Skip to main content

Introduction

Often as Citrix Engineers and Administrators, we troubleshoot issues, and that involves inspecting log files. Recently, I had a request from one of our customers to provide them with log file locations of all the Citrix products they use, and surprisingly I found that there was no centralized repository for log file locations. With that being said, I have written this article, which attempts to cover log file locations of each Citrix product. It serves as a single point of reference for log file locations for various Citrix products and stands to be a living reference and will require updates over time. We will do our best to maintain this article on an ongoing basis and community feedback is always welcome.

Citrix Virtualization

Citrix Licensing

The following table contains important log file locations for Citrix licensing Server:

Log File Purpose Location
Access.log HTTP access events C:\Program Files\Citrix\Licensing\LS\LogsOn or C:\ProgramFiles(x86)\Citrix\Licensing\LSLogsOn
Citrix.log Licenses and license activities
Lmadmin.log License server, console, and administration activities
web.log Web server information

Citrix Delivery Controller (CVAD aka On-Prem Only)

The following table contains important log file locations for Citrix Desktop Delivery Controller:

Log File Purpose Location
XenDesktop Installation Contains Installation log for Citrix Xenapp/XenDesktop component C:\Users\<Install User>\AppData\Local\Temp\Citrix\XenDesktop Installer\
Setupapi.log  Setup log files %SystemRoot%\INF
Setuppaidev.log Setup log files with verbose logging
Citrix Broker Service.log Broker Service logs Set Custom path to log file within CDFControl
Xdlogs.etl Persistent CDF trace file Set Custom path to log file within CDFControl

 

For more information on Windows event log messages for Citrix Virtual Apps & Desktops, please refer to this article.

Citrix Cloud Connector (CVADS aka Citrix Cloud Only)

The following table contains log file location for Citrix Cloud Connector:

Log File Purpose Location
Windows Event logs To debug Proxy related connectivity for the Citrix Cloud Connector, registry settings need to be tweaked to enable logging of Proxy related messages in Windows Application logs. In Event Viewer >> Windows Application logs

Citrix Workspace Environment Manager

The following table contains important log file locations for Citrix Workspace Environment Manager (WEM) Agent & Infrastructure components:

Log File Purpose Location
Citrix WEM Agent Init.log WEM agent session logs  

 

%userprofile%

Citrix WEM Agent.log WEM agent session logs  

 

Citrix WEM Agent Host Service Debug.log WEM agent debug log %PROGRAMFILES(x86)%\Norskale\Norskale Agent Host
Norskale Agent Service WEM agent viewer logs Inside Event Viewer >> Application and Services logs
vuemUIAgent-Traces.svclog WCF trace for vuemUIAgent.exe C:\Trace
NorskaleAgentHostService-Traces.svclog WCF Traces for Norskale Agent Host Service C:\Trace
Norskale Broker Service WEM Infrastructure Broker Event logs Event Viewer >> Application and Services Logs
NorksaleInfrastructureBrokerService-Traces.svclog Norskale Broker Service log C:\Trace
Citrix WEM Console Trace.log WEM Console Debug log %userprofile%
WEMConsole-Traces.svclog WCF Trace of Norskale Broker Service C:\Trace
Citrix WEM Database Management Utility Debug Log.log WEM Database logs %PROGRAMFILES(x86)%\Norskale\Norskale Infrastructure Services

 

Citrix StoreFront

The following table contains important log file locations for Citrix StoreFront:

Log File Purpose Location
AGServices.svclog  StoreFront Service Logs C:\Program Files\Citrix\Receiver StoreFront\admin\Trace
ConfigurationRelication.svclog
DomainServices.svclog
PeerNameResolutionService.svclog
Roaming.svclog
ServiceMonitor.svclog
Store.svclog
Store2Auth.svclog
Store2Web.svclog
Store2000.svclog
StoreAuth.svclog
StoreWeb.svclog
SubscriptionStore.svclog
Ica.log Log file for launch.ica file Set custom path to log file
CitrixMsi.log Installation log file C:\Program Files\Citrix\Receiver StoreFront\logs
StoreFront Events Event logs for StoreFront Services In Event ViewerApplications and Services Logs > Citrix Delivery Services                      Or Windows Logs > Application

 

Note: In addition to verbose tracing on the StoreFront, Fiddler trace can be particularly useful when troubleshooting network issues between StoreFront services and Receiver for Web. For this, Fiddler trace should be enabled in StoreFront (Advanced settings), loopback must also be disabled. The confidentiality and integrity of outbound SSL connections which are proxied through fiddler maybe compromised during traffic capture. More information on how to perform the trace can be found here.

Citrix Workspace App

The following table contains important log file locations for Citrix Workspace App (Previously known as Citrix Receiver):

Log File Purpose Location
Receiver_.log Receiver logging – General %localappdata%\Citrix\Receiver
AuthManagerSDK-<Date>.log Receiver logging- Authentication Manager %localappdata%\Citrix\AuthManager
SelfService.log Receiver Logging – SelfService %localappdata%\Citrix\SelfService
trace-pnsson.log Single Sign On logs C:\Program Files(x86)\Citrix\Online Plugin\Logs(custom path can be set)
Receiver_Browser.log Receiver Logging – Browser %localappdata%\Citrix\Browser

Citrix Profile Management

The following table contains important log file locations for Citrix Profile Management (CPM):

Log File Purpose Location
Windows event log Windows event logs, used primarily for error reporting %SystemRoot%\system32\LogFiles
#_pm.log Profile management log file %SystemRoot%\system32\LogFiles\UserProfileManager
#_pm_config.log Profile management configuration log file %SystemRoot%\system32\LogFiles\UserProfileManager

 

Note: %SystemRoot%\System32\Logfiles\UserProfileManager is the default location for the path to save the log file, this can be changed to a UNC path. Citrix Virtual Desktops Machine Creation Services uses a local persistent folder which is mapped to the C drive (C:\Program Files\Citrix\PVS\Service\PersistedData).For non-persistent instances (PVS, MCS), Citrix recommends using a centralized file share to store log file(NTFS and SMB share permissions should be set for domain computers for read/write) or redirecting log files to a persistent drive attached to the VM so logs can be retained between reboots (this is commonly recommended for VDA event logs as well). Citrix UPM Log Parser can be leveraged to analyze the log files generated by Citrix Profile Management. Its installation and usage can be found here.

Citrix Virtual Delivery Agent

The following table contains important log file locations for Citrix Virtual Delivery Agent (VDA):

Log File Purpose Location
vda_log.log
(Windows VDA)
Contains Citrix VDA Registration and Services Information

Note: Logging needs to be manually enabled

Locate WorsktationAgent.exe.config (%ProgramFiles%\Citrix\Virtual Desktop Agent\)Under the <appSettings> section replace the value for LogtoCDF to 1

Set LogFileName to a custom path to store the log file

vda.log
(Linux VDA)
Trace level logs for Linux VDA

This is configured via /etc/xdl/brokeragent.conf

/var/log/xdl/vda.log
Windows Event Logs While troubleshooting VDA registration issues and VDA logon issues, windows event logs are helpful in determining root cause. In Event Viewer >> Windows Application logs

Select custom views

Create a custom view, select all event levels and specify the following event sources:

Citrix Desktop Service
Citrix HDX Audio
Citrix HDX MediaStream
Citrix ICA Service

 

Citrix Provisioning Services

The following table contains log file locations for Citrix Provisioning Services (PVS):

Log File Purpose Location
Target Side Logs  PVS Target logs C:\Program Data\Citrix\Provisioning Services\Log
CDF monitor trace files  CDF monitor trace files captured on PVS Server C:\Windows\cdfmonitor
Always on Tracing logs Always on tracing for SQL Server on PVS C:\ProgramData\Citrix\Provisioning Services\Log\AOT
Audit logs PVS provides administrators a way to troubleshoot and monitor recent changes impacting system performance and behavior. To enable auditing within PVS, follow steps listed here. In Citrix Provisioning Services console, right-click on a managed object, then select Audit Trail option. FilterResults option allows us to filter audit information based on parameters like user, date/time, action, type, domain, etc.

Citrix Director

The following table contains log locations for Citrix Director:

Log File Purpose Location
Log collection from IIS Logs are collected by changing the value field in Application setting within IIS

The values for the following settings are changed:

Log.Filename
Log.LogtoCdf
Log.LogtoConsole
Log.LogtoDebug
Log.LogtoFile
Log.IncludeLocation

Set path and filename of log file within Log.FileName application setting in IIS
CDF Trace files CDF Trace files collected for Director Service Select Custom Path within CDFControl (Tools >>Options)

 

Citrix App Layering

The following table contains log locations for Citrix App Layering:

Log File Purpose Location
Citrix Enterprise Layering Manager Logs Citrix ELM Log files contain useful information to resolve application layering issues. In Citrix Layering Management Console, select System>Manage Appliance

Click Export logsIn the Export log wizard, check the checkbox to include enterprise manager logs and complete the export process

Go to the tasks panel and click on the information button to download the .tgz file which contains the ELM logs

Ulayersvc.log Unidesk Service Layering log

Note: By default, ulayersvc.log only logs events INFO or higher. For detailed logging, edit ulayer.exe.config file

C:\ProgramData\Unidesk\Logs\ulayersvc.log
Layerinfo.log Unidesk LayerInfo log Select Custom Path within CDFControl (Tools >>Options)

 

Citrix Federated Authentication Services

The following table contains log locations for Citrix Federated Authentication Services (FAS):

Log File Purpose Location
Windows Event logs (FAS Server) Windows Application logs are particularly helpful while troubleshooting issues relating to User logons on the FAS Server. In Event Viewer >> Windows Application logs

Select custom views

Create a custom view, select all event levels and specify the following event source:

Citrix.Authentication.FederatedAuthenticationService

CAPI Logs (Domain Controllers & Client Machine) CAPI logs are useful while troubleshooting Authentication errors in a FAS deployment Enable logging for Microsoft/Windows/CAPI2/Operational Logs

CAPI logging can be controlled using registry key: CurrentControlSet\Services\crypt32

DiagLevel(value name) & 0 to 5 (DWORD)

DiagMatchAnyMask(value name) & 0xfffffff(QUADWORD)

DiagProcessName(value name) & process name (Multi_SZ)

View logs in Event viewer >> Security logs

 

Kerberos Logs

(Domain Controllers & Client Machine)

Kerberos logs are useful while troubleshooting Authentication errors in a FAS deployment  

Enable logging on Domain Controller and end user machine by creating the following registry values:

CurrentControlSet\Control\Lsa\Kerberos\Parameters

Log Level (value name) & 0x1(DWORD)

KerbDebuglevel (value name) & 0xfffffff (DWORD)

CurrentControlSet\Control\Lsa\Kerberos\Parameters

KdcDebugLevel(value name) & 0x1(DWORD)

KdcExtraLogLevel(value name) & 0x1f(DWORD)

 

View logs in Event viewer >> Security logs

 

Windows Event log Messages (Domain Controller & Client Machine) Log entries on the Domain controller and user workstation when users logon with a certificate issued by FAS. The following log messages can be useful:

·       Domain Controller CAPI2 log

·       Domain Controller Security logs

·       VDA security log

·       VDA CAPI log

·       VDA system log

View logs in Event viewer >> Security logs

 

 

Citrix Hypervisor (XenServer)

The following table contains log locations for Citrix Hypervisor:

Log File   Purpose  Location
XenCenter.log XenCenter client logs %appdata%\Citrix\XenCenter
XenCenter Audit Trail.log Additional user-specific logs %appdata%\Citrix\XenCenter
Kern.log, dmesg XS kernel, disk, NIC messages /var/log
Xensource.log XS command (XAPI) debug logs /var/log
Daemon.log Openswitch daemon logs /var/log
Fvt.log Sanity tests of hardware across reboots /var/log/fvt

Citrix Networking

Citrix ADC (NetScaler)

The following table contains the important log file and dump file locations for Citrix ADC:

Log File   Purpose  Location
newnslog

(Read via nsconmsgs command)

Main log file in netscaler data format /var/nslog
newnslog.xx.gz Newnslog file (archived) /var/nslog
nstrace.x Trace file collected after running nstrace.sh /var/nstrace
vmcore.x.gz Dump file obtained during crash /var/crash
kernel.x Kernel dump file obtained during crash /var/crash
savecore.log Log file for core dump /tmp
ns.log Syslog file for ADC System /var/log
messages Logged entries /var/log
auth.log Logs for Authentication/Authorization /var/log
dmesg.* Logs containing Hardware/Boot sequence errors /var/nslog
Iprep.log IP reputation logs /var/log
EPA logs

Scan done by EPA Plugin

nsepa.txt (older scans)/epahelper_epa_plugin.txt (newer scans/OPSWAT)

Scan done by native plugin

nssslvpn.txt (older scans)/epahelper.txt (newer scans and OPSWAT)

 

Logs for Endpoint Analysis

 

Note: Logging needs to be enabled on the ADC for logs to be seen on the client machine, this should be enabled only temporarily for troubleshooting purposes. The process of enabling EPA logs on client machines is described here.

For Windows Vista, 7, 8, and 10:

C:\Users\<username>\AppData\Local\Citrix\AGEE

 

For Mac OS X systems:

~/Library/Application Support/Citrix/EPAPlugin

 

Citrix ADC (NetScaler) – SDX

The following table contains log locations for Citrix ADC SDX – SVM and Citrix Hypervisor (previously XenServer):

Log File (SVM)   Purpose  Location
mps_config.log All SVM configuration logs /var/mps/log
mps_inventory.log SVM’s inventory system that polls for the state of VMs on SDX /var/mps/log
mps_service.log UI to SVM backend activity log /var/mps/log
mps_event.log SVM generated info /var/mps/log
mps_stat.log SVM statistics collection messages /var/mps/log
System_health/* SDX health info that is reflected on SDX dashboard /var/mps
Upgradebundle.log Single bundle upgrade process status log /var/mps/log
Log File (XenServer)   Purpose  Location
Kern.log, dmesg XS kernel, disk, NIC messages /var/log
Xensource.log XS command (XAPI) debug logs /var/log
Daemon.log Openswitch daemon logs /var/log
Fvt.log Sanity tests of hardware across reboots /var/log/fvt
Installer XS upgrade logs during factory reset/single bundle upgrades/clean install /var/mps/log

Citrix ADM (MAS)

The following table contains the important log file locations for Citrix Application Delivery Management (ADM):

Log File Purpose Location
mps_control.log Responsible for restarting any subsystem if it crashes /var/mps/log
mps_service.log Any request from UI/API will hit the service subsystem. Based on the request, it might process the request or route it to the appropriate subsystem. /var/mps/log
mps_inventory.log It does inventory from ADC/SD-WAN instances and updates instance’s information in the database. /var/mps/log

Citrix SD-WAN

The following table contains log locations for Citrix SD-WAN:

Log File Purpose Location
SDWAN_access.log User access attempts get logged here. In SD-WAN version 9.x, the logs are stored in the following path:

 

<Diagnostic Data File Name>/home/talariuser/log/diag/vw_sts_dir.zip

In SD-WAN version 10.x, the logs are stored in the following path:

 

<Diagnostic Data File Name>/vw_sts_dir.zip

For information on how to collect diagnostic data on Citrix SD-WAN refer here.

SDWAN_common.log Logs important information about the state of t2_app
SDWAN_config_update.log Logs related to the configuration changes
SDWAN_db.log This is for logging appliance connecting to following databases: config, reports, events, routing
SDWAN_Diagnostics.log Debug commands that are snapshots of current status of the software/data structures/counters
SDWAN_dynamic_conduit.log Logs detailing the state of dynamic conduit bring up and tear down
SDWAN_dyanmic_virtual_path.log Logs detailing the state of dynamic virtual_path bring up and tear down
SDWAN_events.log Logging from event processing are logged here
SDWAN_exceptions.log  

NetScaler SD-WAN software exceptions are logged here

SDWAN_filetransfer.log Logs related to change management distributing files across the network
SDWAN_firewall.log Firewall and NAT related events
SDWAN_hd.log Logging from hard disk monitoring are logged here
SDWAN_init.log Logging from process monitor are logged here
SDWAN_ip_learned.log Logs related to IP learning
SDWAN_management.log The activities of the management tools are logged here
SDWAN_paths.log Verbose details about what is seen on network paths
SDWAN_routes.log Logs related to route distribution through the Virtual WAN network
SDWAN_security.log Logs related to virtual path encryption and key rotation
SDWAN_snmp_poll.log Logs related to using SNMP to poll logs and counters
SDWAN_traffic_impact.log Logs related to tracking the amount of downtime a configuration change could cause
SDWAN_wd.log Logs related to the state of the watchdog
SDWAN_webconsole.log Logging from the UI code in goes here
SDWAN_hd.log Logging from hard disk monitoring are logged here
SDWAN_init.log Logging from process monitor are logged here
SDWAN_ip_learned.log  

Logs related to IP learning

all_routing_protocols.txt Import and Export filter Route´s counters
archive In this directory will exported the previous configuration files
Coredump* Directory that contains the main logs related to a memory crash
Current_cfg.txt The active configuration file name
 

Dynamic_routes.txt

 

SDWAN appliance Routing Table

Eth_*.cap Data captures from all the appliance interfaces
Icmp.log TTL expire Errors
Init.log Service initialization logs go in this file
Install_azure_services.log Installation logns in Azure
Install_esx_tools.log  

Installation logs in VMWare ESX

Install_kvm_tools.log  

Installation logs in KVM

Last_1000_path_events.txt Records the physical path congestion and bouncing events
Last_10000_events.txt records the last 10 000 events in the SDWAN
Ssup_upgrade.log Single Step Uprgare logs
Top.log Logs the SD-WAN processor’s top command periodically

 

Citrix Mobility

Citrix Content Collaboration (ShareFile)

The following table contains log file locations for Citrix Content Collaboration (previously ShareFile) Applications:

Log File (Client logs) Location
ShareFile Migration Tool C:\Users\%USERNAME%\AppData\Roaming\Citrix\ShareFile\Migration Tool\Logs
Citrix Sync for Windows Logs C:\Users\%USERNAME%\AppData\Local\Temp\ShareFile
Drive Mapper Logs C:\Users\%USERNAME%\AppData\Local\Temp\ShareFile
ShareFile

Desktop

(Windows)

Tool logs – C:\Users\%USERNAME%\AppData\Local\ShareFile\Desktop\Logs\

Installer logs – C:\Users\%USERNAME%\AppData\Local\Temp

Update logs – C:\Users\%USERNAME%\AppData\Local\Temp\ShareFile

ShareFile for Windows

 

Citrix Files

C:\Users\%USERNAME%\AppData\Local\Citrix\ShareFile\SFWindows

 

C:\Users\%USERNAME%\AppData\Local\Citrix\Citrix Files\Logs

ShareFile Desktop (Mac)

 

Citrix Files for Mac

~/Library/Logs/com.sharefile.desktop.widget

 

~/Library/Logs/com.sharefile.desktop.widget

Outlook

Plugin

Tool logs – C:\Users\%USERNAME%\AppData\Roaming\ShareFile\Outlook

Installer logs – C:\Users\%USERNAME%\AppData\Local\Temp\ShareFile

adx logs – C:\Users\%USERNAME%\documents\Add-in Express AND C:\Users\%USERNAME%\AppData\Local\Temp\ShareFile Outlook Plug-in

Citrix Files for

Outlook

Tool logs – C:\Users\%USERNAME%\AppData\Roaming\Citrix\Citrix Files for Outlook

adx logs – C:\Users\%USERNAME%\documents\Add-in Express AND C:\Users\%USERNAME%\AppData\Local\Temp\Citrix Files for Outlook

Medical Image Uploader C:\Users\%USERNAME%\AppData\Local\Temp\ShareFile Medical Image Uploader
Enterprise

Sync Manager

Win XP or Server 2003: C:\Documents and Settings\All Users\Application Data\ShareFile\EnterpriseSync
Print to ShareFile C:\Users\%USERNAME%\AppData\Local\ShareFile\PrintToShareFile\Logs\
Scan to ShareFile C:\Users\USERNAME\Desktop\ScanSnap ShareFile Integration Reports
On-Demand Sync Logs JIT config logs located C:\users\%USERNAME%\Appdata\Local\Temp\ShareFile

(they will be the SyncJITConfig logs)

 

C:\Windows\Temp\ShareFile – Typically the corresponding path is

C:\Windows\Temp– but may be different based on environment configuration.

The SyncUpdateService log file names are in the format:SyncService2_<timestamp>.log.

Desktop Sync C:\Users\%UserName%\AppData\Roaming\com.sharefile.sfsync.Desktop\Local Store
Desktop Widget Documents\ShareFile\Sfdw-log.txt
 

Desktop Sync for Mac

 

 

~/Library/Preferences/com.sharefile.sfsync.Desktop

User

Management

Tool (UMT)

C:\ProgramData\Citrix\ShareFile\User Management Tool (Grab the umt.log file / and the .results file in the “Results” folder)

C:\Users\%USERNAME%\AppData\Local\ShareFile\UMT\Logs

C:\ProgramData\Citrix\ShareFile\User Management Tool\Jobs

iOS 8 General > Privacy > Diagnostics & Usage > Diagnostic & Usage Data > Per-App or System logs here
Android Customers can submit the Android logs within the ShareFile App → Tap three bar / settings button – tap Help and Feedback, tap Send Log to ShareFile, get receipt number for our reference
Log File (Server logs) Location
StorageZone

Controller Logs

C:\inetpub\wwwroot\Citrix\StorageCenter\SC\logs

 

C:\inetpub\wwwroot\Citrix\StorageCenter\S3Uploader

 

IIS Logs: C:\inetpub\logs\LogFiles\W3SVC1

 

Citrix Endpoint Management (XenMobile)

The following table contains log file information for Citrix Endpoint Management (previously XenMobile):

Log File Purpose Location
Debug Log Contains useful information to debug error messages or server related actions
Admin Audit Log Audit information about activity on XenMobile console  In the XenMobile Console, click the wrench icon to open the Support page

Under Log Operations, click logs to view the logs

Upon Selecting a specific log file, the following            operations can be performed:

·       Download All

·       View

·       Rotate

·       Download

·       Delete

User Audit Log Information related to configured users For information on How to configure logging on Citrix Endpoint Management refer here.

===Supplemental Log Guidance===

ADC Troubleshooting

Citrix ADC provides several diagnostic tools to view console messages, event messages, and download traces.  Most of these utilities are available directly within the Citrix ADC GUI. This section focuses on command line diagnostic tools which can be leveraged in troubleshooting the Citrix ADC.

Command Line Diagnostics

nstrace.sh:  nstrace.sh is a Citrix ADC utility (script file) that allows network administrators to take ADC traces from the appliance.  The Citrix ADC trace captures all traffic going through the ADC appliance at any given time. The syntax for nstrace.sh is /ADC/nstrace.sh –sz0 –tcpdump 1.

This syntax will automatically create a trace file in the /var/nstrace directory. The administrator can press Ctrl-C on the keyboard to stop the trace. This trace can then be downloaded to a local host (via PSCP, WinSCP) and viewed on any packet capture program (i.e. Wireshark).

nstcpdump.sh: The /ADC/nstcpdump.sh script is a utility that emulates tcpdump syntax on ADC interfaces.  The main benefit of using nstcpdump.sh includes its filtering ability. Below is an example:

/ADC/nstcpdump.sh –w /var/nstrace/ftp.pcap host 192.168.1.1 and host 192.168.1.2 and tcp.port==21

The above filter allows for all FTP traffic between 192.168.1.1 and 192.168.1.2 to be captured on the Citrix ADC and downloaded to /var/nstrace/ftp.pcap.  This file can be downloaded to a local machine and viewed on Wireshark for easier analysis.

Local SYSLOG:  ADC stores all log files locally on the appliance under /var/log/ns.log. Details regarding authentication errors or ADC can be viewed by running the following command:

>shell

# cat /var/log/ns.log

tail –f /var/log/ns.log

Authentication Debugging Tools:  ADC provides a debugging utility to check for authentication successes and failures. Group extraction can also be validated using this utility. User details including group extraction can be viewed on screen by typing the following command, while a user is logging on to the VPN:

>shell

# cat /tmp/aaad.debug

The output of the command will provide helpful details on the authentication scheme used, success, failures, and cause of failures (i.e. incorrect password, bad bindings etc.).

Console Message Diagnostics:  The Citrix ADC provides useful console messages that can shed light on ADC performance. For example, using the following command below can easily identify IP address conflicts and duplex mismatches:

> shell

# nsconmsg -K newnslog -d consmsg (live)

or

# nsconmsg -K newnslog –K /var/nslog/newnslog -d consmsg (from latest file)

Event Message Diagnostics:  The Citrix ADC provides useful event messages that can provide insight on the status of configured ADC services and high availability. For example, the status of a specific configured service or notification of a failover or a reboot can be identified by running the command below:

> shell

# nsconmsg -K newnslog -d event (live)

or

# nsconmsg -K newnslog –K /var/nslog/newnslog -d event (from latest file)

 EPA Logging

By default, EPA plugin as well as VPN plugin does not log anything related to client machine for security reasons. From Citrix ADC version 11.0.64.34 onward, Citrix has introduced “EPA verbose logging” to enhance EPA troubleshooting. This setting is enabled on the Citrix ADC globally, and new EPA scan attempts will result in logs on the client. It is recommended once troubleshooting or pilot have concluded, to remove this logging setting from the Citrix ADC, so bad actors cannot gain insight via client logs, as to what the EPA scan is looking for.

The EPA scan failure logs are written in human readable language, so troubleshooting can be done on the user end without involving the administrator.

The following can be achieved using this EPA feature:

  • Provide verbose logging of which EPA scans passed/failed on the ADC
  • Display human readable logs for EPA scan failure on the client machine

Through CLI the following command can be run on the ADC for PreAuth and PostAuth EPA logging:

>set vpn param -clientSecurityLog ON

Note: vpn param must be set for PreAuth and PostAuth logging. If the clientSecurityLog is modified in a SessionAction whose Session Policy has ClientSecurity as the rule, the clientSecurityLog value in SessionAction will not be honored. All these settings must be configured at a global level under Citrix Gateway.

For Windows Vista, 7, 8, 8.1, and 10 the log file location is:

C:\Users\<username>\AppData\Local\Citrix\AGEE

For Windows XP:

C:\Documents and Settings\All Users\Application Data\Citrix\AGEE

For Mac OS:

~/Library/Application Support/Citrix/EPAPlugin/

All failed EPA scans are logged as error messages and successful scans are logged as debug messages. By default, error messages are logged in ns.log and to log debug messages in ns.log the loglevel needs to be increased to DEBUG. This can be done via the command line using the following command:

>set audit syslogParams -loglevel ALL

Note: It is recommended to remove debug logging once troubleshooting has concluded.

Debugging can be disabled using the following command:

>set audit syslogParams -loglevel EMERGENCY ALERT CRITICAL ERROR WARNING NOTICE INFORMATIONAL

The same process can be done via the Graphical user interface by:

  • Navigating to Configuration > System > Auditing > Settings > Change Auditing Syslog Settings
  • Check DEBUG under Log levels during troubleshooting
  • Uncheck DEBUG from Log Levels after troubleshooting is complete

StoreFront Troubleshooting

Fiddler Trace

In addition to verbose tracing on the StoreFront, Fiddler trace can be particularly useful when troubleshooting network issues between StoreFront services and Receiver for Web. For this, Fiddler trace should be enabled in StoreFront (Advanced settings), loopback must also be disabled. The confidentiality and integrity of outbound SSL connections which are proxied through fiddler maybe compromised during traffic capture The procedure of obtaining a fiddler trace must be performed only in a non-production environment and It should be noted that in case explicit authentication is enabled in Receiver for Web, user passwords will appear in the trace as clear text.

To obtain a fiddler trace of the network traffic between Receiver for Web Proxy and the StoreFront services, carry out the following steps:

  • Log in to the StoreFront server as local user with admin privileges
  • Edit the web.config file for Receiver for Web and enable fiddler tracing: <proxy enabled = “true” processName=”Fiddler” port=”8888” />
  • The web.config file is usually located in C:\inetpub\wwwroot\Citrix\StoreWeb\web.config
  • Run IIS Manager and click on Application pools under the server node. Then select the application pool named Citrix Receiver for Web and click Advanced Settings. Change the Application Pool identity to custom account and specify the same account used to log into the StoreFront server
  • Install and run Fiddler on StoreFront Server (logged in with elevated privileges)
  • From Fiddler’s Tools menu, select Fiddler Options. On the HTTPS tab, select Decrypt HTTPS traffic check box.
  • Run Fiddler on the StoreFront server and export all Fiddler sessions, after reproducing the problem
  • After the trace has been captured, log in to the StoreFront server with the same local admin account used while installing Fiddler and follow steps to restore system to its previous state
  • Run IIS Manager and reset identity for Citrix Receiver for Web application pool to the built-in account ApplicationPoolIdentity
  • Uninstall Fiddler
  • Run certmgr.msc and remove the Fiddler root certificate “DO_NOT_TRUST_FiddlerRoot” from the Trusted Root Certification Authorities store
  • Edit the web.config file for the Receiver for Web site and disable Fiddler tracing: <proxy enabled = “false” processName=”Fiddler” port=”8888” />

Citrix Profile Management Log Parser

Citrix Profile Management log parser can be used to analyze log files generated by Citrix Profile Management.  This section describes how to use the tool to analyze logs.

The zip file used to install the tool can be found here.

To use the tool, perform the following steps:

  • Launch the tool and enter the name of the remote machine on which the log parser will try to locate the log file
  • On the Open File dialog box, specify the location of the log file
  • If the machine can be reached, the tool tries to locate the UserProfileManager.log file in <systemroot>\system32\LogFiles\UserProfileManager.
  • If the file is not foun, the tool looks into HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Citrix\UserProfileManager\PathToLogFile to retrieve the log file location
  • If no machine name is specified, the local machine is used instead to prompt for a log file
  • The log parser displays the first error found in the log file, the errors are highlighted in red, the logon events appear in green and the logoff events in blue. Service starting and stopping events appear in grey.
  • Find button can be used to search text, filter information, warning and error messages.
  • Filtering based on Date, Time, Type, Username, Domain, Session ID or Thread ID is also possible. “Reset filter” option will clear all previously selected filters.
  • Filtering based on time span between two lines is also possible, this allows for setting custom time span (above 60 seconds) or use the preconfigured time spans of 5, 10 o 30 seconds. The display will be updated to show the time span selected.

Enabling Audit Log within Citrix Provisioning Services

Citrix Provisioning provides an auditing tool that records configuration on components within provisioning farms. The auditing tools saves the information to the provisioning database. It provides Citrix Engineers and Administrators with a way to troubleshoot and monitor any recent changes impacting system behavior or performance. Enabling audit logging is a Citrix leading practice on PVS deployments.

To enable auditing within Citrix Provisioning Services, perform the following steps:

  • In the Citrix Provisioning console, right click on the PVS farm and select Farm Properties option.
  • On the Options tab, under auditing, check the Enable auditing checkbox

The following managed objects within a Citrix Provisioning deployment are audited:

  • Farm
  • Site
  • Provisioning servers
  • Collection
  • Device
  • Store
  • vDisks

Recorded tasks include the following:

  • Citrix Provisioning console
  • MCLI
  • SOAP Server
  • PowerShell

CDFControl

CDFControl is an event tracing tool geared towards capturing Citrix Diagnostic Facility (CDF) trace messages from various Citrix tracing providers.  This tool is particularly useful when troubleshooting issues on specific components of the Citrix environment, such as on the delivery controllers, storefronts, or VDAs. The trace needs to be captured on the components and uploaded to Citrix Insight (https://cis.citrix.com) to be analyzed. Citrix Insight has smart capabilities to identify any discrepancies in configuration and suggests fixes as well.

This utility is available for download on the Citrix Downloads page. It is also available with the download of Citrix Scout utility, which is also equally useful for collecting trace files and troubleshooting various Citrix component issues.

The following steps need to be performed to collect a trace using CDFControl at system startup:

  • Start CDFControl and select Options from the Tools menu.
  • Specify the trace file path in the Startup trace file path for capturing startup trace section. Then click Save.
  • Select the Trace Categories as recommended by Citrix Technical Support.
  • With administrator privileges, select Startup Tracing and click Enable from the Tools menu.
  • After clicking Enable, the animated bar starts scrolling. This does not affect the procedure.
  • Close the CDFControl utility and restart the system after the Startup Tracing is enabled.
  • Start the CDFControl utility. After the system restarts and the error appears, disable the Startup Tracing option by selecting Disable.
  • Disable the Startup Tracing option by selecting Startup Tracing from the Tools menu and clicking Disable as described in the previous steps.
  • Stop the Citrix Diagnostics Facility COM server service.
  • Collect the trace log file (.etl) for analysis in the specified file path as set by the initial steps.
  • Start the Citrix Diagnostics Facility COM server service.
  • Upload trace log file(s) to Citrix Insight (https://cis.citrix.com) to be analyzed

How to Collect Diagnostic Data on Citrix SD-WAN Appliance

While troubleshooting issues relating to Citrix SD-WAN, engineers or administrators must often collect diagnostic data on the Citrix SD-WAN appliance. This section covers the steps required to collect Diagnostic data on the Citrix SD-WAN appliance and how to download it locally for viewing.

To collect diagnostic data, follow the steps listed below:

  • Logon to Citrix SD-WAN UI and navigate to Configuration> System Maintenance> Diagnostics> Diagnostic Data
  • Scroll-down and click Create New
  • Only 5 diagnostic packages ca exist on the system at any given time, delete any unwanted packages
  • Select the file from drop down and click Download Selected
  • To analyze logs, uncompress the vw_sts_dir.zip file and refer the table to look for relevant log files

How to Configure Logging on Citrix Endpoint Management

This section describes the steps required to configure logging on Citrix Endpoint Management.

Perform the following steps to configure logging on Citrix Endpoint Management:

  • In the XenMobile console, click the wrench icon to open the Support page
  • Under Log Operations, click the Log Settings option.
  • Within Log Settings, the following options can be specified:
  • Log Size: Controls the size of the log file and the maximum log file backups retained in the database.
  • Log level: This option is used to change log levels (like Fatal,Error,Warning,Info) or persist settings (log levels persist after reboot)
  • Custom Logger: This option allows administrators to setup custom logging; custom logs require a class name and a log level.
  • Chetan Kini
    Chetan Kini

    Chetan is a consultant focused on virtualization and cloud technologies. Chetan has years of experience in professional and managed services and has specialized in end-user computing with organizations across North America.

Subscribe
Notify of
guest

2 Comments
Inline Feedbacks
View all comments
sai
sai
4 years ago

Thanks a lot for sharing bro.

Ezekiel
Ezekiel
1 year ago

Thanks a lot it do worth it.

Redefine Your Approach to Technology and Innovation

Schedule a call to discover how customized solutions crafted for your success can drive exceptional outcomes, with Ferroque as your strategic ally.