Citrix Log Reference

Log Sample

Learn what a raw Citrix event looks like before it’s processed in Logpoint:

Citrix Netscaler v14.1

<134>1 2025-02-06T10:01:10Z domainxxx-xxxxx01 AAA 0-PPE-0 - - default Message 776704 0 : "nFactor: serialized aainfo ctx_hint%xxxxx-xxx-u--xxxx-xxxx"

<134>1 2025-03-20T09:13:24Z xxx-xxxxx01 AAA 0-PPE-0 - - default Message 53579 0 : "SAML nFactor: context found in the url"

<134>1 2025-02-06T10:02:35Z domainxxx-xxxxx01 AAATM 0-PPE-0 - - default Message 776719 0 : "SAML: encryptedKey is properly base64 decoded, result len is 3776"

<134>1 2025-03-20T08:02:31Z dcai-xxxxx01 AAATM 0-PPE-0 - - default Message 53277 0 : "SAML: Processing Logout Message: /cgi/logout"

<133>1 2025-02-06T10:12:53Z domainxxx-xxxxx01 EVENT 0-PPE-0 - - default STATECHANGE 776923 0 : Device "self node 11.22.33.44" - State Secondary (Remote node - Undefined master state, UP)

<134>1 2025-02-06T10:06:19Z domainxxx-xxxxx01 ICA 0-PPE-0 - - default Message 776848 0 : "ns_vpn_csg.c:8168 [TECHSUPPORT][LAUNCH] Message = Received response from STA server {sta-server=11.22.33.44:443,type=ResponseTicketRefresh}"

<134>1 2025-03-20T07:45:14Z xxx-xxxxx01 ICA 0-PPE-0 - - default Message 53174 0 : "ns_vpn_csg.c:3054 [TECHSUPPORT][LAUNCH][Remote ip = 1.2.3.4:5000] [EDT][CGP] [ICAUUID=000aaaaa-aaaa-aaaa-aaaa-eeaaaaaaaaaa] Message = App/Desktop launch initiated {client=1.2.3.4:5000}"

<134>1 2025-02-06T10:14:19Z domainxxx-xxxxx01 PITBOSS1 0-PPE-0 - - default Message 0 0 : "Thu Feb 6 10:14:19 2025 Adding pitboss watch on (47762) for ()"

<134>1 2025-02-07T13:15:51Z domainxxx-xxxxx02 SSLVPN 0-PPE-0 - - default HTTPREQUEST 327693 0 : Context [email protected] - SessionId: 275 - [TECHSUPPORT][ENUMERATION] xxxxxx.domainxxx.dk User xxxuser : Group(s) N/A : Vserver 192.168.1.1:443 - 02/07/2025:13:15:51 GMT : Message = SSO is ON : GET /Citrix/domainxxxWeb/assets/workspace/Login.xxxx.js - -

<134>1 2025-02-07T14:12:24Z domainxxx-nsvpx02 SSLVPN 0-PPE-0 - - default ICAEND_CONNSTAT 328920 0 : [TECHSUPPORT][LAUNCH][TCP][CGP][ICAUUID=0000000-0000-0000-0000-0000000000] Source 2.2.2.2:22222 - Destination 1.2.3.4:3333 - customername - username:domainname useryyy:domainxxx - startTime "02/07/2025:10:01:45 GMT" - endTime "02/07/2025:14:12:24 GMT" - Duration 04:10:39 - Total_bytes_send 29724500 - Total_bytes_recv 3037818 - Total_compressedbytes_send 0 - Total_compressedbytes_recv 0 - Compression_ratio_send 0.00% - Compression_ratio_recv 0.00% - connectionId 0000000

<134>1 2025-03-20T09:14:04Z xxx-xxxxx01 SSLVPN 0-PPE-0 - - default Message 53594 0 : "get_session user: , sessionto: 30000, aaa_info flags 1 flags2 1000, new webview 0, sess flags2 0, flags3 0 flags4 8000 ssoDomain <>, ssoUsername: , ssoUsername2: "

<134>1 2025-03-20T06:17:06Z xxx-xxxxx01 SSLVPN 0-PPE-1 - - default Message 114677 0 : "AAA AUTHV3:webview done, resuming forms, non-owner, sending c2c to owner, flags2 200002, flags3 40080008

<134>1 2025-02-07T14:17:47Z domainxxx-xxxxx02 SSLVPN 0-PPE-0 - - default Message 329064 0 : "ns_ssl_vpn_appflow.c:2087 [TECHSUPPORT][GWINSIGHT] Message = Sent logout record [SessSeq = 116] Username=xxxuser Gwip=1.2.3.4:443 LogoutMode=202 email= TotalBytesSent=1027 TotalBytesRecvd=22470 "

<134>1 2025-03-20T09:14:04Z xxx-xxxxx01 SSLVPN 0-PPE-0 - - default Message 53600 0 : "ns_ssl_vpn_appflow.c:926 [TECHSUPPORT][GWINSIGHT][Remote ip = 1.1.1:5000][AAA Username = xxxyy][BackendIP = 0.0.0.0:80][SessSeq = 75] Insight Username=xxxyy Gwip=1.2.3.4:443 StatusCode=0 CSappid=0 CSAppname=(null) VPNfqdn=xxx.xxx.dk Authtype=0 EPAid=(null) AuthStage=1 AuthDuration=0 AuthAgent= Groupname= Policyname= CurfactorPolname= NextfactorPolname= CSecExpr= Devicetype=0 Deviceid=0 email= Flags=1 Message = Sent auth record"

<134>1 2025-03-20T07:45:14Z xxx-xxxx01 SSLVPN 0-PPE-0 - - default Message 0000 0 : "ns_dtls_udt.c:2284 [TECHSUPPORT][Remote ip = 1.1.1.1:5000][Username = xxxx] Message = DTLSUDT (11111_111111_11) Message = App launch succeeded [LAUNCH][EDT][CGP][ICAUUID=000aaaaa-aaaa-aaaa-0000-aaaaaaaaaaaa] Client - UDT version: 7, windowsize: 32768, initialudtseq: 0x15b02b6, mss: 1500, Server - UDT version: 7, windowsize: 16384, initialudtseq: 0x15b02b6, mss: 1500, AuthType: STA-ICA, ServiceProfile: False, Product: unknown, VdaUuiud: (null), Rendezvous Capability: 0, SSL Version: DTLS1.2, CipherSuite: TLS1.2-ECDHE-RSA-AES-256-SHA384"

Citrix Netscaler

<134>2022-02-18 13:18:01 xxxxxx PPE-0 : SSLVPN ICASTART 524433 : Source xxxxx:122 - Destination xxxxx:88 - username:domainname xxxxx:xxxxx - applicationName abc- Developer Desktop - startTime "07/10/2019:12: 54:47 GMT" - connectionId abc

Citrix Gateway

<30>Feb 22 10:54:19 xxxxx citrix secure gateway[info] 184 Client IP [1.1.1.1:12345] with username [xxxxx] connected successfully to server [1.1.1.2:1441] resource [xxxxx], using protocol [ICA].

Citrix XenMobile

<14>1 2022-09-12T15:08:23.394+02:00 localhost XMS - AdminAudit [@18060 app.name="ApplePush" device.id="xxxxx" event.action="AUTO_ACTION_OPERATION_REQUEST" event.status="SUCCESS" push.device="54" push.id="841" push.info="[UID=841,usr=xxxxx,dev=54\]" push.target="ApplePushTarget[os=iOS, device=xxxxx user=xxxxx type=DEVICE\]" push.user="[email protected]" session.id="xxxxx" user.id=""] {"source":"xxxxx","deviceUser":"[email protected]","deviceIMEI":"35 207475567756006 94590872860 9"}

Citrix XenDesktop

<14>Sep 3 04:49:48 xxxxx Citrix_Configuration_Api: {"EventTime":"2022-09-03 04:49:48","Hostname":"xxxxx","Keywords":"36028797018963968","EventType":"INFO","SeverityValue":2,"Severity":"INFO","EventID":1,"SourceName":"Citrix Configuration Api","TaskValue":1,"RecordNumber":547,"ExecutionProcessID":0,"ExecutionThreadID":0,"Channel":"Citrix Delivery Services","Message":"The web application has started.","Opcode":"Info","EventData":"<Data>The web application has started.</Data>","EventReceivedTime":"2018-09-03 04:49:48","SourceModuleName":"wineventlog_in","SourceModuleType":"im_msvistalog"}

Citrix SDWAN

<132>Aware[2235]: [2019-12-16 09:55:57 UTC] [NOTICE]: AUTHENTICATION Authentication Event UNDEFINED xxxxx (172.20.15.110) logged in as Admin via Local

Last updated 9 hours ago

Was this helpful?

Good evening

hashtagLog Sample

hashtagCitrix Netscaler v14.1

hashtagCitrix Netscaler

hashtagCitrix Gateway

hashtagCitrix XenMobile

hashtagCitrix XenDesktop

hashtagCitrix SDWAN

Log Sample

Citrix Netscaler v14.1

Citrix Netscaler

Citrix Gateway

Citrix XenMobile

Citrix XenDesktop

Citrix SDWAN