Netscaler Management and Analytics System (NMAS) is a great tool for managing your Netscaler estate and gaining insight into the traffic flows. In saying that, it doesn’t capture traffic from clients who are connecting to a DNS Load Balanced virtual server, and this is a requirement I recently came across. To capture this traffic, we need to enable syslogs with some minor tweaks. In this case I utilised the built-in syslog server on NMAS, but you could also use the one on the Netscaler itself or a third party solution.

  • Netscaler: 12.0
  • Netscaler MAS: 12.0 56.20

1. Enable syslog on the Netscaler

I did this configuration piece from NMAS, but it can be done on the Netscaler itself too. In NMAS, select your Netscaler instance and click on ‘Configure Syslog’. Tick the ‘Enable’ checkbox and select the logging levels you would like to capture. As this is a lab, I selected ‘All’ but in reality you would probably want to turn off ‘Debug’. To capture DNS query traffic, ‘Informational’ must be selected.

Once done, a syslog server and a policy will have been added to the selected Netscaler instance.

2. Configure syslog to capture DNS traffic

By default, the syslog server created above will not capture DNS traffic. To enable this, edit the syslog server on the Netscaler itself (System / Auditing / Syslog / Servers) and tick ‘DNS’.

3. Set up a DNS Profile on the virtual server

Now modify the DNS virtual server and add a DNS Profile to enable query logging. Go into your DNS virtual server, click the edit button under ‘Profiles’ and then click on the ‘Add’ button. Name your DNS profile and only tick ‘Query Logging’. Click on ‘Create’ and save the changes to the virtual server.

4. View captured traffic

Generate some DNS traffic and view the logs in the NMAS syslog viewer (Networks / Events / Syslog Messages).

That is it and even though it might not be as ‘pretty’ as TCP/Security insight data, it will provide you with the information you need.

NOTE: The syslog viewer search function on NMAS seems a bit limited, as you can only ‘Search in the current page’. I’ve queried this with Citrix and the functionality enhancement is currently open under ENH0693183, with tentative delivery expected in Q3 2018.
UPDATE: This was fixed in version 12.0 Build 57.19.