Rodrigo Melo Posted October 19, 2017 Share Posted October 19, 2017 Hello I configured the ip reputation in netscaler, I created a responder rule for blocked malicios ip and bind in virtual server. In statistics, I see several hits in the rule, but I can not find the ip's blocked in the logHow I visualize th ip's blocked? Tag "Log in newsnslog" is able Link to comment Share on other sites More sharing options...
Paul Blitz Posted October 19, 2017 Share Posted October 19, 2017 First of all, enabling the "Log in Newnslog" probably doesn't add anything for you, as you are probably only wanting to look in the syslog (newnslog is the binary format log file). What expression did you use in the log action? (That's what defines the detail of what gets written to the syslog file) Link to comment Share on other sites More sharing options...
Rodrigo Melo Posted October 19, 2017 Author Share Posted October 19, 2017 I configure the log action with Log Level = Alert and Expression "true" Link to comment Share on other sites More sharing options...
Rhonda Rowland1709152125 Posted October 19, 2017 Share Posted October 19, 2017 1) Like Paul said, I would keep logging in newnslog off and rely on logging to syslog (default) instead. If the value is off, you will log to syslog (/var/log/ns.log) and if enabled, you are reporting to nslog instead (/var/nslog/newnslog) 2) In your syslog parameters (global setting) or individual syslog policies (if logging to external log location), you need to ENABLE "user configurable log messages". This will allow any policies with audit actions (custom logging) to report in whichever log you expect. If this setting is not enabled, you still won't see the audit logs. 3) Finally, in your responder policy performing the IP_Reputation filtering, configure the appropriate audit log actions. When the policies are hit, your audit actions will now be reported to syslog (or nslog depending on above settings). Link to comment Share on other sites More sharing options...
Rodrigo Melo Posted October 20, 2017 Author Share Posted October 20, 2017 1) Like Paul said, I would keep logging in newnslog off and rely on logging to syslog (default) instead. If the value is off, you will log to syslog (/var/log/ns.log) and if enabled, you are reporting to nslog instead (/var/nslog/newnslog) 2) In your syslog parameters (global setting) or individual syslog policies (if logging to external log location), you need to ENABLE "user configurable log messages". This will allow any policies with audit actions (custom logging) to report in whichever log you expect. If this setting is not enabled, you still won't see the audit logs. 3) Finally, in your responder policy performing the IP_Reputation filtering, configure the appropriate audit log actions. When the policies are hit, your audit actions will now be reported to syslog (or nslog depending on above settings). I will test this in the next week and post the result Thanks everyone for all help Link to comment Share on other sites More sharing options...
Pedro Huaroto M Posted December 8, 2020 Share Posted December 8, 2020 Hi Rodrigo, you manage to have the IPs blocked by iprep in the logs? Thanks you Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now