Citrix NetScaler Gateway VPN
Citrix ADC / NetScaler Gateway VPN syslog events covering the full SSL VPN session lifecycle — authentication, login/logout, ICA application launches, TCP/UDP connection statistics, HTTP resource access, client security checks, session timeouts, and license limit alerts.
Quick Start
```bash
uv tool install eventum-generator
git clone https://github.com/eventum-generator/content-packs.git
cd content-packs
eventum generate \
  --path generators/vpn-citrix-netscaler/generator.yml \
  --id vpn-citrix-netscaler \
  --live-mode true
```

Event Types
| Event ID | Description | Frequency | Category |
|---|---|---|---|
| sslvpn-login | SSL VPN session login with client and group info | ~11.1% | authentication |
| aaa-login-failed | Failed authentication with failure reason | ~0.9% | authentication |
| sslvpn-logout | Session end with duration, bytes, and connection stats | ~6.1% | authentication |
| ica-start | Citrix ICA application launch (Workspace apps) | ~20.0% | network |
| ica-end | ICA application terminated with transfer stats | ~13.3% | network |
| tcp-connstat | TCP connection statistics for VPN tunnel | ~22.2% | network |
| udp-flowstat | UDP flow statistics (DNS, NTP, SNMP, etc.) | ~4.4% | network |
| http-request | HTTP resource access through VPN | ~16.7% | network |
| tcp-conn-timedout | VPN connection timed out | ~2.8% | network |
| clisec-check | Client endpoint security compliance check | ~1.7% | security |
| license-limit | VPN license limit reached alert | ~0.8% | security |
Realism Features
- Correlated VPN sessions — login events produce session context consumed by logout with matching user/IP/session ID
- Correlated ICA sessions — ICA start events produce context consumed by ICA end with matching app/UUID/user
- Logout method distribution — UserLogout (55%), TimedOut (25%), AdminLogout (10%), InternalError (5%), ForceLogout (5%)
- Session duration distribution — short, medium, long, workday, and extended durations
- Authentication failure scenarios — 70% real users with typos, 30% attacker-style usernames
- Client security checks with endpoint compliance expressions (AV, firewall, OS version, domain)
Sample Output
```json
{
  "@timestamp": "2026-03-06T10:15:22.000000+00:00",
  "event": {
    "action": "logged-in",
    "category": ["authentication", "session"],
    "dataset": "citrix_adc.log",
    "kind": "event",
    "module": "citrix_adc",
    "outcome": "success",
    "type": ["start", "allowed"]
  },
  "citrix": {
    "device_product": "NetScaler",
    "device_vendor": "Citrix",
    "hostname": "NSGW-01",
    "name": "SSLVPN LOGIN",
    "session_id": "3847291"
  },
  "citrix_adc": {
    "log": {
      "browser_type": "Citrix Workspace 24.3.0.36",
      "client_ip": "198.51.100.42",
      "group": "VPN_Users",
      "session_id": "3847291",
      "sslvpn_client_type": "ICA",
      "user": "jsmith",
      "vserver": { "ip": "10.200.1.10", "port": 443 }
    }
  },
  "observer": {
    "product": "Netscaler",
    "type": "firewall",
    "vendor": "Citrix"
  },
  "user": { "name": "jsmith", "domain": "corp.example.com" }
}
```

Parameters
| Parameter | Default | Description |
|---|---|---|
| hostname | NSGW-01 | NetScaler Gateway hostname |
| domain | corp.example.com | Domain for FQDN and user domain |
| vserver_ip | 10.200.1.10 | VPN virtual server IP |
| nat_ip | 203.0.113.50 | NAT/mapped IP address |
| agent_id | c3d4e5f6-... | Filebeat agent ID |
| agent_version | 8.17.0 | Filebeat version |
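
The following is an added example, not part of the content pack: a detection check that reads generated events as JSON lines and flags a user whose successful `sslvpn-login` is followed by another from a different client IP within a time window. It reads only fields shown in Sample Output; the function names, the 30-minute window, the user `adoe` and all sample events are constructed assumptions.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

def login(ts, user, ip, sid):
    # Constructed event carrying only the fields this check reads,
    # named as in the page's Sample Output.
    return json.dumps({
        "@timestamp": ts,
        "event": {"action": "logged-in", "outcome": "success"},
        "citrix_adc": {"log": {"client_ip": ip, "session_id": sid, "user": user}},
    })

SAMPLE_LINES = [  # constructed input, not real telemetry
    login("2026-03-06T10:15:22.000000+00:00", "jsmith", "198.51.100.42", "3847291"),
    login("2026-03-06T10:20:00.000000+00:00", "adoe", "198.51.100.7", "3847292"),
    login("2026-03-06T10:31:05.000000+00:00", "jsmith", "203.0.113.99", "3847300"),
    login("2026-03-06T14:00:00.000000+00:00", "adoe", "198.51.100.8", "3847400"),
    "not json",  # a garbled line must not stop the check
]

def multi_ip_logins(lines, window=timedelta(minutes=30)):
    """Return (user, earlier_ip, later_ip, later_session_id) for each successful
    login that follows one by the same user from a different client IP."""
    events = []
    for line in lines:
        try:
            ev = json.loads(line)
            log = ev["citrix_adc"]["log"]
            if (ev["event"]["action"], ev["event"]["outcome"]) != ("logged-in", "success"):
                continue
            events.append((datetime.fromisoformat(ev["@timestamp"]),
                           log["user"], log["client_ip"], log["session_id"]))
        except (ValueError, KeyError, TypeError):
            continue  # skip malformed or unrelated events
    recent = defaultdict(deque)  # user -> (timestamp, client_ip) inside the window
    alerts = []
    for ts, user, ip, sid in sorted(events):  # syslog can arrive out of order
        seen = recent[user]
        while seen and ts - seen[0][0] > window:
            seen.popleft()  # expire logins older than the window
        prev_ip = next((p for _, p in seen if p != ip), None)
        if prev_ip is not None:
            alerts.append((user, prev_ip, ip, sid))
        seen.append((ts, ip))
    return alerts

if __name__ == "__main__":
    for alert in multi_ip_logins(SAMPLE_LINES):
        print(alert)
```
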
Related Generators
Nginx Access & Error Logs
Nginx reverse proxy and web server — access logs with upstream timing, error logs with module context, bot/crawler traffic, scanner probes, and correlated 4xx/5xx error entries.
Apache HTTP Server
Apache httpd access and error logs — page/asset/API requests, bot crawlers (Googlebot, GPTBot), scanner probes, 3xx redirects, and correlated 4xx/5xx error log entries with module context.
Cisco AnyConnect VPN
Cisco ASA AnyConnect SSL VPN — session lifecycle from RADIUS authentication through tunnel establishment, IP assignment, DAP policy evaluation, session roaming between gateways, to graceful disconnection.