DRAFT: Httpaccess logging into Azure Sentinel on Citrix Netscaler

Tested on: 12.0
There is a lot clout about the Citrix vulnerability Citrixmash cve-2019-19781 (Citrix netscaler issue) and the thread is seriously going over the news daily now.

If you have Citrix Netscaler / ADC running you might want to get more visibility the traffic of your nodes.

To help you collect httpaccess log and gain insight, in this blog I will cover how you can send the httpaccess logs to your Log Analytics agent. From there youso you can monitor it from Log Analytics and Sentinel.

To deploy this solution you do not have to reboot your Netscaler. You just have to restart Apache which will happen in a split second. You can remove the changes the same way without a reboot.

Requirements:

  • Azure Log Analytics,
  • Azure Sentinel,
  • a machine that runs the Log Analytics Agent with CEF enabled (as a proxy syslog server)
  • Administrative access to your Netscaler node using SSH

To get you up to speed I have a docker image that contains the Log Analytics Agent and has CEF enabled. I run this on AKS but you can choose however you want this to run. You could also build this solution on a regular server more information about this: on the website of Microsoft

You might want to test that configuration. If you have Python running you can use my little python script to test it out.
You can find this here: in my github repo

Once you see the test messages arrive into Log Analytics it is time to send those access logs onto our proxy syslog server.
We are going to:

  1. Login onto the Netscaler.
  2. Open configuration.
  3. Add a new LogFormat, actually in CEF.
  4. Add a new CustomLog with our new LogFormat to send it instantly over UDP to our proxy syslog server.
  5. Lastly we check our config and restart apache.
  6. That’s all…

1. Login

SSH to the Netscaler and login with your administrative account.

In the console type and run the command ‘shell’

2. Open configuration

Now we are going to change the configuration of httpd which is actually Apache
In the console type and run ‘vi /etc/httpd.conf’

An editor opens and we are in command mode.

3. Add a new LogFormat

First, we are going to add a LogFormat.
Search for LogFormat by typing /LogFormat and press enter

copy the following text, make sure you include the tab before the line or insert it later.

 

Inside your console press O (capital ohw), this will insert a line and switch to insert mode

Paste inside your console, make sure this line is one line only, and tabbed like the other LogFormats

Press escape

4. Add CustomLog

Search for CustomLog by typing /CustomLog and press enter

copy the following text to somewere you can edit and replace <IP address> with the IP address of your proxy syslog server and copy it again, make sure there are 4 spaces in front. 🧐

I had to deal with all this crazyness of these spaces and tabs… just keep those lines lined up, otherwise apache isn’t going to like it.😇

Paste it into the console

press escape

type :wq!

Next we are going to copy the httpd configuration file to /nsconfig
This is the location from where the Netscaler configuration restored.
In the console type and run ‘cp /etc/httpd.conf /nsconfig’

5. Last Check!

Now it is time to restart apache, but first we make sure the configuration changes we applied won’t mess things up.

In the console type and run ‘apachectl -t’
apachectl will check if the configuration is runnable and if everything is correct it will return “Syntax OK”
So now it is time to really restart the http deamon of Apache

In the console type and run ‘apachectl graceful’

If you need to alter anything in the future edit the file in nsconfig!

 

 

 

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

This site uses Akismet to reduce spam. Learn how your comment data is processed.