Tested on: 12.0
There is a lot of talk about the Citrix vulnerability Citrixmash (CVE-2019-19781, the Citrix Netscaler issue) and the threat is seriously in the news daily now.
If you have Citrix Netscaler / ADC running you might want more visibility into the traffic of your nodes.
To help you collect the httpaccess log and gain insight, in this blog I will cover how you can send the httpaccess logs to your Log Analytics agent. From there you can monitor it from Log Analytics and Sentinel.
To deploy this solution you do not have to reboot your Netscaler. You just have to restart Apache which will happen in a split second. You can remove the changes the same way without a reboot.
Requirements:
- Azure Log Analytics,
- Azure Sentinel,
- a machine that runs the Log Analytics Agent with CEF enabled (as a proxy syslog server)
- Administrative access to your Netscaler node using SSH
To get you up to speed I have a docker image that contains the Log Analytics Agent and has CEF enabled. I run this on AKS, but you can run it however you want. You could also build this solution on a regular server; Microsoft documents how on its website.
You might want to test that configuration. If you have Python running you can use my little Python script to test it out; you can find it in my GitHub repo.
Once you see the test messages arrive in Log Analytics it is time to send those access logs to our proxy syslog server.
We are going to:
- Login onto the Netscaler.
- Open configuration.
- Add a new LogFormat that writes the access log in CEF.
- Add a new CustomLog with our new LogFormat to send it instantly over UDP to our proxy syslog server.
- Lastly we check our config and restart apache.
- That’s all…
1. Login
SSH to the Netscaler and login with your administrative account.
In the console type and run the command ‘shell’
2. Open configuration
Now we are going to change the configuration of httpd, which is actually Apache.
In the console type and run ‘vi /etc/httpd.conf’
An editor opens and we are in command mode.
3. Add a new LogFormat
First, we are going to add a LogFormat.
Search for LogFormat by typing /LogFormat and pressing enter.
Copy the following text; make sure you include the tab before the line or insert it later.
LogFormat "0|Apache|apache|1.0|%>s|%m %U%q|0|end=%{%b %d %Y %H:%M:%S}t cs2=%H shost=%h src=%a dhost=%V dpt=%p dproc=apache request=%U requestMethod=%m fname=%f cs1=%v cs4Label=Referer cs4=%{Referer}i dvchost=%v dvc=%A deviceProcessName=apache_access_log requestClientApplication=%{User-Agent}i app=HTTP" cef
Inside your console press O (capital letter O); this opens a new line above the cursor and switches to insert mode.
Paste inside your console; make sure this stays one line only and is tabbed like the other LogFormats.
Press escape.
4. Add CustomLog
Search for CustomLog by typing /CustomLog and pressing enter.
Copy the following text somewhere you can edit it, replace <IP address> with the IP address of your proxy syslog server and copy it again; make sure there are 4 spaces in front. 🧐
CustomLog "|/usr/bin/logger -t CEF -h <IP address>" cef
I had to deal with all this craziness of spaces and tabs… just keep those lines lined up, otherwise apache isn’t going to like it. 😇
Paste it into the console.
Press escape.
Type :wq!
Next we are going to copy the httpd configuration file to /nsconfig.
This is the location from which the Netscaler configuration is restored, so the change survives a reboot.
In the console type and run ‘cp /etc/httpd.conf /nsconfig’
5. Last Check!
Now it is time to restart apache, but first we make sure the configuration changes we applied won’t mess things up.
In the console type and run ‘apachectl -t’
apachectl will check whether the configuration is valid; if everything is correct it will return “Syntax OK”.
So now it is time to really restart the http daemon of Apache.
In the console type and run ‘apachectl graceful’
If you need to alter anything in the future edit the file in nsconfig!
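Steps 3 to 5 can also be scripted so the change is reviewable with diff before it goes live and is rolled back automatically if apachectl rejects it. The script below is an added example, not from the original post or from Citrix; it assumes the same LogFormat and CustomLog lines as above, a placeholder proxy address (192.0.2.10 in the usage), and that the edit is run from the Netscaler 'shell' where apachectl and /nsconfig exist. The apply function is only a wrapper around the manual steps; the edit itself works on any copy of httpd.conf and is idempotent.

```shell
#!/bin/sh
# Added example: script the LogFormat/CustomLog edit from steps 3-5.
# Paths, the proxy IP and the temporary file names are assumptions of this example.

# The CEF LogFormat from step 3 (kept as a single line, as Apache requires).
CEF_LOGFORMAT='LogFormat "0|Apache|apache|1.0|%>s|%m %U%q|0|end=%{%b %d %Y %H:%M:%S}t cs2=%H shost=%h src=%a dhost=%V dpt=%p dproc=apache request=%U requestMethod=%m fname=%f cs1=%v cs4Label=Referer cs4=%{Referer}i dvchost=%v dvc=%A deviceProcessName=apache_access_log requestClientApplication=%{User-Agent}i app=HTTP" cef'

# add_cef_logging SRC DST PROXY_IP
# Writes DST = SRC plus the CEF LogFormat (tab-indented, after the last existing
# LogFormat) and the CustomLog (4-space indented, after the last existing CustomLog).
# Idempotent: if a "cef" LogFormat is already present, DST is a plain copy of SRC.
add_cef_logging() {
  src=$1; dst=$2; proxy=$3
  if grep -q '^[[:space:]]*LogFormat .* cef$' "$src"; then
    cp "$src" "$dst"
    return 0
  fi
  custom="CustomLog \"|/usr/bin/logger -t CEF -h $proxy\" cef"
  awk -v lf="$CEF_LOGFORMAT" -v cl="$custom" '
    { lines[NR] = $0 }
    /^[[:space:]]*LogFormat /  { last_lf = NR }
    /^[[:space:]]*CustomLog /  { last_cl = NR }
    END {
      for (i = 1; i <= NR; i++) {
        print lines[i]
        if (i == last_lf) print "\t" lf      # same indentation as the other LogFormats
        if (i == last_cl) print "    " cl    # 4 spaces, like the other CustomLogs
      }
      # Edge case: the file had no LogFormat / CustomLog at all; append at the end.
      if (!last_lf) print "\t" lf
      if (!last_cl) print "    " cl
    }' "$src" > "$dst"
}

# apply_on_netscaler PROXY_IP
# Steps 3-5 end to end on the appliance: edit a copy, show the diff, syntax-check,
# persist to /nsconfig and reload. Rolls back if `apachectl -t` fails.
# Not exercised by the test below; apachectl and /nsconfig only exist on the appliance.
apply_on_netscaler() {
  proxy=$1
  add_cef_logging /etc/httpd.conf /etc/httpd.conf.cef "$proxy" || return 1
  diff -u /etc/httpd.conf /etc/httpd.conf.cef || true   # review what will change
  cp /etc/httpd.conf /etc/httpd.conf.bak                 # rollback copy
  mv /etc/httpd.conf.cef /etc/httpd.conf
  if apachectl -t; then
    cp /etc/httpd.conf /nsconfig && apachectl graceful
  else
    echo "apachectl -t failed, restoring previous httpd.conf" >&2
    mv /etc/httpd.conf.bak /etc/httpd.conf
    return 1
  fi
}

# Usage on the Netscaler (placeholder address): apply_on_netscaler 192.0.2.10
```

Running `diff -u` before the reload is the point of the wrapper: the only two lines that should appear as additions are the LogFormat and the CustomLog, so anything else in the diff means the edit hit an unexpected httpd.conf layout.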