agent [installation instructions](docs-content://reference/fleet/install-elastic-agents.md). You can install only one Elastic Agent per host. | ||
|
|
||
| Elastic Agent is required to stream data from the syslog or log file receiver and ship the data to Elastic, where the events will then be processed via the integration's ingest pipelines. | ||
|
|
||
| ### Onboard / configure | ||
|
|
||
| #### Vendor set up steps | ||
|
|
||
| ##### Configure CEF format (recommended for WAF events) | ||
|
|
||
| 1. Navigate to **Security** in the NetScaler GUI. | ||
| 2. Click **Application Firewall**. | ||
| 3. Select **Change Engine Settings**. | ||
| 4. Enable **CEF Logging**. | ||
|
|
||
| ##### Configure Syslog format (if not using CEF) | ||
|
|
||
| * Use the Citrix WAF GUI to configure syslog servers and message types to be sent. | ||
| * RFC 5424-compliant syslog is recommended when supported (NetScaler 14.1+). See [Configuring audit log action](https://docs.netscaler.com/en-us/citrix-adc/current-release/system/audit-logging/configuring-audit-logging.html#configuring-audit-log-action). | ||
| * **References:** | ||
| * [How to Send Application Firewall Messages to a Separate Syslog Server](https://support.citrix.com/s/article/CTX138973-how-to-send-application-firewall-messages-to-a-separate-syslog-server) | ||
| * [How to Send NetScaler Application Firewall Logs to Syslog Server and NS.log](https://support.citrix.com/s/article/CTX483235-send-logs-to-external-syslog-server?language=en_US) | ||
|
|
||
| #### Kibana set up steps | ||
|
|
||
| 1. In Kibana, go to **Management > Integrations**. | ||
| 2. Search for “Citrix ADC”. | ||
| 3. Select the Citrix ADC integration and add it. | ||
| 4. Choose how to collect logs and configure the parameters: | ||
| * **File:** set **Paths**. | ||
| * **TCP:** set **Listen Address** and **Listen Port**. | ||
| * **UDP:** set **Listen Address** and **Listen Port**. | ||
| 5. Save the integration. | ||
|
|
||
| ### Validation | ||
|
|
||
| After configuration, open the Citrix ADC integration’s **Assets** tab to view the available dashboards. They should populate with data for the configured datasets. You can also verify metrics and logs in **Discover** under the `logs-*` data view. | ||
|
|
||
| ## Troubleshooting | ||
|
|
||
| For help with Elastic ingest tools, check [Common problems](https://www.elastic.co/docs/troubleshoot/ingest/fleet/common-problems). | ||
|
|
||
| ### Common Configuration Issues | ||
|
|
||
| * **Dashboards not populated:** verify the chosen log collection method (file/TCP/UDP) is enabled and correctly configured. | ||
| * **Logs not parsed as expected:** prefer CEF logging and ensure RFC 5424-compliant syslog is enabled when supported (14.1+). | ||
|
|
||
| ### Ingestion Errors | ||
|
|
||
| * **Type conflicts** (for example, `host.ip` under `logs-*`): reindex the `Interface`, `LBVserver`, `Service`, `System`, and `VPN` data stream indices. | ||
|
|
||
| ## Scaling | ||
|
|
||
| For more information on architectures that can be used for scaling this integration, check the [Ingest Architectures](https://www.elastic.co/docs/manage-data/ingest/ingest-reference-architectures) documentation. | ||
|
|
||
| Prefer CEF logging for application firewall events; use RFC 5424-compliant syslog where supported (NetScaler 14.1+). Choose the appropriate log transport (file, TCP, or UDP) based on volume and reliability needs. Use multiple Agent inputs or scale syslog receivers as ingestion volume increases. | ||
|
|
||
| ## Reference | ||
|
|
||
| ### Interface | ||
|
|
||
| The `interface` data stream collects metrics related to id, state, inbound packets, outbound packets and received packets. | ||
|
|
||
| #### Interface fields | ||
|
|
||
| {{ fields "interface" }} | ||
|
|
||
| {{ event "interface" }} | ||
|
|
||
| ### Load Balancing Virtual Server | ||
|
|
||
| The `lbvserver` data stream collects metrics related to name, state, client connections, requests and responses. | ||
|
|
||
| #### Load Balancing Virtual Server fields | ||
|
|
||
| {{ fields "lbvserver" }} | ||
|
|
||
| {{ event "lbvserver" }} | ||
|
|
||
| ### Service | ||
|
|
||
| The `service` data stream collects metrics like throughput, client-server connections, request bytes can be collected along with other statistics for Service resources. | ||
|
|
||
| #### Service fields | ||
|
|
||
| {{ fields "service" }} | ||
|
|
||
| {{ event "service" }} | ||
|
|
||
| ### System | ||
|
|
||
| The `system` data stream collects metrics like memory in use, total system memory, CPU count can be collected along with other statistics for system resources. | ||
|
|
||
| #### System fields | ||
|
|
||
| {{ fields "system" }} | ||
|
|
||
| {{ event "system" }} | ||
|
|
||
| ### VPN | ||
|
|
||
| The `vpn` data stream collects metrics like CPS, ICA license, client-server requests, file system and sockets. | ||
|
|
||
| #### VPN fields | ||
|
|
||
| {{ fields "vpn" }} | ||
|
|
||
| {{ event "vpn" }} | ||
|
|
||
| ### Logs | ||
|
|
||
| The `citrix_adc.log` dataset provides events from the configured syslog server. | ||
|
|
||
| #### Logs fields | ||
|
|
||
| {{ fields "log" }} | ||
|
|
||
| {{ event "log" }} | ||
|
|
||
| ### Inputs used | ||
| {{ inputDocs }} | ||
|
|
||
| ### API usage | ||
|
|
||
| These APIs are used with this integration: | ||
|
|
||
| * [Interface](https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/statistics/network/interface/) | ||
| * [LBVserver](https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/statistics/lb/lbvserver/) | ||
| * [Service](https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/statistics/basic/service/) | ||
| * [System](https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/statistics/system/system/) | ||
| * [VPN](https://developer-docs.citrix.com/projects/netscaler-nitro-api/en/12.0/statistics/vpn/vpn/) | ||
Oops, something went wrong.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@jrmolin I feel the troubleshoot section is actually worst than the original one.
what happened to this section? Is it not valuable in documentation?
Dummy values
It is possible that for some fields, Citrix ADC sets dummy values. For example, a field cpuusagepcnt is represented by citrix_adc.system.cpu.utilization.pct. cpuusagepcnt is set to 4294967295 for some netscaler/netscaler-adc-metrics-exporter#44. If you also encounter it for some fields, reach out to the Citrix ADC support team.
Type conflicts
If host.ip is shown conflicted under logs-* data view, this issue can be solved by reindexing the Interface, LBVserver, Service, System, and VPN data stream's indices.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think if you put more content from the original readme into service_info, you'll get something that's more similar to the original