Hi guys,
We want to get the collectors behind a load balancer. We have no problem with syslog, but we get Windows logs with an agent; we can see the logs with tcpdump, but we cannot see them on the GUI. What could be the reason for this?
Thanks in advance
Hello there,
Did you also create a service on the LB that is publishing port 443 to the collectors? The agents upload logs via HTTPS, so if you do not create an HTTPS service and just point them to the LB VIP address, they won't work. Also, did you have certificate validation enabled in the Windows agents' configuration? If yes, did you use a trusted certificate on the HTTPS service on the LB? Finally, check /var/log/httpd/ssl_access_log, ssl_request_log, ssl_error_log via CLI on your collectors. Do you see requests coming from the IP address of the Citrix appliance?
Let me know the answers and results and I can help you further.
Cheers,
Lyuben
Hi @lbahtarliev
We did 443 routing on the LB, and on the Windows side we are routing to the public IP of the collector, but we did not do certificate validation. When we check the /ssl_access_log output on the collector, we see 200 output.
Hi @adem_netsys ,
Sorry for my delayed response. I was on a business trip without time to check the community.
A few things to look at:
Cheers,
Lyuben
Hi @lbahtarliev
No problem,
In ssl_access_log, I search for the Windows internet exit IP and I see 200 output. The agent status is running active, but the event status is empty because there is no log.
cat /etc/httpd/logs/ssl_access_log | grep "Winsource public ip"
"Winsource public ip"- - [03/Jun/2025:01:00:40 +0300] "PUT /phoenix/rest/windowsAgent/update HTTP/1.0" 200 280
Hmmm, I am starting to get the puzzle together. Indeed a scheme or diagram of your complete setup and architecture would have been nice. :)
Anyways. The log you showed me, I am almost certain you found this in the supervisor ssl_access_log? Or not? By default, the Windows agent puts health data to the supervisor, to the URL you sent from the ssl_access_log.
Do check the same log file on the collector.
In the Windows agent configuration, host to template association, choose the Windows agent device from the CMDB (you should have it there if it was able to successfully reach the supervisor and register during installation). Then remove select all and any collectors if selected in the host to template association, and enter the public VIP address/hostname of the LB that is publishing the collectors' HTTPS port in the virtual collector field. Save, apply and pray :)
BR
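Added example, not part of the thread or of any Fortinet tooling: a shell helper for the log check discussed above, showing which endpoints a given source address (the LB's address or an agent's public IP) reaches in an httpd access log, so a 200 on the health-update URL is not mistaken for event upload. The sample lines, the documentation-range addresses and the second request path are constructed placeholders.

```shell
#!/usr/bin/env bash
# Added example: summarise what one source address requests in an httpd access log.

HEALTH_PATH="/phoenix/rest/windowsAgent/update"   # path quoted in the thread

# summarize_access_log <logfile> <source_ip>
# Prints "<count> <method> <path> <status>" for each distinct request kind.
summarize_access_log() {
  awk -v ip="$2" '
    $1 == ip {
      method = $6; sub(/^"/, "", method)      # strip the opening quote
      path = $7;   sub(/\?.*/, "", path)      # drop any query string
      n[method " " path " " $9]++
    }
    END { for (k in n) print n[k], k }
  ' "$1" | sort -k3,3 -k4,4
}

# classify_source <logfile> <source_ip>
# Prints: no-requests | health-only | other-endpoints-seen
classify_source() {
  awk -v ip="$2" -v health="$HEALTH_PATH" '
    $1 == ip { total++; p = $7; sub(/\?.*/, "", p); if (p != health) other++ }
    END {
      if (!total)      print "no-requests"           # nothing arrived from this address
      else if (!other) print "health-only"           # only agent status updates seen
      else             print "other-endpoints-seen"
    }
  ' "$1"
}

# Constructed sample log (placeholder addresses; second path is not a real endpoint).
sample_log() {
  cat <<'EOF'
203.0.113.10 - - [03/Jun/2025:01:00:40 +0300] "PUT /phoenix/rest/windowsAgent/update HTTP/1.0" 200 280
203.0.113.10 - - [03/Jun/2025:01:01:40 +0300] "PUT /phoenix/rest/windowsAgent/update HTTP/1.0" 200 280
198.51.100.7 - - [03/Jun/2025:01:02:05 +0300] "POST /constructed/placeholder/path HTTP/1.1" 200 64
EOF
}

tmp=$(mktemp); sample_log > "$tmp"
summarize_access_log "$tmp" 203.0.113.10
classify_source "$tmp" 203.0.113.10
rm -f "$tmp"
```

Run it on both the supervisor and each collector with the real log path and the address the requests arrive from; behind the LB that is normally the LB's own address rather than the agent's.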
Copyright 2025 Fortinet, Inc. All Rights Reserved.