Splunk® Supported Add-ons

Splunk Add-on for Citrix NetScaler

Acrobat logo Download manual as PDF


Acrobat logo Download topic as PDF

Configure NITRO API inputs for the Splunk Add-on for Citrix NetScaler

The Splunk Add-on for Citrix NetScaler collects data from your Citrix NetScaler appliances from the NITRO REST API using a modular input. You can configure this input using Splunk Web on your heavy forwarder, or manually in the configuration files by following these steps:

  1. Specify your communication method.
  2. Configure a connection to your Citrix NetScaler appliances to define where the add-on should get the data.
  3. Create one or more metric templates made up of one or many NITRO API metric endpoints to define what data to collect.
  4. Configure inputs. For each input, you select one or more appliances, one or more templates, and set the polling interval and destination index for the data.

The following sections describe these steps in more detail.

Specify your communication method

By default, communication from the Splunk Add-on for Citrix Netscaler to your Netscaler servers are encrypted via HTTPS with SSL-certificate validation enabled. If your Netscaler server is configured with HTTPS and a valid CA signed certificate, then the communication to Netscaler server works with default configurations.

HTTPS using a self-signed certificate

If your Netscaler server is configured with HTTPS using a self-signed certificate, follow these steps:

  1. Download the CA certificate of the Netscaler server in PEM format.
  2. Place the CA certificate in your $SPLUNK_HOME/etc/apps/Splunk_TA_citrix-netscaler/local folder.
  3. Copy $SPLUNK_HOME/etc/apps/Splunk_TA_citrix-netscaler/default/splunk_ta_citrix_netscaler_settings.conf in your $SPLUNK_HOME/etc/apps/Splunk_TA_citrix-netscaler/local folder.
  4. Provide the path of the CA certificate file, including the file name, in $SPLUNK_HOME/etc/apps/Splunk_TA_citrix-netscaler/local/splunk_ta_citrix_netscaler_settings.conf in the additional_parameters stanza.
  5. Save your changes.
  6. Restart the Splunk platform.

Alternatively, you can follow these steps:

  1. Download the CA certificate of the Netscaler server in PEM format.
  2. Copy the content of your CA certificate in $SPLUNK_HOME/etc/apps/Splunk_TA_citrix-netscaler/lib/ucc_py2/httplib2/cacerts.txt. If you are using version 8.0.x or above of the Splunk platform, use $SPLUNK_HOME/etc/apps/Splunk_TA_citrix-netscaler/lib/ucc_py3/httplib2/cacerts.txt.
  3. Save your changes.

HTTP configuration

If your Netscaler server only supports HTTP communications, follow these steps:

  1. Change the value of the http_scheme field to HTTP instead of HTTPS in your $SPLUNK_HOME/etc/apps/Splunk_TA_citrix-netscaler/local/splunk_ta_citrix_netscaler_settings.conf file under the additional_parameters stanza.
  2. Save your changes.
  3. Restart the Splunk platform.

Configure modular inputs using Splunk Web

Access the Splunk Add-on for Citrix NetScaler by selecting it from the left banner on the Splunk Web home screen, or, from anywhere else in Splunk Web, by selecting Apps > Manage Apps, then selecting Launch app in the row for Splunk Add-on for Citrix NetScaler.

You can now configure inputs using the Configuration menu.

Note: Do not go to the Splunk Add-on for Citrix NetScaler configuration page under Settings > Data Inputs to configure NITRO API inputs. This page has been deprecated.

Configure appliances

  1. Under Configuration, select Appliance.
  2. Click Add New Appliance.
  3. Fill out the fields:
    Field Description
    Name A unique name for the appliance.
    Description Optional. A description for the appliance.
    Host The host or IP address of your Citrix NetScaler appliance.
    Username Only required if your Citrix NetScaler appliance requires authentication. The username to use to access the appliance.
    Password Only required if your Citrix NetScaler appliance requires authentication. The password to use to access the appliance.
  4. Click Add.
  5. Repeat steps 2 - 4 for each Citrix NetScaler appliance from which you want to collect data.

Configure templates

  1. Under Configuration, select Template.
  2. Click Add New Template and fill out the fields:
    Field Description
    Name A unique name for the template.
    Description Optional. A description for the template.
    Metrics The Citrix NetScaler metrics that you want to collect data from. You can theoretically include any number of metrics in a single template, but for best results, you should limit the number of metrics that you include in a single template to avoid overloading the Citrix NetScaler server. Metrics should be limited to no more than 15 within one template. You should also avoid creating many individual templates, each with just one or very few metrics, to avoid overloading the Citrix NetScaler server with too many concurrent sessions. If the metrics you select require additional parameters, the Parameters textbox appears. Add additional resource specifications, arguments, filters, or parameters to specify the API call you want to make. Encode any spaces using %20.

    Examples:
    <metriccategory>/<metric>/<value>
    <metriccategory>/<metric>?<param>=<value>
    <metriccategory>/<metric>?<param>=<value%20with%20spaces>
    <metriccategory>/<metric>?args=<param1>:<value>,<param2>:<value>
    For more information on the Citrix NetScaler NITRO API, refer to the NITRO API documentation.

  3. After you have added the metrics that you want to collect, click Add.
  4. You can return to this screen later to edit your existing templates, add new ones, or delete them.

Configure inputs

  1. Select Inputs.
  2. Click Create New Input and fill out the fields.
    Field Description
    Name A unique name for the input.
    Description Optional. A description for the input.
    Appliances The Citrix NetScaler appliances from which to collect data for this input.
    Templates The Citrix NetScaler templates to be used in this input. Although you can select as many templates as you want, for best results you should limit the number of templates that you invoke with a single task to avoid creating too many concurrent sessions.
    Collection Interval How long to wait before running the data collection task again, in seconds.
    Index The index in which to store Citrix NetScaler data. The default is main.
    You cannot override the source type for the input using Splunk Web. If you want to override the source type, do so in the configuration files.
  3. Click Add to create the input.
  4. Enable the input using Status toggle.
  5. Repeat these steps for any additional inputs you want to configure.

To validate that your inputs are working as expected, go to the Search & Reporting app and search for sourcetype=citrix:netscaler:nitro to confirm that Splunk Enterprise is indexing events through the add-on. See the Troubleshooting page for more guidance.

Configure a proxy

If you are using a proxy, complete these steps on the Configuration tab:

  1. Under Configuration, select Proxy
  2. Check Enable Proxy.
  3. Specify the ProxyHost, ProxyPort, ProxyUsername, and ProxyPassword values.
  4. Check DNS resolution if you want to perform DNS resolution through your proxy.
  5. Select the type of proxy to use in the Proxy Type field.
  6. Click Save.

Configure logging

If you want to change the logging level, complete these steps:

  1. Under Configuration, select Logging.
  2. Select your preferred logging level.
  3. Click Save.

Configure modular inputs manually in the configuration files

A best practice is to configure inputs using the UI to avoid typos. However, you can also configure them manually by creating a set of configuration files in $SPLUNK_HOME/etc/apps/Splunk_TA_citrix-netscaler/local.

Create citrix_netscaler_servers.conf

  1. Create a file called citrix_netscaler_servers.conf in $SPLUNK_HOME/etc/apps/Splunk_TA_citrix-netscaler/local.
  2. Copy the following example stanza into the file and provide values for each argument:
    [FriendlyNameforYourAppliance]
    account_name = 
    account_password = 
    description = <A useful description goes here>
    server_url = <Your Citrix NetScaler IP address>

    The Splunk platform encrypts the values for account_name and account_password when you save the file.


Create citrix_netscaler_templates.conf

  1. Create a file called citrix_netscaler_templates.conf in $SPLUNK_HOME/etc/apps/Splunk_TA_citrix-netscaler/local.
  2. Copy the following example stanza into the file and enter a list of correctly-formatted metrics, semicolon-separated, as the value for the content argument. citrix_netscaler_templates.conf
    [FriendlyNameforYourTemplate]
    content = config/aaaglobal_binding; config/aaagroup_aaauser_binding?action=enable

For assistance choosing metrics, use the Splunk Web configuration UI for this add-on to search and browse for the metrics and determine which ones require additional parameters. For a more information on the Citrix NetScaler NITRO API, refer to the NITRO API documentation.

For best results, limit the number of metrics that you include in a single template to avoid overloading the Citrix NetScaler server. Limit metrics to no more than 15 within one template. Also avoid creating many individual templates, each with just one or very few metrics, to avoid overloading the Citrix NetScaler server with too many concurrent sessions.

Create inputs.conf

  1. Create a file called inputs.conf in $SPLUNK_HOME/etc/apps/Splunk_TA_citrix-netscaler/local.
  2. Copy the following example stanza into the file and provide values for each argument. If you have multiple servers or templates in one input, separate them with a pipe as shown in the following example:


[citrix_netscaler://FriendlyNameforYourInput]
disabled = 0
index = default
duration = 360
servers = FriendlyNameforYourAppliance | AnotherAppliance
templates = FriendlyNameforYourTemplate | AnotherTemplate 

For best results, limit the number of metrics that you include in a single template to avoid overloading the Citrix NetScaler server. Limit metrics to no more than 15 within one template. Also avoid creating many individual templates, each with just one or very few metrics, to avoid overloading the Citrix NetScaler server with too many concurrent sessions.

To validate that the input is working as expected, go to the Splunk Search & Reporting app and search for sourcetype=citrix:netscaler:nitro to confirm that the Splunk platform is indexing events through the add-on. See Troubleshooting for more guidance.

Create splunk_ta_citrix_netscaler_settings.conf

  1. Create a file called splunk_ta_citrix_netscaler_settings.conf in $SPLUNK_HOME/etc/apps/Splunk_TA_citrix-netscaler/local.
  2. For Proxy, copy the following stanza into the file and provide values for each argument. [proxy] proxy_enabled = [0|1] proxy_type = [http|socks4|socks5] proxy_url = <string> proxy_port = <integer> proxy_username = <string> proxy_password = <string> proxy_rdns = [0|1]
  3. For Logging, copy the following stanza into the file and provide value for log level. [logging] loglevel = [DEBUG|INFO|ERROR]
Last modified on 09 February, 2021
PREVIOUS
Configure Citrix NetScaler to produce data via IPFIX or syslog
  NEXT
Configure IPFIX inputs for the Splunk Add-on for Citrix NetScaler

This documentation applies to the following versions of Splunk® Supported Add-ons: released


Was this documentation topic helpful?

You must be logged into splunk.com in order to post comments. Log in now.

Please try to keep this discussion focused on the content covered in this documentation topic. If you have a more general question about Splunk functionality or are experiencing a difficulty with Splunk, consider posting a question to Splunkbase Answers.

0 out of 1000 Characters