Skip to main content
adem_netsys
adem_netsys
Explorer III
May 29, 2025
Question

Get Windows Log with Citrix LB

  • May 29, 2025
  • 3 replies
  • 1016 views

Hi guys,

 

We want to get the collectors behind LoadBalancer. We have no problem with syslog, but we get Windows logs with agent and we can see the logs with tcpdump but we cannot see them on GUI. What could be the reason for this?

 

Thanks in advance

    3 replies

    lbahtarliev
    lbahtarliev
    New Member
    May 30, 2025

    Hello there,

    Did you also created a service on the LB that is publishing port 443 to the collectors? The agents upload logs via HTTPS, so if you do not create a HTTPS service and just point them to the LB VIP Address, they won't work. Also, did you have certificate validation enabled in the windows agents' configuration? If yes, did you use a trusted certificate on the HTTPS service on the LB? Finally, check /var/log/httpd/ssl_access_log, ssl_request_log, ssl_error_log via CLI on your collectors. Do you see requests coming from the IP Address of the Citrix appliance? 
    Let me know the answers and results and I can help you further. 

     

    Cheers,

    Lyuben

    adem_netsys
    adem_netsysAuthor
    Explorer III
    May 31, 2025

    Hi @lbahtarliev 

     

    We did 443 routing on LB and on the windows side we are routing to the public ip of the collector, but we did not do certificate validation. When we check the /ssl_access_log output on the collector, we see 200 output.

    lbahtarliev
    lbahtarliev
    New Member
    June 3, 2025

    Hi @adem_netsys ,

    Sorry for my delayed response. I was on a business trip without time to check the community. 

    A few things to look at:

    1. What is the IP address in the ssl_access_log you see on the collectors?
    2. Do you see the agents registered in: Admin -> Health -> Agent Health? What is their status and the IP Address (is it the actual windows machine IP Address or other, maybe the one of the load balancer backend i.e. SNIP) there?
    3. Did you setup a proper Host to Template Association in Admin -> Setup -> Windows Agent? Especially defined the devices, as well as defined Virtual Collector(s) pointing to the VIP Address/Hostname of the Load Balancer?
    4. Can you check if by any chance you are not receiving these windows agents logs from the LB SNIP? I mean run a query where reporting IP is the LB backend IP it uses to connect to the collectors (in Citrix world it is called SNIP - Source Network IP)?

    Cheers,

    Lyuben

    adem_netsys
    adem_netsysAuthor
    Explorer III
    June 4, 2025

    Hi @lbahtarliev 

    No problem,

    In ssl_access_log, I search for win internet exit ip and I see 200 output. Agent status running active but event status is empty because there is no log.

     

    cat /etc/httpd/logs/ssl_access_log | grep "Winsource public ip"
    "Winsource public ip"- - [03/Jun/2025:01:00:40 +0300] "PUT /phoenix/rest/windowsAgent/update HTTP/1.0" 200 280

     

     

    Ekran görüntüsü 2025-06-04 184548.png

    lbahtarliev
    lbahtarliev
    New Member
    June 7, 2025

    Hmmm, I am starting to get the puzzle together. Indeed a scheme or diagram of your complete setup and architecture would have been nice. :) 

    Anyways. The log you showed me I am almost certain you found this in the supervisor ssl_access_log? Or not? By default, the win agent puts health data to supervisor, to the URL you sent from the ssl_access_log.

    do check the same log file on the collector. 

    In the windows agent configuration, host to template association choose the windows agent device from the CMDB (you should have it there if it was able to successfully reach the supervisor and register during installation). Then remove select all and any collectors if selected in the host to template association, enter the public VIP address/hostname of the LB that is publishing the collectors https port to the virtual collector field. Save, apply and pray :)

     

    BR

    Terms & ConditionsAccessibility statement