Configure syslog inputs for the Splunk Add-on for NetScaler
To use Splunk Connect for Syslog to collect syslog data, see the SC4S documentation.
Note
Use SC4S instead of configuring Splunk to listen for syslog messages directly.
If you want to collect syslog data using the Splunk Add-on for NetScaler, first ensure that you have configured your Citrix NetScaler appliance to produce syslog data.
There are two ways to capture the syslog data from Citrix NetScaler:
- If you are using a syslog aggregator, create a file monitor input to monitor the file or files generated by the aggregator.
- Create a UDP input to capture the data sent on the port you have configured in your Citrix NetScaler server.
Note
For information about timestamp processing options for syslog events, see Syslog and timestamps in Splunk Add-ons.
Monitor input
If you are using a syslog aggregator, on the Splunk platform node handling data collection, set up a monitor input to watch the files generated and set the source type to citrix:netscaler:syslog. The CIM mapping and dashboard panels depend on this source type.
See Monitor files and directories in the Splunk Enterprise Getting Data In manual for information about setting up a monitor input.
UDP input
On the Splunk platform node handling data collection, configure the UDP input to match your Citrix NetScaler configuration and set the source type to citrix:netscaler:syslog. The CIM mapping and dashboard panels depend on this source type.
For information on how to configure a Splunk forwarder or single instance to receive a syslog input, see Get data from TCP and UDP ports in the Getting Data In manual.
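An inputs.conf sketch covering both the monitor input and the UDP input described above. It is an added example, not taken from the add-on's own documentation. The file path layout, port 514, and the sender address 192.0.2.10 are assumed placeholders.

```ini
# inputs.conf on the Splunk platform node handling data collection.
# Paths, port, and addresses are placeholders (assumptions);
# keep the stanza that matches your setup.

# Option 1: a syslog aggregator writes files and Splunk monitors them.
# Assumed layout: /var/log/netscaler/<appliance-hostname>/syslog.log
[monitor:///var/log/netscaler/*/*.log]
sourcetype = citrix:netscaler:syslog
# Take the host field from the 4th path segment (<appliance-hostname>).
host_segment = 4
disabled = 0

# Option 2: Splunk listens on the UDP port the NetScaler sends syslog to.
[udp://514]
sourcetype = citrix:netscaler:syslog
# Record the sender's IP address as the host field.
connection_host = ip
# Accept datagrams only from the appliance address (placeholder).
acceptFrom = 192.0.2.10
```

Syslog over UDP carries no sender authentication, so `acceptFrom` narrows who can write events into this source type but does not replace network-level filtering between the appliance and the collector.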
Validate data collection
After you configure the input, run this search to check that you are ingesting the data you expect:
sourcetype=citrix:netscaler:syslog