Splunk® Supported Add-ons

Splunk Add-on for Citrix NetScaler

Source types for the Splunk Add-on for Citrix NetScaler

The Splunk Add-on for Citrix NetScaler supplies or expects the following source types, depending on the data sources and collection methods that you configure: syslog, IPFIX, or the NITRO API.

Collection method or source Description Source type CIM and ITSI module compatibility
NITRO API To collect NetScaler status data from any of the more than 1000 endpoints of the NITRO API, configure the modular input provided in this add-on. citrix:netscaler:nitro Inventory, Load Balancer



IPFIX Since the IPFIX add-on has been deprecated, Splunk best practice is to configure Splunk Stream to collect data using the IPFIX protocol. For more information, see the Configure Citrix NetScaler to produce data via IPFIX or syslog and Configuration for Stream compatibility topics in this manual. stream:netflow None
Information about network sessions and connections, as well as syslog data for logins, logouts, device status changes, and network status changes. Manually set the source type to citrix:netscaler:ipfix for all IPFIX input data. The add-on automatically appends :syslog to data that is in this format. citrix:netscaler:ipfix Web Server, Load Balancer
citrix:netscaler:ipfix:syslog Authentication, Network Traffic,

Change, Load Balancer

UDP Events including logins, logouts, firewall activity, device status changes, and network status changes. If you configure your Citrix NetScaler device to produce data over syslog, use this source type when you set up a UDP listener on your collector node. The add-on automatically update sourcetype to citrix:netscaler:appfw for firewall data which is in native format and also automatically update sourcetype to citrix:netscaler:appfw:cef for firewall data which is in CEF format. citrix:netscaler:syslog Authentication, Network Traffic,

Change, Load Balancer

citrix:netscaler:appfw Intrusion Detection
citrix:netscaler:appfw:cef Intrusion Detection
Internal logs The add-on's internal logs are automatically source typed as citrix:netscaler. citrix:netscaler None
Last modified on 20 December, 2023
Lookups for the Splunk Add-on for Citrix NetScaler   Release notes for the Splunk Add-on for Citrix NetScaler

This documentation applies to the following versions of Splunk® Supported Add-ons: released

Acrobat logo Download manual
Acrobat logo Download this page

Was this topic useful?







You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters