Release notes for the Splunk Add-on for Citrix NetScaler¶
Version 8.2.3 of the Splunk Add-on for Citrix NetScaler was released on July 22, 2023.
Compatibility¶
Note
Version 8.2.3 of the Splunk Add-on for Citrix NetScaler is not compatible with Internet Explorer.
Version 8.2.3 of the Splunk Add-on for Citrix NetScaler is compatible with the following software, CIM versions, and platforms.
| Software, CIM, platform | Versions |
|---|---|
| Splunk platform versions | 9.0, 9.1.x |
| CIM | 5.0.2 |
| Platforms | Platform independent |
| Vendor Products | Citrix NetScaler versions 11.1, 12.1, 13.0, and 13.1 |
Note
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
Migration guide¶
See Choose your Splunk Enterprise upgrade path for the Python 3 migration for more information on upgrading your Splunk Enterprise deployment to Python 3.
New features¶
Version 8.2.3 of the Splunk Add-on for Citrix NetScaler has the following new features:
- Fixed the security vulnerabilities found in the certifi, urllib3 and semver libraries by upgrading their version from 2022.12.7 to 2023.11.17, 1.26.12 to 1.26.18, and 7.3.8 to 7.5.4 respectively.
- Verified IPv6 compliance checks for the add-on and enhanced TA functionality.
- Verified compatibility with Python 3.9.
Fixed issues¶
Version 8.2.3 of the Splunk Add-on for Citrix NetScaler contains the following fixed issues:
Known issues¶
Version 8.2.3 of the Splunk Add-on for Citrix NetScaler has the following known issues. If no issues appear below, no issues have yet been reported:
Note
SSLVPN LOGIN & LOGOUT samples are not mapped to CIM DM because of a lack of information on the meaning of this sample and its fields. If you have more information about the VPN login and logout events and can provide samples, please reach out to Splunk.
Third-party software attributions¶
Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.
A complete listing of third-party software information for this add-on is available as a text file for download:
Splunk Add-on for Citrix NetScaler third-party software credits
Release history for the Splunk Add-on for Citrix NetScaler¶
The latest version of the Splunk Add-on for Citrix NetScaler is version 8.2.3. See Release notes for the Splunk Add-on for Citrix NetScaler for the release notes of this latest version.
Version 8.2.2¶
Version 8.2.2 of the Splunk Add-on for Citrix NetScaler was released on December 20, 2023.
Compatibility¶
Note
Version 8.2.2 is not compatible with Internet Explorer.
Version 8.2.2 of the Splunk Add-on for Citrix NetScaler is compatible with the following software, CIM versions, and platforms:
| Software, CIM, platform | Versions |
|---|---|
| Splunk platform versions | 8.1, 8.2, 9.0 |
| CIM | 5.0.2 |
| Platforms | Platform independent |
| Vendor products | Citrix NetScaler versions 11.1, 12.1, 13.0, 13.1 |
Note
Field alias functionality is compatible with the current version of this add-on. The current version does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
Migration guide¶
See Choose your Splunk Enterprise upgrade path for Python 3 migration guidance.
New features¶
Version 8.2.2 of the Splunk Add-on for Citrix NetScaler has the following new features:
- Upgraded the third-party certifi library to version 2022.12.7
- Fixed a security vulnerability found in the certifi library.
Fixed issues¶
Version 8.2.2 of the Splunk Add-on for Citrix NetScaler contains the following fixed issues:
Known issues¶
Version 8.2.2 of the Splunk Add-on for Citrix NetScaler has the following known issues. If no issues appear in this section, no issues have yet been reported:
Note
SSLVPN LOGIN & LOGOUT samples are not mapped to CIM DM because of a lack of information on the meaning of this sample and its fields. If you have more information about the VPN login and logout events and can provide samples, contact Splunk.
Third-party software attributions¶
Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.
A complete listing of third-party software information for this add-on is available as a text file for download:
Third-party software attributions for the Splunk Add-on for Citrix NetScaler
Version 8.2.1¶
Version 8.2.1 of the Splunk Add-on for Citrix NetScaler was released on February 22, 2023.
Compatibility¶
Note
Version 8.2.1 of the Splunk Add-on for Citrix NetScaler is not compatible with Internet Explorer.
Version 8.2.1 of the Splunk Add-on for Citrix NetScaler is compatible with the following software, CIM versions, and platforms:
| Software, CIM, platform | Versions |
|---|---|
| Splunk platform versions | 8.1, 8.2, 9.0 |
| CIM | 5.0.2 |
| Platforms | Platform independent |
| Vendor products | Citrix NetScaler versions 11.1, 12.1, 13.0, 13.1 |
Note
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
Migration guide¶
See Choose your Splunk Enterprise upgrade path for the Python 3 migration for more information on upgrading your Splunk Enterprise deployment to Python 3.
New features¶
Version 8.2.1 of the Splunk Add-on for Citrix NetScaler has the following new features:
- Upgraded the third-party certifi library to version 2022.12.7
- Fixed a security vulnerability found in the certifi library.
Known issues¶
Version 8.2.1 of the Splunk Add-on for Citrix NetScaler has the following known issues. If no issues appear in this section, no issues have yet been reported:
Note
SSLVPN LOGIN & LOGOUT samples are not mapped to CIM DM because of a lack of information on the meaning of this sample and its fields. If you have more information about the VPN login and logout events and can provide samples, please reach out to Splunk.
Third-party software attributions¶
Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.
A complete listing of third-party software information for this add-on is available as a text file for download:
Third-party software attributions for the Splunk Add-on for Citrix NetScaler
Version 8.2.0¶
Version 8.2.0 of the Splunk Add-on for Citrix NetScaler was released on October 31, 2022.
Compatibility¶
Note
Version 8.2.0 of the Splunk Add-on for Citrix NetScaler is not compatible with Internet Explorer.
Version 8.2.0 of the Splunk Add-on for Citrix NetScaler is compatible with the following software, CIM versions, and platforms:
| Software, CIM, platform | Versions |
|---|---|
| Splunk platform versions | 8.1, 8.2, 9.0 |
| CIM | 5.0.2 |
| Platforms | Platform independent |
| Vendor products | Citrix NetScaler versions 11.1, 12.1, 13.0, 13.1 |
Migration guide¶
See Choose your Splunk Enterprise upgrade path for the Python 3 migration for more information on upgrading your Splunk Enterprise deployment to Python 3.
New features¶
Version 8.2.0 of the Splunk Add-on for Citrix NetScaler has the following new features:
- Support for Citrix ADC version 13.1. Citrix has rebranded its Citrix NetScaler product line to Citrix ADC.
- CIM 5.0.2 compatibility.
- Support for SC4S for syslog ingestion.
- Fixed missing data ingestion due to jobs deleted from scheduler.
Known issues¶
Version 8.2.0 of the Splunk Add-on for Citrix NetScaler has the following known issues. If no issues appear in this section, no issues have yet been reported:
Note
SSLVPN LOGIN & LOGOUT samples are not mapped to CIM DM because of a lack of information on the meaning of this sample and its fields. If you have more information about the VPN login and logout events and can provide samples, please reach out to Splunk.
Third-party software attributions¶
Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.
A complete listing of third-party software information for this add-on is available as a text file for download:
Third-party software attributions for the Splunk Add-on for Citrix NetScaler
Version 8.1.2¶
Version 8.1.2 of the Splunk Add-on for Citrix NetScaler was released on April 27, 2022.
Compatibility¶
Note
Not compatible with Internet Explorer.
Version 8.1.2 of the Splunk Add-on for Citrix NetScaler is compatible with the following software, CIM versions, and platforms:
| Software, CIM, platform | Versions |
|---|---|
| Splunk platform versions | 8.1, 8.2 |
| CIM | 4.18.1 |
| Platforms | Platform independent |
| Vendor products | Citrix NetScaler versions 11.1, 12.1, 13.0 |
Note
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, see Splunk Enterprise Release Notes.
Migration guide¶
See Choose your Splunk Enterprise upgrade path for the Python 3 migration for more information on upgrading your Splunk Enterprise deployment to Python 3.
New features¶
Version 8.1.2 of the Splunk Add-on for Citrix NetScaler has the following new features:
- Fixed an issue with intermittent data collection.
Fixed issues¶
Version 8.1.2 of the Splunk Add-on for Citrix NetScaler contains the following fixed issues:
Known issues¶
Version 8.1.2 of the Splunk Add-on for Citrix NetScaler has the following known issues. If no issues appear in this section, no issues have yet been reported:
Note
SSLVPN LOGIN & LOGOUT samples are not mapped to CIM DM because of a lack of information on the meaning of this sample and its fields. If you have more information about the VPN login and logout events and can provide samples, please reach out to Splunk.
Third-party software attributions¶
Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.
A complete listing of third-party software information for this add-on is available as a PDF file for download:
Third-party software attributions for the Splunk Add-on for Citrix NetScaler
Version 8.1.1¶
Version 8.1.1 of the Splunk Add-on for Citrix NetScaler was released on August 12, 2021.
Compatibility¶
Note
Version 8.1.1 of the Splunk Add-on for Citrix NetScaler is not compatible with Internet Explorer.
Version 8.1.1 of the Splunk Add-on for Citrix NetScaler is compatible with the following software, CIM versions, and platforms:
| Software, CIM, platform | Versions |
|---|---|
| Splunk platform versions | 8.0, 8.1, 8.2 |
| CIM | 4.18.1 |
| Platforms | Platform independent |
| Vendor products | Citrix NetScaler versions 11.1, 12.1, 13.0 |
Note
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
Migration guide¶
See Choose your Splunk Enterprise upgrade path for the Python 3 migration for more information on upgrading your Splunk Enterprise deployment to Python 3.
New features¶
Version 8.1.1 of the Splunk Add-on for Citrix NetScaler has the following new features:
- Fast and intuitive UI with an improved look and feel
- Removed jquery2 to fix a critical security issue
- Removed Python 2 support; Splunk supports Python 3 from this release onward
Fixed issues¶
Version 8.1.1 of the Splunk Add-on for Citrix NetScaler contains the following fixed issues:
Known issues¶
Version 8.1.1 of the Splunk Add-on for Citrix NetScaler contains the following known issues:
Note
SSLVPN LOGIN & LOGOUT samples are not mapped to CIM DM because of a lack of information on the meaning of this sample and its fields. If you have more information about the VPN login and logout events and can provide samples, please reach out to Splunk.
Third-party software attributions¶
Some of the components included in this add-on are licensed under free or open source licenses. We wish to thank the contributors to those projects.
A complete listing of third-party software information for this add-on is available as a PDF file for download:
Third-party software attributions for the Splunk Add-on for Citrix NetScaler
Version 8.0.0¶
Version 8.0.0 of the Splunk Add-on for Citrix NetScaler was released on January 28, 2021.
Compatibility¶
Note
Version 8.0.0 of the Splunk Add-on for Citrix NetScaler is not compatible with Internet Explorer.
Version 8.0.0 of the Splunk Add-on for Citrix NetScaler is compatible with the following software, CIM versions, and platforms.
| Software, CIM, platform | Versions |
|---|---|
| Splunk platform versions | 7.2, 7.3, 8.0, 8.1 |
| CIM | 4.18 |
| Platforms | Platform independent |
| Vendor products | Citrix NetScaler versions 11.1, 12.1, 13.0 |
Note
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
Migration guide¶
See Choose your Splunk Enterprise upgrade path for the Python 3 migration for more information on upgrading your Splunk Enterprise deployment to Python 3.
New features¶
Version 8.0.0 of the Splunk Add-on for Citrix NetScaler has the following new features:
- Support of Citrix NetScaler ADC v13.0
- Support for Citrix Web Application Firewall events, both standard and CEF formats.
- Support of IPFIX data with Splunk App for Stream.
- Common Information Model (CIM) version 4.18 compatibility.
Fixed issues¶
Version 8.0.0 of the Splunk Add-on for Citrix NetScaler contains the following fixed issues:
Known issues¶
Version 8.0.0 of the Splunk Add-on for Citrix NetScaler has the following known issues. If no issues appear in this section, no issues have yet been reported:
Note
SSLVPN LOGIN & LOGOUT samples are not mapped to CIM DM because of a lack of information on the meaning of this sample and its fields. If you have more information about the VPN login and logout events and can provide samples, please reach out to Splunk.
Third-party software attributions¶
Version 8.0.0 of the Splunk Add-on for Citrix NetScaler incorporates the following third-party software or libraries:
- jQuery,
- select2,
- jquery-ui,
- moment.js,
- jqTree,
- bootstrap,
- underscore,
- Backbone.Validation,
- jquery-resize-plugin,
- low-pro-for-jquery,
- sax.js,
- lodash,
- intro.js,
- highcharts
Version 7.0.2¶
Version 7.0.2 of the Splunk Add-on for Citrix NetScaler was released on June 30, 2020.
Compatibility¶
Note
Version 7.0.2 of the Splunk Add-on for Citrix NetScaler is not compatible with Internet Explorer.
Version 7.0.2 of the Splunk Add-on for Citrix NetScaler is compatible with the following software, CIM versions, and platforms:
| Software, CIM, platform | Versions |
|---|---|
| Splunk platform versions | 7.1.x, 7.2.x, 7.3.x, 8.0.x |
| CIM | 4.11 |
| Platforms | Platform independent |
| Vendor products | Citrix NetScaler versions 10, 11, 12 |
Note
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, refer to the Splunk Enterprise Release Notes.
Migration guide¶
Caution
Upgrading from 6.2.0 to 6.3.0 and above is not supported; you must reconfigure all inputs, appliances, and templates. Back up local configurations before upgrading.
This version of the add-on drops support for Splunk platform versions older than 7.0.x. If you are running older versions of the Splunk platform, upgrade them to a minimum of 7.0.x before upgrading the add-on.
See Choose your Splunk Enterprise upgrade path for the Python 3 migration for more information on upgrading your Splunk Enterprise deployment to Python 3.
New features¶
Version 7.0.2 of the Splunk Add-on for Citrix NetScaler has the following new features:
- Enhanced python library structure
Fixed issues¶
Version 7.0.2 of the Splunk Add-on for Citrix NetScaler contains the following fixed issues:
Known issues¶
Version 7.0.2 of the Splunk Add-on for Citrix NetScaler has the following known issues. If no issues appear in this section, no issues have yet been reported:
Third-party software attributions¶
Version 7.0.2 of the Splunk Add-on for Citrix NetScaler incorporates the following third-party libraries:
- jQuery,
- select2,
- jquery-ui,
- moment.js,
- jqTree,
- bootstrap,
- underscore,
- Backbone.Validation,
- jquery-resize-plugin,
- low-pro-for-jquery,
- sax.js,
- lodash,
- intro.js,
- highcharts
Version 7.0.1¶
Version 7.0.1 of the Splunk Add-on for Citrix NetScaler was released on March 10, 2020.
Compatibility¶
Note
Version 7.0.1 of the Splunk Add-on for Citrix NetScaler is not compatible with Internet Explorer.
Version 7.0.1 of the Splunk Add-on for Citrix NetScaler is compatible with the following software, CIM versions, and platforms:
| Software, CIM, platform | Versions |
|---|---|
| Splunk platform versions | 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x |
| CIM | 4.11 |
| Platforms | Platform independent |
| Vendor products | Citrix NetScaler versions 10, 11, 12 |
Migration guide¶
Caution
Upgrading from 6.2.0 to versions 6.3.0 and above of the Splunk Add-on for Citrix NetScaler is not supported. You must reconfigure all inputs, appliances and templates after upgrading. To avoid data loss, back up your local configurations before upgrading.
This version of the add-on drops support for Splunk platform versions older than 7.0.x. If you are running older versions of the Splunk platform, upgrade them to a minimum of 7.0.x before upgrading the add-on.
See Choose your Splunk Enterprise upgrade path for the Python 3 migration for more information on upgrading your Splunk Enterprise deployment to Python 3.
New features¶
Version 7.0.1 of the Splunk Add-on for Citrix NetScaler has the following new features:
- Default support for Python 3
Known issues¶
Version 7.0.1 of the Splunk Add-on for Citrix NetScaler has the following known issues. If no issues appear in this section, no issues have yet been reported:
Third-party software attributions¶
Version 7.0.1 of the Splunk Add-on for Citrix NetScaler incorporates the following third-party libraries:
- jQuery,
- select2,
- jquery-ui,
- moment.js,
- jqTree,
- bootstrap,
- underscore,
- Backbone.Validation,
- jquery-resize-plugin,
- low-pro-for-jquery,
- sax.js,
- lodash,
- intro.js,
- highcharts
Version 7.0.0¶
Version 7.0.0 of the Splunk Add-on for Citrix NetScaler was released on October 21, 2019.
Compatibility¶
Note
Version 7.0.0 of the Splunk Add-on for Citrix NetScaler is not compatible with Internet Explorer.
Version 7.0.0 of the Splunk Add-on for Citrix NetScaler is compatible with the following software, CIM versions, and platforms:
| Software, CIM, platform | Versions |
|---|---|
| Splunk platform versions | 7.0.x, 7.1.x, 7.2.x, 7.3.x, 8.0.x |
| CIM | 4.11 |
| Platforms | Platform independent |
| Vendor products | Citrix NetScaler versions 10, 11, 12 |
Migration guide¶
Caution
Upgrading from 6.2.0 to versions 6.3.0 and above of the Splunk Add-on for Citrix NetScaler is not supported. You must reconfigure all inputs, appliances and templates after upgrading. To avoid data loss, back up your local configurations before upgrading.
This version of the add-on drops support for Splunk platform versions older than 7.0.x. If you are running older versions of the Splunk platform, upgrade them to a minimum of 7.0.x before upgrading the add-on.
See Choose your Splunk Enterprise upgrade path for the Python 3 migration for more information on upgrading your Splunk Enterprise deployment to Python 3.
New features¶
Version 7.0.0 of the Splunk Add-on for Citrix NetScaler has the following new features:
- Support for Python 3
Known issues¶
Version 7.0.0 of the Splunk Add-on for Citrix NetScaler has the following known issues. If no issues appear in this section, no issues have yet been reported:
Third-party software attributions¶
Version 7.0.0 of the Splunk Add-on for Citrix NetScaler incorporates the following third-party libraries:
- jQuery,
- select2,
- jquery-ui,
- moment.js,
- jqTree,
- bootstrap,
- underscore,
- Backbone.Validation,
- jquery-resize-plugin,
- low-pro-for-jquery,
- sax.js,
- lodash,
- intro.js,
- highcharts
Version 6.3.0¶
Version 6.3.0 of the Splunk Add-on for Citrix NetScaler was released on January 14, 2019.
Compatibility¶
Note
Version 6.3.0 of the Splunk Add-on for Citrix NetScaler is not compatible with Internet Explorer.
Version 6.3.0 of the Splunk Add-on for Citrix NetScaler is compatible with the following software, CIM versions, and platforms:
| Software, CIM, platform | Versions |
|---|---|
| Splunk platform versions | 7.2.x, 7.1.x, 7.0.x, 6.6.x |
| CIM | 4.11 |
| Platforms | Platform independent |
| Vendor products | Citrix NetScaler versions 10, 11, 12 |
Migration guide¶
Caution
Upgrading from 6.2.0 to 6.3.0 of the Splunk Add-on for Citrix NetScaler is not supported. You must reconfigure all inputs, appliances and templates after upgrading. To avoid data loss, back up your local configurations before upgrading.
This version of the add-on drops support for Splunk platform versions older than 6.6.x. If you are running older versions of the Splunk platform, upgrade them to a minimum of 6.6.x before upgrading the add-on.
New features¶
Version 6.3.0 of the Splunk Add-on for Citrix NetScaler has the following new features:
- Shows warnings for duplicate endpoint mappings
- Proxy support
- Validates credentials for newly added appliances
- Supports HTTPS as default
Fixed issues¶
Version 6.3.0 of the Splunk Add-on for Citrix NetScaler contains the following fixed issues:
Known issues¶
Version 6.3.0 of the Splunk Add-on for Citrix NetScaler has the following known issues. If no issues appear in this section, no issues have yet been reported:
Third-party software attributions¶
Version 6.3.0 of the Splunk Add-on for Citrix NetScaler incorporates the following third-party libraries:
- jQuery,
- select2,
- jquery-ui,
- moment.js,
- jqTree,
- bootstrap,
- underscore,
- Backbone.Validation,
- jquery-resize-plugin,
- low-pro-for-jquery,
- sax.js,
- lodash,
- intro.js,
- highcharts
Version 6.2.0¶
Compatibility¶
Version 6.2.0 of the Splunk Add-on for Citrix NetScaler is compatible with the following software, CIM versions, and platforms:
| Software, CIM, platform | Versions |
|---|---|
| Splunk platform versions | 6.3.x and later |
| CIM | 4.2 and later |
| Platforms | Platform independent |
| Vendor products | Citrix NetScaler versions 10.x and later |
Migration guide¶
This add-on is intended to replace the community-supported app, Splunk for Citrix NetScaler with AppFlow. If you are currently using Splunk for Citrix NetScaler with AppFlow, disable the app so that this add-on’s inputs do not conflict with it.
This version of the add-on drops support for Splunk platform versions older than 6.3.x. If you are running older versions of the Splunk platform, upgrade them to a minimum of 6.3.x before upgrading the add-on.
New features¶
Version 6.2.0 of the Splunk Add-on for Citrix NetScaler has the following new features:
- Improved add-on configuration UI
- Mapped to new fields in ITSI Load Balancer module
Fixed issues¶
Version 6.2.0 of the Splunk Add-on for Citrix NetScaler contains no fixed issues.
Known issues¶
Version 6.2.0 of the Splunk Add-on for Citrix NetScaler has the following known issues:
Third-party software attributions¶
Version 6.2.0 of the Splunk Add-on for Citrix NetScaler incorporates the following third-party libraries:
Version 6.1.0¶
Compatibility¶
Version 6.1.0 of the Splunk Add-on for Citrix NetScaler is compatible with the following software, CIM versions, and platforms:
| Software, CIM, platform | Versions |
|---|---|
| Splunk platform versions | 6.0 and above |
| CIM | 4.2 and above |
| Platforms | Platform independent |
| Vendor products | Citrix NetScaler versions 10.x and above |
Migration guide¶
This add-on is intended to replace the community-supported app, Splunk for Citrix NetScaler with AppFlow. If you are currently using Splunk for Citrix NetScaler with AppFlow, disable the app so that this add-on’s inputs do not conflict with it.
New features¶
Version 6.1.0 of the Splunk Add-on for Citrix NetScaler has the following new features:
- Changes to collect data for ITSI load balancer module
Fixed issues¶
Version 6.1.0 of the Splunk Add-on for Citrix NetScaler fixes the following issues:
Known issues¶
Version 6.1.0 of the Splunk Add-on for Citrix NetScaler has the following known issues:
Third-party software attributions¶
Version 6.1.0 of the Splunk Add-on for Citrix NetScaler incorporates the following third-party libraries:
Version 6.0.0¶
Version 6.0.0 of the Splunk Add-on for Citrix NetScaler has the same compatibility specifications as 6.1.0.
Migration guide¶
This add-on is intended to replace the community-supported app, Splunk for Citrix NetScaler with AppFlow. If you are currently using Splunk for Citrix NetScaler with AppFlow, disable the app so that this add-on’s inputs do not conflict with it.
New features¶
Version 6.0.0 of the Splunk Add-on for Citrix NetScaler has the following new features.
- New Splunk-supported add-on for Citrix NetScaler data collection and CIM mapping
Known issues¶
Version 6.0.0 of the Splunk Add-on for Citrix NetScaler has the following known issues.
Third-party software attributions¶
Version 6.0.0 of the Splunk Add-on for Citrix NetScaler incorporates the following third-party libraries:
About the Splunk Add-on for Citrix NetScaler¶
| Version | 8.2.3 |
|---|---|
| Vendor products | Citrix NetScaler versions 11.1, 12.1, 13.0, 13.1 |
| Add-on has a web UI | Yes |
The Splunk Add-on for Citrix NetScaler allows a Splunk software administrator to collect data from Citrix NetScaler servers using syslog, IPFIX, and the NITRO API.
Release notes¶
For a summary of new features, fixed issues, and known issues, see Release Notes for the Splunk Add-on for Citrix NetScaler.
Compatibility¶
This add-on provides the inputs as well as CIM-compatible and ITSI-compatible knowledge to use with other Splunk apps, such as Splunk Enterprise Security and the Splunk App for PCI Compliance.
Download the add-on¶
Download the Splunk Add-on for Citrix NetScaler from Splunkbase.
Install and configure the add-on¶
For information about installing and configuring the Splunk Add-on for Citrix NetScaler, see Installation and configuration overview for the Splunk Add-on for Citrix NetScaler.
Additional resources¶
See Questions related to Splunk Add-on for Citrix NetScaler on the Splunk Community page.
Hardware and software requirements for the Splunk Add-on for Citrix NetScaler¶
Prerequisite¶
To install and configure the Splunk Add-on for Citrix NetScaler, you must be a member of the admin or sc_admin role.
Data collection dependencies¶
The Splunk Add-on for Citrix NetScaler supports multiple data inputs, each capable of collecting different data from your Citrix NetScaler appliances. For more information about which kind of data you can collect with which input, see Source types for the Splunk Add-on for Citrix NetScaler.
If you want to collect data using the IPFIX protocol, see Configure Citrix NetScaler to produce data through IPFIX or syslog.
Sizing guidelines¶
The Splunk Add-on for Citrix NetScaler uses a multiple thread and multiple process design. It can collect data from up to 15 NetScaler appliances on an 8-core machine with 8 GB of memory.
Splunk platform requirements¶
Because this add-on runs on the Splunk platform, all of the system requirements apply for the Splunk software that you use to run this add-on.
- For Splunk Enterprise system requirements: see System requirements for use of Splunk Enterprise on-premises in the Splunk Enterprise Installation Manual.
- If you are managing on-premises forwarders to get data into Splunk Cloud, see System requirements for use of Splunk Enterprise on-premises in the Splunk Enterprise Installation Manual, which includes information about forwarders.
Note
The field alias functionality is compatible with the current version of this add-on. The current version of this add-on does not support older field alias configurations.
For more information about the field alias configuration change, see Field alias behavior change in the Splunk Enterprise Release Notes.
Installation and configuration overview for the Splunk Add-on for Citrix NetScaler¶
Complete the following steps to install and configure this add-on:
- Install the Splunk Add-on for Citrix NetScaler.
- If you want to gather data through IPFIX or syslog, configure your Citrix NetScaler appliance to produce logs in those formats.
- On the part of your Splunk platform architecture that is performing data collection for the add-on, configure the inputs that you want to use:
Install the Splunk Add-on for Citrix NetScaler¶
Perform the following procedure to install the Splunk Add-on for Citrix NetScaler:
- Get the Splunk Add-on for Citrix NetScaler by downloading it from Splunkbase or browsing to it using the app browser within Splunk Web.
- Determine where and how to install this add-on in your deployment, using the tables on this page.
- Perform any prerequisite steps before installing, if required and specified in the following tables.
- Complete your installation.
If you need step-by-step instructions on how to install an add-on in your specific deployment environment, see the following installation walkthrough section for links to installation instructions specific to a single-instance deployment, distributed deployment, or Splunk Cloud.
Distributed deployments¶
Use the following tables to determine where and how to install this add-on in a distributed deployment of Splunk Enterprise or any deployment for which you are using forwarders to get your data in. Depending on your environment, your preferences, and the requirements of the add-on, you may need to install the add-on in multiple places.
Where to install this add-on¶
Unless otherwise noted, all supported add-ons can be safely installed to all tiers of a distributed Splunk platform deployment. See Where to install Splunk add-ons in Splunk Add-ons for more information.
This table provides a reference for installing this specific add-on to a distributed deployment of Splunk Enterprise.
| Splunk instance type | Supported | Required | Actions required / Comments |
|---|---|---|---|
| Search Heads | Yes | Yes | Install this add-on to all search heads where Citrix NetScaler knowledge management is required. Turn add-on visibility off on your search heads to prevent data duplication errors that can result from running inputs on your search heads instead of (or in addition to) on your data collection node. |
| Indexers | Yes | Conditional | Not required if you use heavy forwarders to collect data. Required if you use universal forwarders to collect data. |
| Heavy Forwarders | Yes | See comments | Required for modular inputs. If you are not using the NITRO API modular inputs, any forwarder type is supported. |
| Universal Forwarders | Yes | See comments | Supported for IPFIX and UDP inputs only. |
Distributed deployment feature compatibility¶
This table describes the compatibility of this add-on with Splunk distributed deployment features.
| Distributed deployment feature | Supported | Actions required |
|---|---|---|
| Search Head Clusters | Yes | Disable add-on visibility on search heads. You can install this add-on on a search head cluster for all search-time functionality, but configure inputs on forwarders to avoid duplicate data collection. Before installing this add-on to a cluster: if the inputs.conf file is present in your installation package, remove the file. |
| Indexer Clusters | Yes | Before installing this add-on to a cluster: if the inputs.conf file is present in your installation package, remove the file. |
| Deployment Server | No | Supported for deploying unconfigured add-ons only. Using a deployment server to deploy the configured add-on to multiple forwarders acting as data collectors causes duplication of data. |
Installation walkthroughs¶
The Splunk Add-Ons manual includes an Installing add-ons guide that helps you successfully install any Splunk-supported add-on to your Splunk platform.
For a walkthrough of the installation procedure, follow the link that matches your deployment scenario:
Upgrade the Splunk Add-on for Citrix NetScaler¶
Upgrade from version 8.2.2 to version 8.2.3¶
There are no additional steps required for the upgrade of the Splunk Add-on for Citrix NetScaler.
Upgrade from version 8.1.2 to version 8.2.3¶
There are no additional steps required for the upgrade of the Splunk Add-on for Citrix NetScaler.
For version 8.0.0 or lower¶
If you’re using Splunk 7.x and Citrix NetScaler v8.0.0 or lower, perform the following steps:
- Disable all inputs that you have currently configured in your version of the Splunk Add-on for Citrix NetScaler.
- Then follow the required steps to upgrade to your preferred Splunk 8.x version.
Upgrade the add-on using one of the following methods:
- Download the add-on from Splunkbase, and follow the steps in the Install the Splunk Add-on for Citrix NetScaler topic in this manual.
- In Splunk Web, navigate to the Apps bar, and click Upgrade. Enable all your desired inputs for your upgraded version of the Splunk Add-on for Citrix NetScaler.
Ended: Installation
Configuration ↵
Configure Citrix NetScaler to produce data through IPFIX or syslog¶
The Splunk Add-on for Citrix NetScaler supports multiple data input methods. If you are only collecting data through the modular input, which pulls data from your Citrix NetScaler devices using the NITRO API, you can skip this step.
If you want to collect data about traffic on your network, authentication activity, and web server data, collect data through IPFIX as well, as this data is not available through the NITRO REST API. You also have the option to collect authentication and network data through syslog, if you prefer.
Configure Citrix NetScaler to produce IPFIX data¶
- See the Citrix NetScaler documentation on “Configuring the AppFlow” feature: https://docs.netscaler.com/en-us/citrix-adc/current-release/ns-ag-appflow-intro-wrapper-con/ns-ag-appflow-config-tsk.html and set your Splunk Enterprise data collection node as the collector.
- If you have not already done so, install the Splunk Stream app on your data collection node.
- Configure Splunk Stream to ingest IPFIX data on your Splunk Enterprise data collection node.
Configure Citrix NetScaler to produce syslog data¶
- Follow the instructions in Configuring Citrix ADC appliance for audit logging to configure syslog on a Citrix NetScaler appliance. See https://docs.netscaler.com/en-us/citrix-adc/current-release/system/audit-logging/configuring-audit-logging.html/.
- Configure the syslog input on your Splunk Enterprise data collection node.
Configure NITRO API inputs for the Splunk Add-on for Citrix NetScaler¶
The Splunk Add-on for Citrix NetScaler collects data from your Citrix NetScaler appliances from the NITRO REST API using a modular input. You can configure this input using Splunk Web on your heavy forwarder, or manually in the configuration files by following these steps:
- Specify your communication method.
- Configure a connection to your Citrix NetScaler appliances to define where the add-on should get the data.
- Create one or more metric templates made up of one or many NITRO API metric endpoints to define what data to collect.
- Configure inputs. For each input, you select one or more appliances, one or more templates, and set the polling interval and destination index for the data.
The following sections describe these steps in more detail.
Specify your communication method¶
By default, communication from the Splunk Add-on for Citrix Netscaler to your Netscaler servers is encrypted through HTTPS with SSL-certificate validation enabled. If your Netscaler server is configured with HTTPS and a valid CA-signed certificate, communication with the Netscaler server works with the default configuration.
HTTPS using a self-signed certificate¶
If your Netscaler server is configured with HTTPS using a self-signed certificate, follow these steps:
- Download the CA certificate of the Netscaler server in PEM format.
- Copy the content of your CA certificate into `$SPLUNK_HOME/etc/apps/Splunk_TA_citrix-netscaler/lib/certifi/cacert.pem`.
- Copy `$SPLUNK_HOME/etc/apps/Splunk_TA_citrix-netscaler/default/splunk_ta_citrix_netscaler_settings.conf` to your `$SPLUNK_HOME/etc/apps/Splunk_TA_citrix-netscaler/local` folder.
- Provide the path of the CA certificate file, including the file name, in `$SPLUNK_HOME/etc/apps/Splunk_TA_citrix-netscaler/local/splunk_ta_citrix_netscaler_settings.conf` in the `additional_parameters` stanza.
- Save your changes.
- Restart the Splunk platform.
Alternatively, you can follow these steps:
- Download the CA certificate of the Netscaler server in PEM format.
- Copy the content of your CA certificate into `$SPLUNK_HOME/etc/apps/Splunk_TA_citrix-netscaler/lib/certifi/cacert.pem`.
- Save your changes.
HTTP configuration¶
If your Netscaler server only supports HTTP communications, follow these steps:
- Change the value of the `http_scheme` field to HTTP instead of HTTPS in your `$SPLUNK_HOME/etc/apps/Splunk_TA_citrix-netscaler/local/splunk_ta_citrix_netscaler_settings.conf` file under the `additional_parameters` stanza.
- Save your changes.
- Restart the Splunk platform.
Configure modular inputs using Splunk Web¶
Access the Splunk Add-on for Citrix NetScaler by selecting it from the left banner on the Splunk Web home screen, or, from anywhere else in Splunk Web, by selecting Apps > Manage Apps, then selecting Launch app in the row for Splunk Add-on for Citrix NetScaler.
You can now configure inputs using the Configuration menu.
Note
Do not go to the Splunk Add-on for Citrix NetScaler configuration page under Settings > Data Inputs to configure NITRO API inputs. This page is deprecated.
Configure appliances¶
- Under Configuration, select Appliance.
- Click Add New Appliance.
- Fill out the fields:

  | Field | Description |
  |---|---|
  | Name | A unique name for the appliance. |
  | Description | Optional. A description for the appliance. |
  | Host | The host or IP address of your Citrix NetScaler appliance. |
  | Username | Only required if your Citrix NetScaler appliance requires authentication. The username to use to access the appliance. |
  | Password | Only required if your Citrix NetScaler appliance requires authentication. The password to use to access the appliance. |

- Select Add.
- Repeat this procedure for each Citrix NetScaler appliance from which you want to collect data.
Configure templates¶
- Under Configuration, select Template.
- Select Add New Template and fill out the fields:

  | Field | Description |
  |---|---|
  | Name | A unique name for the template. |
  | Description | Optional. A description for the template. |
  | Metrics | The Citrix NetScaler metrics that you want to collect data from. Limit the number of metrics that you include in a single template to avoid overloading the Citrix NetScaler server. Metrics should be limited to no more than 15 within one template. Avoid creating many individual templates, each with just one or very few metrics, to avoid overloading the Citrix NetScaler server with too many concurrent sessions. If the metrics you select require additional parameters, the Parameters textbox appears. Add additional resource specifications, arguments, filters, or parameters to specify the API call you want to make. Encode any spaces using %20. |

  Examples:

  - `<metriccategory>/<metric>/<value>`
  - `<metriccategory>/<metric>?<param>=<value>`
  - `<metriccategory>/<metric>?<param>=<value%20with%20spaces>`
  - `<metriccategory>/<metric>?args=<param1>:<value>,<param2>:<value>`

  For more information on the Citrix NetScaler NITRO API, refer to the NITRO API documentation for Citrix ADC.

- After you add the metrics that you want to collect, select Add.
- You can return to this screen later to edit your existing templates, add new ones, or delete them.
Configure inputs¶
- Select Inputs.
- Select Create New Input and fill out the fields:

  | Field | Description |
  |---|---|
  | Name | A unique name for the input. |
  | Description | Optional. A description for the input. |
  | Appliances | The Citrix NetScaler appliances from which to collect data for this input. |
  | Templates | The Citrix NetScaler templates to be used in this input. Although you can select as many templates as you want, for best results you should limit the number of templates that you invoke with a single task to avoid creating too many concurrent sessions. |
  | Collection Interval | How long to wait before running the data collection task again, in seconds. |
  | Index | The index in which to store Citrix NetScaler data. The default is main. |

  You cannot override the source type for the input using Splunk Web. If you want to override the source type, do so in the configuration files.

- Click Add to create the input.
- Enable the input using the Status toggle.
- Repeat these steps for any additional inputs you want to configure.
To validate that your inputs are working as expected, go to the Search & Reporting app and search for sourcetype=citrix:netscaler:nitro to confirm that Splunk Enterprise is indexing events through the add-on. See the Troubleshooting page for more guidance.
Configure a proxy¶
If you are using a proxy, complete these steps on the Configuration tab:
- Under Configuration, select Proxy.
- Check Enable Proxy.
- Specify the ProxyHost, ProxyPort, ProxyUsername, and ProxyPassword values.
- Check DNS resolution if you want to perform DNS resolution through your proxy.
- Select the type of proxy to use in the Proxy Type field.
- Select Save.
Configure logging¶
If you want to change the logging level, complete these steps:
- Under Configuration, select Logging.
- Select your preferred logging level.
- Select Save.
Configure modular inputs manually in the configuration files¶
A best practice is to configure inputs using the UI to avoid typos. However, you can also configure them manually by creating a set of configuration files in $SPLUNK_HOME/etc/apps/Splunk_TA_citrix-netscaler/local.
Create citrix_netscaler_servers.conf¶
- Create a file called `citrix_netscaler_servers.conf` in `$SPLUNK_HOME/etc/apps/Splunk_TA_citrix-netscaler/local`.
- Copy the following example stanza into the file and provide values for each argument:

  ```
  [FriendlyNameforYourAppliance]
  account_name =
  account_password =
  description = <A useful description goes here>
  server_url = <Your Citrix NetScaler IP address>
  ```

Note
The Splunk platform encrypts the values for account_name and account_password when you save the file.
Create citrix_netscaler_templates.conf¶
- Create a file called `citrix_netscaler_templates.conf` in `$SPLUNK_HOME/etc/apps/Splunk_TA_citrix-netscaler/local`.
- Copy the following example stanza into the file and enter a list of correctly formatted metrics, semicolon-separated, as the value for the `content` argument.

  citrix_netscaler_templates.conf

  ```
  [FriendlyNameforYourTemplate]
  content = config/aaaglobal_binding; config/aaagroup_aaauser_binding?action=enable
  ```

For assistance choosing metrics, use the Splunk Web configuration UI for this add-on to search and browse for the metrics and determine which ones require additional parameters. For more information on the Citrix NetScaler NITRO API, refer to the NITRO API documentation for Citrix ADC.
Note
For best results, limit the number of metrics that you include in a single template to avoid overloading the Citrix NetScaler server. Limit metrics to no more than 15 within one template. Also avoid creating many individual templates, each with just one or very few metrics, to avoid overloading the Citrix NetScaler server with too many concurrent sessions.
Create inputs.conf¶
- Create a file called `inputs.conf` in `$SPLUNK_HOME/etc/apps/Splunk_TA_citrix-netscaler/local`.
- Copy the following example stanza into the file and provide values for each argument. If you have multiple servers or templates in one input, separate them with a pipe as shown in the following example:

  ```
  [citrix_netscaler://FriendlyNameforYourInput]
  disabled = 0
  index = default
  duration = 360
  servers = FriendlyNameforYourAppliance | AnotherAppliance
  templates = FriendlyNameforYourTemplate | AnotherTemplate
  ```
Note
For best results, limit the number of metrics that you include in a single template to avoid overloading the Citrix NetScaler server. Limit metrics to no more than 15 within one template. Also avoid creating many individual templates, each with just one or very few metrics, to avoid overloading the Citrix NetScaler server with too many concurrent sessions.
To validate that the input is working as expected, go to the Splunk Search & Reporting app and search for sourcetype=citrix:netscaler:nitro to confirm that the Splunk platform is indexing events through the add-on. See Troubleshooting for more guidance.
Create splunk_ta_citrix_netscaler_settings.conf¶
- Create a file called `splunk_ta_citrix_netscaler_settings.conf` in `$SPLUNK_HOME/etc/apps/Splunk_TA_citrix-netscaler/local`.
- For Proxy, copy the following stanza into the file and provide values for each argument:

  ```
  [proxy]
  proxy_enabled = [0|1]
  proxy_type = [http|socks4|socks5]
  proxy_url = <string>
  proxy_port = <integer>
  proxy_username = <string>
  proxy_password = <string>
  proxy_rdns = [0|1]
  ```

- For Logging, copy the following stanza into the file and provide a value for the log level:

  ```
  [logging]
  loglevel = [DEBUG|INFO|ERROR]
  ```
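The following pre-deployment check is an added example, not code from the add-on. It reads the four local configuration files described above and reports templates that exceed the 15-metric limit or contain unencoded spaces, inputs that reference undefined appliances or templates, and an `http_scheme` set to HTTP. The sample stanza names, the address and the `example_metric` paths are constructed placeholders.

```python
import configparser

MAX_METRICS = 15  # per-template limit recommended on this page


def load_conf(text):
    """Parse .conf text: keep key case, treat only '=' as the delimiter."""
    conf = configparser.RawConfigParser(delimiters=("=",))
    conf.optionxform = str
    conf.read_string(text)
    return conf


def split_list(value, sep):
    """Split a separator-delimited value and drop empty entries."""
    return [item.strip() for item in value.split(sep) if item.strip()]


def lint(servers_txt, templates_txt, inputs_txt, settings_txt):
    """Return a list of findings for one add-on's local/ configuration."""
    servers, templates = load_conf(servers_txt), load_conf(templates_txt)
    inputs, settings = load_conf(inputs_txt), load_conf(settings_txt)
    findings = []
    for name in templates.sections():
        metrics = split_list(templates.get(name, "content", fallback=""), ";")
        if len(metrics) > MAX_METRICS:
            findings.append(f"template {name}: {len(metrics)} metrics, limit is {MAX_METRICS}")
        findings += [f"template {name}: encode spaces as %20 in '{m}'"
                     for m in metrics if " " in m]
    for stanza in inputs.sections():
        if not stanza.startswith("citrix_netscaler://"):
            continue
        # Every pipe-separated entry must name a stanza in the matching file.
        for key, known in (("servers", servers), ("templates", templates)):
            for ref in split_list(inputs.get(stanza, key, fallback=""), "|"):
                if not known.has_section(ref):
                    findings.append(f"input {stanza}: {key} entry '{ref}' is not defined")
    scheme = settings.get("additional_parameters", "http_scheme", fallback="HTTPS")
    if scheme.strip().upper() == "HTTP":
        findings.append("settings: http_scheme = HTTP, NITRO API traffic is not encrypted")
    return findings


# Constructed sample configuration (names, address and example_metric paths are placeholders).
SERVERS = "[edge-adc-01]\naccount_name =\naccount_password =\nserver_url = 192.0.2.10\n"
TEMPLATES = (
    "[aaa_bindings]\n"
    "content = config/aaaglobal_binding; config/aaagroup_aaauser_binding?action=enable\n"
    "[spaced]\n"
    "content = config/example_metric?args=name:edge vserver\n"
    "[too_many]\n"
    "content = " + "; ".join(f"stat/example_metric_{i}" for i in range(16)) + "\n"
)
INPUTS = (
    "[citrix_netscaler://edge_polling]\n"
    "disabled = 0\nindex = default\nduration = 360\n"
    "servers = edge-adc-01 | edge-adc-02\n"
    "templates = aaa_bindings | missing_template\n"
)
SETTINGS = "[additional_parameters]\nhttp_scheme = HTTP\n"

if __name__ == "__main__":
    for finding in lint(SERVERS, TEMPLATES, INPUTS, SETTINGS):
        print(finding)
```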
Configure IPFIX inputs for the Splunk Add-on for Citrix NetScaler¶
To create an IPFIX input for the Splunk Add-on for Citrix NetScaler, you must first configure your Citrix NetScaler appliance to produce IPFIX data and send it to your collection node.
Configuration for Stream compatibility¶
Install Splunk Add-on for Stream Wire Data, Splunk App for Stream (splunk_app_stream) and Splunk Add-on for Stream Forwarders (Splunk_TA_stream) and perform the following steps in order to get IPFIX data using the Stream app.
- Copy `citrix.xml` from the `stream_config` folder of the add-on to the following folders:
  - splunk_app_stream/default/vocabularies/
  - Splunk_TA_stream/default/vocabularies/
- Copy the content of the `netflow` file from the `stream_config` folder of the add-on and paste it inside the `fields` list of `splunk_app_stream/default/streams/netflow`.
- Copy `streamfwd.conf` from the `stream_config` folder of the add-on to `Splunk_TA_stream/local`.
- Change `streamfwd.conf` as follows:

  ```
  [streamfwd]
  ipAddr = 127.0.0.1
  httpEventCollectorToken = f2060850-973b-4743-8d85-d5e89ccc28fd
  processingThreads = 4
  netflowReceiver.0.ip = 0.0.0.0
  netflowReceiver.0.port = 4739
  netflowReceiver.0.decoder = netflow
  ```
Configure syslog inputs for the Splunk Add-on for NetScaler¶
To use Splunk Connect for Syslog to collect Syslog data, see the SC4S documentation.
Note
Use SC4S instead of configuring Splunk to listen for syslog messages directly.
If you want to collect syslog data using the Splunk Add-on for NetScaler, first ensure that you have configured your Citrix NetScaler appliance to produce syslog data.
There are two ways to capture the syslog data from Citrix NetScaler:
- If you are using a syslog aggregator, create a file monitor input to monitor the file or files generated by the aggregator.
- Create a UDP input to capture the data sent on the port you have configured in your Citrix NetScaler server.
Note
For information about timestamp processing options for syslog events, see Syslog and timestamps in Splunk Add-ons.
Monitor input¶
If you are using a syslog aggregator, on the Splunk platform node handling data collection, set up a monitor input to watch the files generated and set the source type to citrix:netscaler:syslog. The CIM mapping and dashboard panels depend on this source type.
See Monitor files and directories in the Splunk Enterprise Getting Data In manual for information about setting up a monitor input.
UDP input¶
On the Splunk platform node handling data collection, configure the UDP input to match your Citrix NetScaler configuration and set the source type to citrix:netscaler:syslog. The CIM mapping and dashboard panels depend on this source type.
For information on how to configure a Splunk forwarder or single-instance to receive a syslog input, see Get data from TCP and UDP ports in the Getting Data In manual.
Validate data collection¶
After you configure the input, run this search to check that you are ingesting the data you expect:
sourcetype=citrix:netscaler:syslog
Ended: Configuration
Troubleshooting ↵
Troubleshoot the Splunk Add-on for Citrix NetScaler¶
For troubleshooting tips that you can apply to all add-ons, see Troubleshoot add-ons in Splunk Add-ons. For additional resources, see Support and resource links for add-ons in Splunk Add-ons.
HTTP Error: 407, Proxy Authentication Required¶
If you have an HTTP proxy configured, you are using unencrypted communication, and you get this error, go to Configuration, and then Proxy, and change the Proxy Type to http_no_tunnel.
Citrix Netscaler supported syslog format¶
The following format of Citrix Netscaler syslogs is supported:
<time-stamp> <ns-name> <packet-engine-name>:<> <event-source> <event-name> <event-id> 0 :<syslog-message>
The Splunk add-on for Citrix Netscaler does not support this format when collecting events from the Stream app, as those events have the stream:netflow sourcetype.
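The following triage script is an added example, not part of the add-on. It applies a regular expression written from the format line above to a batch of syslog lines and separates those that fit from those that do not, so unparsed events can be found before they become a search-time gap. The timestamp layout, the handling of the unnamed `<>` slot as one optional token, and all sample lines are assumptions constructed for illustration.

```python
import re
from collections import Counter

# Field order follows the supported format on this page:
# <time-stamp> <ns-name> <packet-engine-name>:<> <event-source> <event-name> <event-id> 0 :<syslog-message>
SUPPORTED = re.compile(
    r"^(?P<timestamp>\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2}(?: [A-Z]{2,5})?)\s+"  # assumed layout
    r"(?P<ns_name>\S+)\s+"
    r"(?P<packet_engine>[^\s:]+)\s*:\s*"
    r"(?P<unnamed>\S*)\s+"            # the '<>' slot, kept as an opaque token
    r"(?P<event_source>\S+)\s+"
    r"(?P<event_name>\S+)\s+"
    r"(?P<event_id>\d+)\s+0\s*:\s*"
    r"(?P<message>.*)$"
)


def triage(lines):
    """Split lines into parsed events (dicts) and lines that do not fit the format."""
    parsed, unmatched = [], []
    for line in lines:
        match = SUPPORTED.match(line.strip())
        if match:
            parsed.append(match.groupdict())
        else:
            unmatched.append(line)
    return parsed, unmatched


def summarize(parsed):
    """Count events per (event_source, event_name) pair."""
    return Counter((e["event_source"], e["event_name"]) for e in parsed)


# Constructed sample lines: two that fit, one CEF-style line, one truncated line.
SAMPLE_LINES = [
    "07/22/2023:10:15:30 GMT ns-edge-01 0-PPE-0 : default SSLVPN LOGIN 1001 0 : User alice - Client_ip 198.51.100.7",
    "07/22/2023:10:16:02 GMT ns-edge-01 0-PPE-1 : default SSLVPN LOGOUT 1002 0 : User alice - Duration 00:00:32",
    "CEF:0|Citrix|NetScaler|constructed|APPFW|constructed sample|6|src=198.51.100.7",
    "07/22/2023:10:17:45 GMT ns-edge-01 0-PPE-0 : default SSLVPN LOGIN",
]

if __name__ == "__main__":
    events, rejected = triage(SAMPLE_LINES)
    for pair, count in summarize(events).items():
        print(pair, count)
    for line in rejected:
        print("does not fit the supported format:", line)
```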
Configure logging level¶
The Splunk Add-on for Citrix NetScaler allows you to configure logging levels in the configuration UI or in splunk_ta_citrix_netscaler_settings.conf. Allowed log levels are DEBUG, INFO, and ERROR. The default is INFO.
Perform the following steps to configure logging using the UI:
- Go to Splunk Web on your data collection node.
- Access the Splunk Add-on for Citrix NetScaler UI.
- From the configuration menu, select Configuration > Logging.
- Choose a log level and select Save.
Ended: Troubleshooting
Reference ↵
Lookups for the Splunk Add-on for Citrix NetScaler¶
The Splunk Add-on for Citrix NetScaler has two lookups. The lookup files map fields from Citrix NetScaler systems to CIM-compliant values in the Splunk platform. The lookup files are located in $SPLUNK_HOME/etc/apps/Splunk_TA_citrix-netscaler/lookups.
| Filename | Description |
|---|---|
| citrix_netscaler_availability_status.csv | Maps state to avl_status_string, avl_status |
| citrix_netscaler_ha_states.csv | Maps hacurstate to failover_status_string, failover_status |
| citrix_netscaler_icmp_code.csv | Maps icmp_type to icmp_code |
| citrix_netscaler_appfw_category_severity_v8.2.0.csv | Maps signature to category, severity |
Source types for the Splunk Add-on for Citrix NetScaler¶
The Splunk Add-on for Citrix NetScaler supplies or expects the following source types, depending on the data sources and collection methods that you configure: syslog, IPFIX, or the NITRO API.
| Collection method or source | Description | Source type | CIM and ITSI module compatibility |
|---|---|---|---|
| NITRO API | To collect NetScaler status data from any of the more than 1000 endpoints of the NITRO API, configure the modular input provided in this add-on. | citrix:netscaler:nitro | Inventory, Load Balancer |
| IPFIX | Since the IPFIX add-on has been deprecated, Splunk best practice is to configure Splunk Stream to collect data using the IPFIX protocol. For more information, see the Configure Citrix NetScaler to produce data via IPFIX or syslog and Configuration for Stream compatibility topics in this manual. | stream:netflow | None |
| | Information about network sessions and connections, as well as syslog data for logins, logouts, device status changes, and network status changes. Manually set the source type to citrix:netscaler:ipfix for all IPFIX input data. The add-on automatically appends :syslog to data that is in this format. | citrix:netscaler:ipfix | Web Server, Load Balancer |
| | | citrix:netscaler:ipfix:syslog | Authentication, Network Traffic, Change, Load Balancer |
| UDP | Events including logins, logouts, firewall activity, device status changes, and network status changes. If you configure your Citrix NetScaler device to produce data over syslog, use this source type when you set up a UDP listener on your collector node. The add-on automatically updates the source type to citrix:netscaler:appfw for firewall data in native format, and to citrix:netscaler:appfw:cef for firewall data in CEF format. | citrix:netscaler:syslog | Authentication, Network Traffic, Change, Load Balancer |
| | | citrix:netscaler:appfw | Intrusion Detection |
| | | citrix:netscaler:appfw:cef | Intrusion Detection |
| Internal logs | The add-on's internal logs are automatically source typed as citrix:netscaler. | citrix:netscaler | None |