Question about RFEs & Citrix NetScaler Web Logging Client

I’m working on getting Citrix NetScaler Web Logging Client log events into QRadar.
I’ve submitted an RFE for a DSM for this.
Citrix NetScaler and Access Gateway is supported for the Admin events and the VPN events.
The websites that are behind the load-balance or reverse-proxy function are not supported by a QRadar DSM. The Citrix NetScaler Web Logging Client runs on a Windows Server, where I can use WinCollect to pick up the text files that are formatted similarly to IIS logs in text files.
For example, our Exchange OWA sites are behind the NetScaler and sending Exchange IIS logs to QRadar.
In these logs, the Internet source IP is only the NetScaler Subnet IP, not the true source IP.
We want to capture the NetScaler Web Logging Client’s log files to be able to correlate the real source IP. The default formatting of fields is similar to Exchange OWA and IIS log formats. I’m working on the NetScaler Web Logging Client config to modify the field formatting, but their doco is thin.

Two questions:
1) What is the decision process for RFEs?
2) Has anyone else encountered this, getting Citrix NetScaler Web Logging Client logs into QRadar to correlate with other types of web server logs?


