How to Integrate Citrix NetScaler with Azure Sentinel?


Hi Everyone,

 

Hope you guys are doing good amid this pandemic.

 

I want to integrate Citrix NetScaler with Azure Sentinel. I have found the below link to configure Citrix NetScaler to forward logs,

https://support.citrix.com/article/CTX121728

 

I want to know what steps need to be taken at the Azure Sentinel end. I read that we need to have a Linux machine on Azure or a VM on premises which will collect logs from NetScaler or any other syslog source and forward them to Sentinel.

 

Please help with the steps to be carried out at Sentinel end for successful integration.

 

Regards,

Mitesh Agrawal

9 Replies

@MiteshAgrawal Once you have the Syslog forwarder setup, just install the Log Analytics agent from Azure Sentinel. Go into the Syslog Data Connector in Azure Sentinel for the instructions (including downloading and installing the Log Analytics agent for Linux)...

 

[image: syslog.jpg]
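The forwarder described above hands the Log Analytics agent plain RFC 3164 syslog, and the Syslog data connector is configured per facility. The following is an added example, not code from this thread or from Microsoft or Citrix, that parses such lines the way the agent has to: the `<PRI>` prefix into facility and severity, then the hostname, then the message body. Splitting on host and facility is also what lets one forwarder carry a NetScaler and any other syslog device at the same time. The sample lines are constructed, and the NetScaler message layout (`default <module> <event> <id> <n> : <fields>`) is an assumption modelled on typical NetScaler syslog output, not a vendor specification.

```python
"""Parse RFC 3164 syslog lines as a Sentinel syslog forwarder receives them,
split the stream per source host and facility, and pull fields out of a
NetScaler-style message body.  All sample lines are constructed for this
example; the NetScaler body layout is an assumption, not a vendor spec."""
import re
from collections import defaultdict

# Constructed input: three NetScaler lines and one unrelated Linux host that
# share the same forwarder.  The <PRI> prefix encodes facility * 8 + severity,
# so <134> is local0/info and <38> is auth/info.
SAMPLE_LINES = [
    "<134>May 12 10:01:02 netscaler01 05/12/2020:10:01:02 GMT ns 0-PPE-0 : "
    "default SSLVPN LOGIN 1001 0 :  User alice - Client_ip 203.0.113.5 - Vserver 10.0.0.1:443",
    "<134>May 12 10:01:07 netscaler01 05/12/2020:10:01:07 GMT ns 0-PPE-0 : "
    "default AAA LOGIN_FAILED 1002 0 :  User bob - Client_ip 198.51.100.9 - "
    'Failure_reason "External authentication server denied access"',
    "<38>May 12 10:01:09 fw-edge sshd[2211]: Failed password for root from 192.0.2.77 port 51022 ssh2",
    "<134>May 12 10:01:12 netscaler01 05/12/2020:10:01:12 GMT ns 0-PPE-0 : "
    "default AAA LOGIN_FAILED 1003 0 :  User bob - Client_ip 198.51.100.9 - "
    'Failure_reason "External authentication server denied access"',
]

FACILITY_NAMES = {0: "kern", 1: "user", 2: "mail", 3: "daemon", 4: "auth", 5: "syslog",
                  6: "lpr", 7: "news", 8: "uucp", 9: "cron", 10: "authpriv", 11: "ftp"}
FACILITY_NAMES.update({16 + i: "local%d" % i for i in range(8)})
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]

SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<msg>.*)$"
)
# Assumed NetScaler body layout: "... : default <module> <event> <id> <n> :  <fields>"
NS_EVENT_RE = re.compile(r"default (?P<module>\S+) (?P<event>\S+) \d+ \d+ :\s+(?P<fields>.*)$")
# Fields are "Key value" pairs separated by " - "; quoted values may contain spaces.
NS_FIELD_RE = re.compile(r"(?P<key>[A-Za-z_]+) (?P<value>\"[^\"]*\"|\S+)")


def parse_syslog_line(line):
    """Return the fields Sentinel's Syslog table exposes for one line, or None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    pri = int(m.group("pri"))
    if pri > 191:                      # 23 * 8 + 7 is the largest legal PRI
        return None
    facility, severity = divmod(pri, 8)
    return {
        "HostName": m.group("host"),
        "Facility": FACILITY_NAMES.get(facility, "facility%d" % facility),
        "SeverityLevel": SEVERITY_NAMES[severity],
        "SyslogMessage": m.group("msg"),
    }


def parse_netscaler_event(msg):
    """Extract module, event and key/value fields from a NetScaler message body."""
    m = NS_EVENT_RE.search(msg)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in NS_FIELD_RE.findall(m.group("fields"))}
    return {"module": m.group("module"), "event": m.group("event"), **fields}


def split_by_source(lines):
    """Group events per (host, facility): this is what separates devices that share a forwarder."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_syslog_line(line)
        if rec:
            buckets[(rec["HostName"], rec["Facility"])].append(rec)
    return dict(buckets)


def failed_logins_per_client(lines, host, threshold=2):
    """Toy detection: NetScaler LOGIN_FAILED events per client IP on one host, at or above threshold."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_syslog_line(line)
        if not rec or rec["HostName"] != host:
            continue
        ev = parse_netscaler_event(rec["SyslogMessage"])
        if ev and ev["event"] == "LOGIN_FAILED":
            counts[ev.get("Client_ip", "?")] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (host, fac), recs in split_by_source(SAMPLE_LINES).items():
        print(host, fac, len(recs))
    print(failed_logins_per_client(SAMPLE_LINES, "netscaler01"))
```

The `HostName`, `Facility` and `SeverityLevel` keys mirror the columns of the Sentinel `Syslog` table, so the same split (`where HostName == "netscaler01"` or `where Facility == "local0"`) is how a query or analytic rule keeps NetScaler events apart from another device sending through the same collector. Check which facility your NetScaler syslog action is actually set to before relying on the facility filter in the data connector.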

Hi @rodtrent ,

 

Thanks for the quick reply. Can't we get logs without using any Linux machine in between?

 

Regards,

Mitesh Agrawal

@MiteshAgrawal If the Citrix device can support other formats like .csv or .json, then you could use a Windows box as the forwarder. Just setup a custom log (https://docs.microsoft.com/en-us/azure/azure-monitor/platform/data-sources-custom-logs) and install the Log Analytics agent on the Windows box.

 

Not suggesting I know that the Citrix device supports that, but you'll have to check with the vendor to see if they provide alternate instructions.

@rodtrent, so if I use a Windows forwarder, then I need to write a custom parser to parse the logs received from the forwarder to Azure, right? Do we have any documents by following which I can write such parsers?

 

Also, I have one more doubt. Can we use the same Windows forwarder for the Citrix forwarder and any other syslog device? I mean, how will Azure differentiate between the log sources if they both use the same one?

 

Please help.

 

Regards,

Mitesh Agrawal

Hi @MiteshAgrawal 

This is what I found in the Citrix help documents. And it is useful in Azure WVD as well.

An Excerpt:

How to integrate Citrix Analytics with Azure Sentinel

Follow the guidelines mentioned to integrate Citrix Analytics with Azure Sentinel:

  • Data export. Citrix Analytics creates a channel and exports risk intelligence. Azure Sentinel retrieves this risk intelligence from the channel.

  • Get configuration on Citrix Analytics. Create an account with Citrix Analytics to authenticate the Azure Sentinel integration. Citrix Analytics uses the account to prepare a configuration file required for the integration. The configuration file is used to configure the Citrix Analytics Adapter for Azure Sentinel.

  • Download Citrix Analytics Adapter for Azure Sentinel. Download the Citrix Analytics Adapter for Azure Sentinel application from GitHub. The adapter is a Python program that consumes alerts from a tenant-specific Kafka topic that is hosted by Citrix Analytics. You can run the adapter on any physical or virtual machine with Python 2.7 or above. The consumed alerts are posted to Azure Sentinel using REST API.

  • Install Citrix Analytics Adapter for Azure Sentinel. Install the Citrix Analytics Adapter for Azure Sentinel application on a machine so that it can receive the Kafka data. The adapter contains placeholder variables for connecting to Azure Sentinel and the Kafka interface on Citrix Analytics. After installing the adapter, do the following:

    • Replace the placeholder variables related to the Kafka interface with the values obtained from the configuration file that Citrix Analytics has prepared.

    • Replace the Azure Sentinel related placeholder variables (for Workspace ID and API Key) with the respective values from your Azure account.

 

I hope this helps!

Regards.

Abigail
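The excerpt above says the adapter posts consumed alerts to Azure Sentinel "using REST API" and needs a Workspace ID and API key. The block below is an added example, not the Citrix adapter's code and not from this thread, showing how such a request is authenticated, on the assumption that the adapter uses the Azure Monitor HTTP Data Collector API, which is the Log Analytics endpoint that takes exactly those two values. The workspace ID, key and events are constructed dummies; the signing scheme (HMAC-SHA256 over method, content length, content type, `x-ms-date` and resource, keyed with the base64-decoded workspace key, presented as `SharedKey <workspaceId>:<signature>`) is the documented one. A mirror of the server-side check is included so the exchange can be exercised offline.

```python
"""Sign and verify a request to the Azure Monitor HTTP Data Collector API, the
REST endpoint that accepts a Workspace ID plus workspace key and lands JSON
events in a Log Analytics custom table that Sentinel can query.  Workspace ID,
key and events below are constructed dummies."""
import base64
import hashlib
import hmac
import json
import urllib.request
from datetime import datetime, timezone

WORKSPACE_ID = "11111111-2222-3333-4444-555555555555"     # constructed dummy
SHARED_KEY = base64.b64encode(bytes(range(64))).decode()    # constructed dummy; real keys are base64 too
RESOURCE = "/api/logs"
CONTENT_TYPE = "application/json"
API_VERSION = "2016-04-01"


def rfc1123_now():
    """x-ms-date must be an RFC 1123 timestamp in GMT; the service rejects stale ones."""
    return datetime.now(timezone.utc).strftime("%a, %d %b %Y %H:%M:%S GMT")


def string_to_sign(method, content_length, rfc1123_date):
    """The canonical string the SharedKey scheme signs.  Note what it covers:
    method, body length, content type, date and resource.  It does not hash
    the body itself, so body integrity rests on TLS, not on this signature."""
    return "%s\n%d\n%s\nx-ms-date:%s\n%s" % (
        method, content_length, CONTENT_TYPE, rfc1123_date, RESOURCE)


def signature_bytes(shared_key, method, content_length, rfc1123_date):
    """HMAC-SHA256 over the canonical string, keyed with the base64-decoded workspace key."""
    key = base64.b64decode(shared_key)
    msg = string_to_sign(method, content_length, rfc1123_date).encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).digest()


def encode_body(events):
    """The API takes a JSON array of flat objects; each object becomes one row."""
    return json.dumps(events, separators=(",", ":")).encode("utf-8")


def build_headers(workspace_id, shared_key, body, log_type, rfc1123_date=None):
    """Headers for POST /api/logs.  Log-Type names the custom table (the service appends _CL)."""
    date = rfc1123_date or rfc1123_now()
    sig = base64.b64encode(
        signature_bytes(shared_key, "POST", len(body), date)).decode()
    return {
        "Content-Type": CONTENT_TYPE,
        "Authorization": "SharedKey %s:%s" % (workspace_id, sig),
        "Log-Type": log_type,
        "x-ms-date": date,
    }


def verify_authorization(headers, body, expected_workspace_id, shared_key):
    """The receiving side's check, mirrored here so the scheme can be exercised
    offline: parse the header, pin the workspace ID, recompute the HMAC and
    compare in constant time.  (The real service additionally bounds x-ms-date.)"""
    try:
        scheme, rest = headers["Authorization"].split(" ", 1)
        workspace_id, presented = rest.split(":", 1)
        date = headers["x-ms-date"]
    except (KeyError, ValueError):
        return False
    if scheme != "SharedKey" or workspace_id != expected_workspace_id:
        return False
    expected = base64.b64encode(
        signature_bytes(shared_key, "POST", len(body), date)).decode()
    return hmac.compare_digest(presented, expected)


def prepare_post(workspace_id, shared_key, events, log_type, rfc1123_date=None):
    """Return (url, headers, body) without sending, so the request can be inspected or tested."""
    body = encode_body(events)
    url = "https://%s.ods.opinsights.azure.com%s?api-version=%s" % (
        workspace_id, RESOURCE, API_VERSION)
    return url, build_headers(workspace_id, shared_key, body, log_type, rfc1123_date), body


def post_events(workspace_id, shared_key, events, log_type):
    """Actually send (needs network and real credentials); returns the HTTP status, 200 on success."""
    url, headers, body = prepare_post(workspace_id, shared_key, events, log_type)
    req = urllib.request.Request(url, data=body, headers=headers, method="POST")
    with urllib.request.urlopen(req, timeout=30) as resp:
        return resp.status


if __name__ == "__main__":
    sample = [{"Event": "LOGIN_FAILED", "User": "bob", "ClientIp": "198.51.100.9"}]
    url, headers, body = prepare_post(WORKSPACE_ID, SHARED_KEY, sample, "CitrixAnalytics")
    print(url)
    print(headers["Authorization"])
    print(verify_authorization(headers, body, WORKSPACE_ID, SHARED_KEY))
```

Two practical points follow from the scheme. The workspace key is a long-lived shared secret that grants write access to the whole workspace, so whatever box runs the adapter should hold it in a protected configuration store, not in the script's placeholder variables once you leave testing. And because the signature binds the body only by length, anything between the adapter and `ods.opinsights.azure.com` that can tamper with TLS can tamper with the events; pin the expected certificate chain or at least refuse to disable verification on that host.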

After the adapter is installed and configured, do the following:

 

Open your Azure Sentinel Workspace in the Azure portal.

 

In the Configuration section, select Data connectors.

 

Select the Citrix Analytics Data Connector and select the Open connector page. Follow the instructions to connect the events to Azure Sentinel.

 

Select the Next steps tab and select the recommended Workbook to view the sample queries.

Hi @Abigail05,

 

Hope you are doing good. Thanks for your reply.

 

 I believe Citrix Analytics and Citrix NetScaler are different right? Citrix NetScaler in our case is an on-prem solution while Citrix Analytics is a cloud service as an Analytics platform. 

 

Please help.

 

Regards,

Mitesh Agrawal

Hi @Smith_J ,

 

Is Citrix Analytics and Citrix NetScaler the same device?

 

Regards,

Mitesh Agrawal

I came here looking for answers to a similar question and thought I'd share some info about the Citrix products.

Citrix Analytics is a service like Azure Sentinel. It collects logs from different Citrix components and provides analytics for their products.

 

The NetScaler is a Citrix device that does a lot of things.

 

If someone is looking to forward NetScaler logs to Sentinel, they're going to come in as syslog to the Linux collector. Analytics wouldn't come into play unless they were already using Citrix Analytics.

 

Hope that helps...