Citrix Web App Firewall Integration for Elastic

The Citrix Web App Firewall integration for Elastic enables you to collect and analyze logs from Citrix ADC and NetScaler appliances. This integration provides visibility into your web application security posture by capturing detailed event data, including security violations, signature matches, and network metadata.

This integration has been tested and verified with the following third-party vendor versions:

• Citrix ADC version 13.1
• NetScaler version 10.0

The integration is designed to work with any Citrix or NetScaler appliance capable of exporting logs in the Common Event Format (CEF).

This integration collects logs from Citrix appliances by receiving syslog data over the network using TCP or UDP, or by reading logs directly from local files on the system. You'll deploy an Elastic Agent on a host configured as a syslog receiver or one that has access to the appliance's log files. The agent processes the incoming data—using the citrix_waf.log data stream—and forwards it to the Elastic Stack. For the best parsing results and data fidelity, it's recommended to configure your Citrix appliance to export logs in Common Event Format (CEF).

The Citrix Web App Firewall integration collects log messages of the following types:

• Citrix WAF logs (using Syslog): Citrix WAF logs transmitted over the network using TCP or UDP, including real-time security violations and signature match events.
• Citrix WAF logs (using File): Citrix WAF logs collected from local files on the system where the Elastic Agent is running.
• Application firewall logs: Detailed records of security violations, blocked requests, and signature matches generated by the WAF engine.
• Security event metadata: Information regarding the specific security check triggered, the action taken (such as block or log), and the severity of the event.
• Network metadata: Source and destination IP addresses, ports, and transport protocols involved in the web transactions.

The integration includes the following data stream:

• log: This data stream captures security and audit logs including violations, signature matches, and system events.

You can use the Citrix Web App Firewall integration to support various security and operational requirements:

• Threat detection and response: Identify and mitigate web-based attacks such as SQL injection, cross-site scripting (XSS), and other security violations.
• Security posture assessment: Analyze signature matches and security event metadata to evaluate the effectiveness of WAF policies and identify areas for improvement.
• Compliance and auditing: Store security logs to meet regulatory requirements and provide a verifiable trail of security-related events for audits.
• Traffic analysis: Gain insights into network metadata, including source and destination patterns, to understand application usage and identify potential anomalies.

Before you can collect logs from Citrix Web App Firewall, ensure you meet the following requirements.

You need these Citrix-specific prerequisites:

• Administrative access with full credentials for the Citrix ADC / NetScaler management GUI or CLI.
• An active license for the Citrix Web App Firewall feature installed on your appliance.
• Unrestricted network access between the Citrix appliance and the Elastic Agent on the configured Syslog port, which defaults to 9001 for this integration.
• The ability to create and bind global audit policies to the APPFW_GLOBAL bind point.
• A firmware version that supports Common Event Format (CEF) logging.

You need these Elastic prerequisites:

• Elastic Stack version 8.11.0 or later.
• An Elastic Agent installed on a host reachable by the Citrix appliance and enrolled in a Fleet policy.
• The Citrix WAF integration added to the Elastic Agent's policy using Kibana.
• Firewall rules that allow inbound traffic to the Elastic Agent on the specified Syslog port from the Citrix appliance's NSIP or SNIP.

Elastic Agent must be installed on a host that can receive syslog data or access the log files from your Citrix appliance. For more details, check the Elastic Agent installation instructions. You can install only one Elastic Agent per host.

Elastic Agent is required to stream data from the syslog or log file receiver and ship the data to Elastic, where the events will then be processed using the integration's ingest pipelines.

You must configure your Citrix NetScaler or ADC appliance to generate logs in Common Event Format (CEF) and send them to the Elastic Agent.

The integration requires logs in CEF for proper field mapping.

1. Log in to the NetScaler or Citrix ADC management interface.
2. Navigate to Security > Citrix Web App Firewall > Change Engine Settings.
3. In the General Settings section, locate the CEF Logging checkbox.
4. Check Enable CEF Logging.
5. (Optional) Check GeoLocation Logging if you wish to include geolocation data in the logs.
6. Click OK to save.

Alternatively, you can use the command line interface (CLI):

set appfw settings CEFLogging on
		

Define where the logs should be sent by specifying the Elastic Agent IP address and port.

1. Navigate to Configuration > System > Auditing > Syslog.
2. Click on the Servers tab and click Add.
3. Configure the following details:
   • Name: Elastic_Syslog_Server
   • IP Address: Enter the IP address of your Elastic Agent (replace with your actual value).
   • Port: 9001 (or your configured port).
   • Transport Type: Select UDP or TCP.
   • Log Level: Select ALL.
4. Click Create.

Alternatively, you can use the CLI:

# Replace <Elastic_Agent_IP> with your actual value
add audit syslogAction Elastic_Syslog_Server <Elastic_Agent_IP> -serverPort 9001 -logLevel ALL -transport TCP
		

1. Navigate to Configuration > System > Auditing > Syslog and go to the Policies tab.
2. Click Add, name it Elastic_WAF_Policy, and select the server created in the previous step.
3. Set the Expression to true.
4. Navigate to Configuration > System > Auditing > Syslog and select Global Bindings.
5. Select APPFW_GLOBAL and bind the Elastic_WAF_Policy with a priority of 100.

Alternatively, you can use the CLI:

add audit syslogPolicy Elastic_WAF_Policy true Elastic_Syslog_Server
bind audit syslogGlobal -policyName Elastic_WAF_Policy -priority 100 -globalBindType APPFW_GLOBAL
		

The following resources provide additional information about Citrix WAF logging:

• How to Send Application Firewall Messages to a Separate Syslog Server (CTX138973)
• How to Send NetScaler Application Firewall Logs to Syslog Server (CTX483235)
• Web App Firewall logs | NetScaler Documentation

To install and configure the Citrix Web App Firewall integration, follow these steps:

1. In Kibana, navigate to Management > Integrations.
2. Search for Citrix Web App Firewall and select it.
3. Click Add Citrix Web App Firewall.
4. Choose the input type that matches your Citrix configuration (TCP, UDP, or Log file).

To collect logs over a TCP connection, configure the following settings:

• Listen Address (tcp_host): The bind address to listen for TCP connections. Set to 0.0.0.0 to bind to all available interfaces. Default: localhost.
• Listen Port (tcp_port): The TCP port number to listen on. Default: 9001.
• Preserve original event (preserve_original_event): If checked, a raw copy of the original event is stored in the event.original field. Default: False.
• Tags (tags): Custom tags to append to the event. Default: ['citrix_waf', 'forwarded'].
• Processors (processors): Add custom processors to reduce fields or enhance metadata before the data is sent to Elastic. See Processors for details.
• SSL Configuration (ssl): Configure SSL options if you are using encrypted transport. Refer to the SSL documentation for details.
• Custom TCP Options (tcp_options): Specify advanced settings such as max_message_size or line_delimiter.
• Timezone (tz_offset): The IANA time zone or offset (for example, +0200) to use when interpreting syslog timestamps without a time zone. Default: UTC.

To collect logs over a UDP connection, configure the following settings:

• Listen Address (udp_host): The bind address to listen for UDP connections. Set to 0.0.0.0 to bind to all available interfaces. Default: localhost.
• Listen Port (udp_port): The UDP port number to listen on. Default: 9001.
• Preserve original event (preserve_original_event): If checked, a raw copy of the original event is stored in the event.original field. Default: False.
• Tags (tags): Custom tags to append to the event. Default: ['citrix_waf', 'forwarded'].
• Processors (processors): Add custom processors to filter or enhance the log data. See Processors for details.
• Custom UDP Options (udp_options): Specify advanced settings such as max_message_size or read_buffer.
• Timezone (tz_offset): The IANA time zone or offset (for example, +0200) for logs without time zone information. Default: UTC.

To collect logs directly from files on the host where Elastic Agent is running, configure the following settings:

• Paths (paths): A list of absolute paths to the log files. Default: ['/var/log/citrix-waf.log'].
• Preserve original event (preserve_original_event): If checked, a raw copy of the original event is stored in the event.original field. Default: False.
• Tags (tags): Custom tags to append to the event. Default: ['citrix_waf', 'forwarded'].
• Processors (processors): Add custom processors for pre-processing logs on the agent. See Processors for details.
• Timezone (tz_offset): The IANA time zone or offset (for example, +0200) for logs without time zone information. Default: UTC.

After completing the configuration, assign the integration to an agent policy and click Save and continue.

To verify the integration is working correctly, follow these steps:

1. Verify the Elastic Agent status:
   • Navigate to Management > Fleet > Agents.
   • Ensure the agent is in a Healthy or Online state.
2. Trigger data flow on the Citrix WAF:
   • Generate web traffic by accessing a web application protected by the Citrix WAF.
   • Simulate a policy violation (for example, curl http://<waf_app_ip>/etc/passwd) to trigger a block or log event.
   • Log in or out of the Citrix management interface to generate administrative audit logs.
3. Check data in Kibana:
   • Navigate to Analytics > Discover.
   • Select the logs-* data view.
   • Enter the KQL filter data_stream.dataset : "citrix_waf.log" and confirm that logs appear with recent timestamps.
   • Verify that fields such as event.dataset, source.ip, event.action, and message are populated correctly.
4. Check Dashboards:
   • Navigate to Analytics > Dashboards.
   • Search for Citrix Web App Firewall to verify the pre-built visualizations are populating with data.

For help with Elastic ingest tools, check Common problems.

Address common configuration issues using the following guidance:

• CEF logging disabled: If logs appear in Kibana as a single unparsed string in the message field, verify that CEF logging is enabled in the Citrix WAF engine settings. Without the CEF format, the parser can't identify specific security fields.
• Global binding missing: If no logs are arriving at the Elastic Agent, verify the audit policy is bound to the APPFW_GLOBAL bind point. Binding to SYSTEM_GLOBAL might result in WAF logs being mixed with general system logs or suppressed depending on priority settings.
• Port conflicts: Ensure that the Listen Port configured in the integration settings (for example, 9001) isn't being used by another service on the Elastic Agent host. You can use commands like netstat -ano or ss -tulpn to verify if the agent is listening on the expected port.
• Firewall or network ACL blocks: Verify that any network firewalls between the Citrix appliance and the Elastic Agent permit traffic on the configured UDP or TCP port.
• Timestamp mismatches: If logs appear to be missing or have incorrect times, check for a significant time difference between the Citrix appliance and the Elastic Agent. Use the Timezone setting in the integration configuration to correct for offset differences.
• Parsing failures: Check the error.message field in Kibana for messages like "Provided grok patterns did not match". This usually indicates that the Citrix log format isn't standard CEF. Ensure no custom syslog headers are prepended to the CEF payload on the Citrix side.
• Truncated logs: If logs are incomplete or missing data, check the max_message_size setting in the TCP or UDP options. Large WAF events with many headers can exceed the default 10KiB limit.

For more information on architectures that can be used for scaling this integration, check the Ingest Architectures documentation.

To ensure optimal performance in high-volume security environments, you should consider the following configuration and deployment strategies:

• Use TCP for transport to ensure reliable delivery and support for encrypted transport using SSL/TLS. While UDP has lower overhead, it doesn't guarantee delivery in high-volume scenarios.
• Monitor your host's disk I/O performance if you're using the logfile input. You'll need to handle sustained write and read loads, and you should implement log rotation to prevent disk exhaustion.
• Check that the max_message_size setting is sufficient for your largest Common Event Format (CEF) payloads. The default is 10KiB, and logs that exceed this size will be truncated.
• Isolate Citrix Web App Firewall specific logs from general system logs by using the -globalBindType APPFW_GLOBAL command on your Citrix appliance. This reduces the processing overhead on the Elastic Agent.
• Filter your logs at the source by configuring specific log levels. Focusing your collection on NOTICE or higher severity events helps you avoid processing low-value debugging information.
• Scale your deployment by using multiple Elastic Agents behind a network load balancer. It's best to place these agents in close network proximity to your Citrix appliances to minimize latency.
• Allocate sufficient CPU resources to your Elastic Agent hosts. High-velocity CEF data parsing and the use of complex processors can be CPU-intensive.

The following inputs are supported by this integration: These inputs can be used with this integration:

ssl.enabled: true
ssl.certificate: "/path/to/server.crt"
ssl.key: "/path/to/server.key"
ssl.certificate_authorities: ["/path/to/ca.crt"]
ssl.client_authentication: "optional"
		

This integration includes the following data stream:

The log data stream provides events from Citrix Web App Firewall of the following types: security violation logs, policy match logs, and system audit logs. It supports logs in both standard syslog format and Common Event Format (CEF).

The following fields are exported by this data stream: Exported fields

{
    "@timestamp": "2012-12-18T21:46:17.000Z",
    "agent": {
        "ephemeral_id": "9153862d-f83f-4bd1-bbc9-c3ff3d96e726",
        "id": "e30119bc-b47d-4e56-86e3-4a9683305c6e",
        "name": "docker-fleet-agent",
        "type": "filebeat",
        "version": "8.2.3"
    },
    "citrix": {
        "cef_format": true,
        "cef_version": "0",
        "detail": "CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_STARTURL|6|src=175.16.199.1 spt=54711 method=GET request=http://vpx247.example.net/FFC/login_post.html?abc\\=def msg=Disallow Illegal URL. cn1=465 cn2=535 cs1=profile1 cs2=PPE0 cs3=IliG4Dxp1SjOhKVRDVBXmqvAaIcA000 cs4=ALERT cs5=2012 act=not blocked",
        "device_event_class_id": "APPFW",
        "device_product": "NetScaler",
        "device_vendor": "Citrix",
        "device_version": "NS10.0",
        "facility": "local0",
        "name": "APPFW_STARTURL",
        "ppe_id": "PPE0",
        "priority": "info",
        "profile_name": "profile1",
        "session_id": "IliG4Dxp1SjOhKVRDVBXmqvAaIcA000",
        "severity": "ALERT"
    },
    "client": {
        "geo": {
            "city_name": "London",
            "continent_name": "Europe",
            "country_iso_code": "GB",
            "country_name": "United Kingdom",
            "location": {
                "lat": 51.5142,
                "lon": -0.0931
            },
            "region_iso_code": "GB-ENG",
            "region_name": "England"
        },
        "ip": "81.2.69.144"
    },
    "data_stream": {
        "dataset": "citrix_waf.log",
        "namespace": "ep",
        "type": "logs"
    },
    "ecs": {
        "version": "8.17.0"
    },
    "elastic_agent": {
        "id": "e30119bc-b47d-4e56-86e3-4a9683305c6e",
        "snapshot": false,
        "version": "8.2.3"
    },
    "event": {
        "action": "not blocked",
        "agent_id_status": "verified",
        "dataset": "citrix_waf.log",
        "id": "465",
        "ingested": "2022-07-12T00:06:17Z",
        "original": "Dec 18 21:46:17 <local0.info> 81.2.69.144 CEF:0|Citrix|NetScaler|NS10.0|APPFW|APPFW_STARTURL|6|src=175.16.199.1 spt=54711 method=GET request=http://vpx247.example.net/FFC/login_post.html?abc\\=def msg=Disallow Illegal URL. cn1=465 cn2=535 cs1=profile1 cs2=PPE0 cs3=IliG4Dxp1SjOhKVRDVBXmqvAaIcA000 cs4=ALERT cs5=2012 act=not blocked",
        "severity": 6,
        "timezone": "+00:00"
    },
    "http": {
        "request": {
            "id": "535",
            "method": "GET"
        }
    },
    "input": {
        "type": "tcp"
    },
    "log": {
        "source": {
            "address": "172.22.0.4:41588"
        }
    },
    "message": "Disallow Illegal URL.",
    "source": {
        "geo": {
            "city_name": "Changchun",
            "continent_name": "Asia",
            "country_iso_code": "CN",
            "country_name": "China",
            "location": {
                "lat": 43.88,
                "lon": 125.3228
            },
            "region_iso_code": "CN-22",
            "region_name": "Jilin Sheng"
        },
        "ip": "175.16.199.1",
        "port": 54711
    },
    "tags": [
        "preserve_original_event",
        "citrix_waf",
        "forwarded"
    ],
    "url": {
        "domain": "vpx247.example.net",
        "extension": "html",
        "original": "http://vpx247.example.net/FFC/login_post.html?abc\\=def",
        "path": "/FFC/login_post.html",
        "query": "abc\\=def",
        "scheme": "http"
    }
}
		

For more information about Citrix Web App Firewall logs and configuration, refer to the following vendor resources:

• Web App Firewall logs - NetScaler Documentation
• NetScaler AppFirewall: Configuration, CEF logging, Signatures
• Send logs to external syslog server
• Citrix ADC Auditing Policies

This integration includes one or more Kibana dashboards that visualizes the data collected by the integration. The screenshots below illustrate how the ingested data is displayed.

×