Audit Logs Test
Auditing is a methodical examination or review of a condition or situation. The Audit Logging feature enables you to log the Citrix ADC states and status information collected by various modules in the kernel and in the user-level daemons. For audit logging, you have the options to configure SYSLOG, the native NSLOG protocol, or both.
SYSLOG is a standard protocol for logging. It has two components: the SYSLOG auditing module, which runs on the ADC appliance, and the SYSLOG server, which can run on the underlying FreeBSD operating system (OS) of the ADC appliance or on a remote system. SYSLOG uses the User Datagram Protocol (UDP) for the transfer of data.
When you run a SYSLOG server, it connects to the ADC appliance. The ADC appliance then starts sending all the log information to the SYSLOG server, and the server can filter the log entries before storing them in a log file. A SYSLOG server can receive log information from more than one ADC appliance, and an ADC appliance can send log information to more than one SYSLOG server or NSLOG server.
Using this test, you can monitor the transfer of log information from the ADC appliance to the SYSLOG server, so that you can instantly spot bottlenecks in data transfer and identify the probable causes: Is it because of NAT/NSB allocation failures? Is it because memory allocations of the Access Gateway context structure failed? Is it due to too many port allocation failures?
Target of the test : An ADC VPX/MPX
Agent deploying the test : A remote agent
Outputs of the test : One set of results for each load balancing virtual server configured on the ADC appliance being monitored.
Parameter | Description |
---|---|
Test Period | How often should the test be executed. |
Host | The IP address of the host for which the test is being configured. |
NetScaler Username and NetScaler Password | To monitor an ADC device, the eG agent should be configured with the credentials of a user with read-only privileges to the target ADC device. Specify the credentials of such a user in the NetScaler Username and NetScaler Password text boxes. |
SSL | The eG agent collects performance metrics by invoking NITRO (ADC Interface Through Restful interfaces and Objects) APIs on the target ADC device. Typically, the NITRO APIs can be invoked through the HTTP or the HTTPS mode. By default, the eG agent invokes the NITRO APIs using the HTTPS mode, which is why the SSL flag is set to Yes by default. If the target ADC device is not SSL-enabled, then the NITRO APIs can be accessed through the HTTP mode only. In this case, set the SSL flag to No. |
Measurement | Description | Measurement Unit | Interpretation |
---|---|---|---|
Logs sent to the syslog servers | Indicates the number of Syslog messages sent to the Syslog server during the last measurement period. | Number | |
Logs not sent to the syslog servers | Indicates the number of Syslog messages that were not sent to the Syslog server during the last measurement period. | Number | |
Log messages generated | Indicates the number of Syslog messages that were about to be sent to the Syslog server during the last measurement period. | Number | If the value of this measure is a lot higher than the value of the Logs not sent to the syslog servers measure, it could indicate bottlenecks in message transmission. Further investigation is hence recommended. |
NAT allocation failed | Indicates the number of NAT allocations that failed during the last measurement period. | Number | |
NSB allocation failed | Indicates the number of ADC Buffer (NSB) allocations that failed during the last measurement period. | Number | |
Memory allocation failed | Indicates the failures in memory allocation of the Access Gateway context structure during the last measurement period. | Number | When an Access Gateway session is established, the ADC appliance creates an internal context structure, which identifies the user and the IP address from which the user has logged in. |
Port allocation failed | Indicates the number of times the ADC failed to allocate a port when sending a syslog message to the syslog server during the last measurement period. | Number | These measures serve as effective indicators of data/packet load on a virtual server. |
NAT lookup failed | Indicates the number of NAT lookups that failed during the last measurement period. | Number | |
Context not found | Indicates the failures in finding the context structure for an Access Gateway session during attempts to send session-specific audit messages during the last measurement period. | Number | During an Access Gateway session, audit messages related to the session are queued up in the auditlog buffer for transmission to the audit log server(s). If the session is terminated before the messages are sent, the context structure allocated at session creation is removed. This structure is required for sending the queued auditlog messages. If it is not found, then this counter is incremented. |
NSB chain allocation failed | Indicates the number of ADC Buffer (NSB) chain allocations that failed during the last measurement period. | Number | |
Client connect failed | Indicates the number of times the connection between the ADC and the auditserver tool (the ADC's custom logging tool) failed to establish during the last measurement period. | Number | |
Multiprocessor buffer flush command count | Indicates the number of auditlog buffer flushes during the last measurement period. | Number | In a multiprocessor ADC appliance, both the main processor and the co-processor can generate auditlog messages and fill up the auditlog buffers. But only the primary processor can free up the buffers by sending auditlog messages to the auditlog server(s). The number of auditlog buffers is fixed. If the co-processor detects that all the auditlog buffers are full, then it issues a flush command to the main processor. |
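
Because an unsent audit message is a gap in the audit trail, the measures above are worth triaging together for each measurement period. The following is an added example, not eG or Citrix code: it takes one period's values keyed by the measure names on this page, computes the share of generated messages that were not sent, and ranks the non-zero failure measures as probable causes. The function name `triage`, the status labels, the `max_loss_ratio` threshold and the sample values are assumptions made for illustration.

```python
# Added example: triage of one measurement period of the Audit Logs test.
# Keys are this page's measure names; statuses and sample values are constructed.

# Failure measures from the table, paired with what a non-zero value points to.
CAUSES = {
    "NAT allocation failed": "NAT allocation failures",
    "NSB allocation failed": "ADC buffer (NSB) allocation failures",
    "NSB chain allocation failed": "ADC buffer (NSB) chain allocation failures",
    "Memory allocation failed": "Access Gateway context structure not allocated",
    "Port allocation failed": "no port allocated for the syslog send",
    "NAT lookup failed": "NAT lookup failures",
    "Context not found": "session ended before its queued audit messages were sent",
    "Client connect failed": "connection to the auditserver tool not established",
}

def triage(sample, max_loss_ratio=0.0):
    """Return (status, loss_ratio, probable_causes) for one measurement period."""
    generated = sample.get("Log messages generated", 0)
    not_sent = sample.get("Logs not sent to the syslog servers", 0)
    if generated:
        loss_ratio = not_sent / generated
    else:
        # Idle period, or unsent messages with nothing generated: treat the
        # latter as total loss instead of dividing by zero.
        loss_ratio = 1.0 if not_sent else 0.0
    # Rank the non-zero failure measures, largest first.
    causes = sorted(
        ((name, sample[name]) for name in CAUSES if sample.get(name, 0) > 0),
        key=lambda item: item[1], reverse=True)
    if not_sent > 0 and loss_ratio > max_loss_ratio:
        status = "AUDIT_GAP"   # messages were dropped in this period
    elif causes:
        status = "DEGRADED"    # failures recorded, nothing reported unsent
    else:
        status = "OK"
    return status, round(loss_ratio, 4), [(n, v, CAUSES[n]) for n, v in causes]

# Constructed sample period: 100 of 2000 messages not sent.
SAMPLE = {
    "Log messages generated": 2000,
    "Logs sent to the syslog servers": 1900,
    "Logs not sent to the syslog servers": 100,
    "Port allocation failed": 80,
    "NSB allocation failed": 20,
}

if __name__ == "__main__":
    print(triage(SAMPLE))
```

With the default threshold of 0.0, any period that reports unsent messages is flagged; raise `max_loss_ratio` only if some loss is tolerated for the log source in question.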