Citrix NetScaler
NetScaler ADC/Gateway logs: SSL VPN sessions, load-balancer decisions, authentication events and policy matches.
Enginsight Global Fields (4)
Field | Description | Type |
---|---|---|
ngs.id | Unique identifier for the log entry. | string |
ngs.createdAt | Timestamp when the event was created locally. | pdate |
ngs.indexedAt | Timestamp when the log was indexed into the SIEM. | pdate |
ngs.source | Origin or source system of the log. | string |
Reference-Specific Fields (75)
Field | Description | Type |
---|---|---|
netscaler.ClientVersion | Version string of the Citrix Receiver or Workspace app used by the client. | string |
netscaler.nsica_session_acr_count | Number of ICA session ACR (Automatic Connection Reconnect) attempts made. | string |
netscaler.nsica_session_server_ip | IP address of the ICA session's endpoint server. | text_general |
netscaler.app_termination_type | Reason code for how the ICA application session was terminated. | string |
netscaler.ServerPort | TCP port number on the server side of the connection. | pint |
netscaler.SubjectName | Certificate subject name presented during SSL/TLS handshake. | text_general |
netscaler.ClientIP | Source IP address of the client connection. | text_general |
netscaler.channel_id_1_val | Application channel 1 value (e.g., graphics) throughput metric. | plong |
netscaler.client_cookie | Session cookie assigned to the client for load balancing. | string |
netscaler.ica_rtt | Round-trip time in milliseconds for the ICA protocol handshake. | plong |
netscaler.Module | Internal module name generating the AppFlow record. | string |
netscaler.VserverServicePort | Port number of the bound service on the virtual server. | pint |
netscaler.Vserver | Name of the virtual server handling the traffic. | text_general |
netscaler.channel_id | Numeric identifier of the ICA virtual channel in use. | pint |
netscaler.Nat_ip | Translated (NAT) IP address if the client or server was behind NAT. | text_general |
netscaler.Message | Text description or status message for this AppFlow record event. | text_general |
netscaler.SPCBId | ICA session policy controller binding ID. | plong |
netscaler.User | Username authenticated for the session if SSO or LDAP was used. | text_general |
netscaler.channel_id_4_val | Application channel 4 metric (e.g., sound) throughput value. | plong |
netscaler.Sessionid | Unique numeric session identifier assigned by NetScaler. | plong |
netscaler.app_launch_time | Timestamp when the ICA application was launched. | pdate |
netscaler.Backend | Name or IP of the backend service handling the request. | text_general |
netscaler.ProtocolVersion | Version of the SSL/TLS protocol negotiated. | string |
netscaler.serverside_rtt | Round-trip time in milliseconds measured on the server side. | plong |
netscaler.Browser | User-agent string of the browser, if HTTP traffic is proxied. | text_general |
netscaler.ServerIP | IP address of the server endpoint handling the session. | text_general |
netscaler.app_process_id | Process ID of the ICA application on the server side. | plong |
netscaler.SessionID | Alternative numeric session identifier (duplicate of Sessionid). | plong |
netscaler.SSO | Single Sign-On method used (e.g., AD, SAML). | string |
netscaler.nsica_session_server_port | Server-side port used for the ICA session. | pint |
netscaler.Vserver_ip | IP address of the virtual server. | text_general |
netscaler.Errmsg | Error message text if the connection or request failed. | text_general |
netscaler.Session | Alphanumeric session key (string form) assigned internally. | string |
netscaler.Domain | Client's AD domain or user domain name. | text_general |
netscaler.channel_update_end | Timestamp when the dynamic channel update completed. | pdate |
netscaler.clientside_jitter | Network jitter in milliseconds as measured by the client. | plong |
netscaler.timestamp | Timestamp when the AppFlow record was generated. | pdate |
netscaler.nsica_session_reconnect_count | Count of reconnection attempts after ICA session interruption. | plong |
netscaler.IssuerName | Certificate issuer name used in SSL/TLS handshake. | text_general |
netscaler.device_serial_number | Serial number of the NetScaler appliance reporting the record. | plong |
netscaler.nsica_session_client_port | Client-side port used for the ICA session. | pint |
netscaler.Severity | Log severity level (e.g., INFO, WARNING, ERROR). | string |
netscaler.channel_update_begin | Timestamp when a dynamic channel update was initiated. | pdate |
netscaler.startup_duration | Time in milliseconds taken for the session startup phase. | plong |
netscaler.app_name | Name of the ICA application or published resource launched. | text_general |
netscaler.module_path | Internal filesystem path of the module generating the record. | text_general |
netscaler.serverside_packet_retransmits | Number of TCP packet retransmits seen on the server side. | pint |
netscaler.Client_ip | Alternate field name for client IP (duplicate of ClientIP). | text_general |
netscaler.nsica_session_status | Numeric status code for the current ICA session state. | plong |
netscaler.Reason | Textual reason for a session close or error event. | text_general |
netscaler.VserverServiceIP | IP address of the service bound to the virtual server. | text_general |
netscaler.Groups | Comma-separated list of AD groups the user belongs to. | text_general |
netscaler.clientside_txbytes | Number of bytes transmitted from client to server. | plong |
netscaler.launch_mechanism | Method used to launch the ICA application (e.g., HTML5, ICA file). | string |
netscaler.CipherSuite | SSL/TLS cipher suite negotiated for the session. | text_general |
netscaler.session_guid | Globally unique identifier (GUID) for the session instance. | string |
netscaler.connection_priority | Priority level assigned to the connection by the NetScaler policy. | pint |
netscaler.session_end_time | Timestamp marking the end of the session. | pdate |
netscaler.app_termination_time | Timestamp when the ICA application process terminated. | pdate |
netscaler.EventID | Numeric identifier of the AppFlow event type. | plong |
netscaler.ClientPort | Port number on the client side of the connection. | pint |
netscaler.Method | Request method if HTTP traffic is being monitored (e.g., GET, POST). | string |
netscaler.channel_id_5_val | Application channel 5 metric (e.g., clipboard) throughput value. | plong |
netscaler.clientside_packet_retransmits | Number of TCP packet retransmits seen on the client side. | plong |
netscaler.Failure_reason | Detailed text explaining why the session or request failed. | text_general |
netscaler.EventType | High-level string categorizing the AppFlow record (e.g., Flow, Audit, HDX). | text_general |
netscaler.channel_id_2_val | Application channel 2 metric (e.g., file) throughput value. | plong |
netscaler.serverside_jitter | Network jitter in milliseconds as measured by the server. | plong |
netscaler.clientside_rxbytes | Number of bytes received by the client from the server. | plong |
netscaler.clientside_rtt | Round-trip time in milliseconds measured by the client for data packets. | plong |
netscaler.HandshakeTimeMs | Time in milliseconds taken to complete the SSL/TLS handshake. | plong |
netscaler.Endpoint | Requested URI or endpoint path if HTTP monitoring is enabled. | text_general |
netscaler.channel_id_3_val | Application channel 3 metric (e.g., print) throughput value. | plong |
netscaler.flags | Bitmask of flags indicating record attributes (e.g., encryption state). | plong |
netscaler.nsica_session_client_ip | Client IP recorded for ICA session in NetScaler Gateway multi-hop mode. | text_general |
Sample Log Event
Below is a representative JSON log entry showing key fields as they’re emitted by the system. Depending on the context of the event, some fields may be omitted if they’re not applicable.