Skip to main content

Purpose

This article instructs administrators on how to forward failed login attempts from the Citrix App Layering web console to a SIEM / Syslog log collector like Splunk.

Audience

For system administrators responsible for managing the Citrix App Layering appliance, particularly those concerned with auditing logon failures, this article will provide a detailed walkthrough on leveraging the Linux shell and SSH capabilities to accomplish this task. This method is especially valuable given that AppLayering itself does not natively support direct log monitoring or alerting on such events.

Reference Configuration

Our reference configuration would be a Citrix App Layering appliance (formerly ELM) with LDAP configured for logons. This entails the following requirements.

  • Citrix App Layering appliance
  • App Layering root account
  • LDAP configured within the appliance

Limitations of App Layering Appliance

App Layering does not natively have a way to forward logs, so administrators of this appliance are left looking for other ways to make this happen. Given that the appliance is built upon CentOS 7.9, the native tools provided in the operating system can be used to facilitate this requirement. Logs generated from the appliance are stored in flat files that can be accessed through many different methods. However, for the sake of simplicity, we will cover a quick way to forward logs.

Disclaimer

As we are making changes to the underlying appliance OS, it is possible an upgrade might revert the settings we’ll make. So, as a good practice, post-appliance upgrades would be prudent to validate that the logging configuration is still functioning and the configurations are in place. It is also possible that the ability to achieve the desired outcome is added to the appliance in the future natively. At this time, the configurations outlined below should ideally be removed.

Configuration Steps

Step 1

To begin, access the App Layering console and then generate some login failure attempts using any web browser.

citrix app layering elm appliance syslog config

Step 2

Log into the appliance using the root account and confirm that the login attempts are being recorded inside the /var/log/Unidesk/web.log file. As seen in the picture below, this grep command will return all the single lines that contain the username and the IP address (removed).

# grep -i “Attempted login” /var/log/Unidesk/web.log

citrix app layering elm appliance syslog config

Step 3

The web.log file contains attempted logins, among other information related to the console. Now it is time to use rsyslog, which comes with CentOS. The directives provided can either be appended into “/etc/rsyslog.conf” or “/etc/rsyslog.d/10-weblogin.conf.” The rsyslog.d directory adds any .conf file into the main rsyslog.conf file, so the base filename can be anything. The text editor vi is my go-to. However, any text editor installed on CentOS can be used if that is the preferred way.

Here, I will be using the legacy syntax for rsyslog. This is the simplest version of what can be done with Syslog to poll through the /var/log/Unidesk/web.log file for any occurrence of “Attempted login” and send it out to the listening server using UDP (designated with @@).

citrix app layering elm appliance syslog config

Step 4

With the use of a state file, this would prevent sending out duplicate data. The state file can be seen in /var/lib/rsyslog/ for troubleshooting purposes.

citrix app layering elm appliance syslog config

$ModLoad imfile

$InputFileName /var/log/Unidesk/web.log

$InputFileTag login:

$InputFileStateFile statefile-web.log

$InputFileSeverity error

$InputFileFacility local7

$InputRunFileMonitor

:msg, contains, “Attempted login” @@<server>:514

Step 5

Once the config file looks as expected, restart the rsyslog service and verify that the logs are seen remotely. Verify that the service is running after a restart and there were not any typos in the directives strong enough to make the service fail to load.

# systemctl restart rsyslog

# systemctl status rsyslog

citrix app layering elm appliance syslog config

Step 6

When troubleshooting, tcpdump can be a quick way to verify that traffic is being sent out. The bad udp checksum can be ignored, however, verifying that the exact facility.error and message content are being sent can speed up diagnosing any blocks along the path to the log server.

citrix app layering elm appliance syslog config

Step 7

As seen below, Events are now being stored persistently in Splunk and in this case being stored in a new index (that was created outside of this article).

Conclusion

This use of rsyslog is straightforward and quite simple however, the ability to load additional modules and transform this single line into a JSON format is available if additional information is required. Rsyslog is a standard and powerful logging utility installed by default with CentOS that would otherwise not be able to fulfill any request for login failure attempts otherwise on this appliance natively.

  • Michael Wieloch
    Michael Wieloch

    Michael is a multi-disciplinary consultant with expertise in digital workspaces, networking, security, virtualization, DevOps, and Linux. When not engineering systems or building ZFS clusters, he enjoys cruising the streets on his motorcycle.

Subscribe
Notify of
guest

0 Comments
Inline Feedbacks
View all comments

Redefine Your Approach to Technology and Innovation

Schedule a call to discover how customized solutions crafted for your success can drive exceptional outcomes, with Ferroque as your strategic ally.