Citrix Xenserver XenCenter RBAC logging for Mcafee/Nitro SIEM

Wish you could log activity occurring against your XEN Center environment?  I did as well.

I was unable to find any useful Citrix XenServer logging documents that outlined what was being logged, where and the format.  But perhaps they do exist and I would appreciate any community feedback that includes links that I could review.

This was a very important data source in my environment to monitor so I took it upon myself to research viable methodologies and options to get this information into the McAfee SIEM as sadly this didn’t exist as a predefined data source.  Ultimately I settled on the RBAC events as the most viable, easy to ingest, and immediately useful events to pursue.  There are numerous log file sources in XEN but unfortunately the signal to noise ratio tends to be very poor and when coupling that fact with lack of documentation on types and format of log entries in these files it seemed too large of a hurdle to overcome in a short period of time.  Once again any feedback from the community here might be of help and I would welcome it.

So find below my first attempt at incorporating XEN center events into the McAfee SIEM product.  It is incomplete, but still useful in MHO.


The following rules and processes were developed against a Citrix XEN server 6.1 environment but I have reason to believe it should e quite effective against 5.6 and 6.2 pools as well.

My approach:

Targeting the RBAC role based security events which tend to capture a large number of relevant events occuring against the XEN Server environment by admins and automated processes with little to no noise.

To log RBAC activity it is necessary to add the following line to the XEN management server syslog.conf file: \etc\syslog.conf    to send RBAC events via SYSLOG to the McAfee SIEM receiver.  I would do this against the pool master server only, otherwise you will get duplicate events if deployed to more than one server.   Risk note: when the pool master is down you may lose events.

local6.* @mcafeesiemreceiver IPorDNSaddress

* In XEN 6.1 facility local6 appears to be dedicated to RBAC activity and can be instructed to send to syslog destination server.
Custom rules are developed to parse the RBAC data and separate out relevant entries and data.

Custom ASP rules have been developed to parse out relevant events and respective data fields from RBAC syslog entries.

Setting up a data source involves:

  1. Import the latest “XenServer” custom ASP parser rules are imported to the SIEM policy panel.
    WARNING: You will likely want to edit the attached XML policy specification to include Signature ID numbers valid in your deployment or at a minimum specify on import that any duplicates result in a new Signature being created AND NOT TO REPLACE any existing signature IDs.  Otherwise you may delete some of you own created signatures!  example for each rule edit the 5000026 tags.  Also I “Tagged” these XENserver events into a custom “TAG” labelled: XENServer.  You may or may not want this designation which can be changed in the following tag: XenServer.
  2. Adding a Generic Syslog Data source for each XEN pool to be monitored.
  3. Enabling the custom Xenserver ASP rules for just the XenServer data source!
  4. Modify /etc/syslog.conf on Xen server pool master to send local6 events to receiver, and then restart syslog service.

The following events are currently captured, there are more and should appear in subsequent releases of this XENServer ASP parser rule.   Please feel free to modify and contribute!

  • VM.Start
  • VM.set_protection_policy  (unfortunately Citrix XEN in all their wisdom has deprecated this feature in 6.2!)
  • VM.set_name_label
  • VM.set_VCPUs_max
  • VM.Destroy
  • VDI.Destroy
  • Session.Create
  • Message.Destroy
  • Async.VMPP.create (deprecated in Xen6.2)
  • Async.VM.snapshot
  • Async.VM.Provision
  • Async.VM.clone
  • Async.VDI.Destroy

Link to XENCenter SIEM ASP rule file


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )


Connecting to %s