Using tools to gather external logins to the Citrix Farm
There are a variety of ways to distinguish internal and external users of your Citrix farm. The method we employ is to use the logging that is part of every Citrix Secure Ticket Authority (STA) in your Citrix farm. You can turn on logging on your designated STAs by following the information in this Citrix article: CTX101997. Turning this on gives us the following data in the logs (located in %PROGRAMFILES%\Citrix\Logs\):
...
INFORMATION 2009/05/20:00:13:22 CSG1305 Request Ticket - Successful. A995AD36B87524A208BB23A804AC3110 V1 CSGTestData Thisistheextendeddata
INFORMATION 2009/05/20:00:13:22 CSG1303 Ticket timed out. A8478127C7971E4CD95C28FFD2B85BBE
INFORMATION 2009/05/20:00:13:23 CSG1305 Request Ticket - Successful. FF985D4B11DA3AE7B6CBBAA9CA833415 V1 CSGTestData Thisistheextendeddata
INFORMATION 2009/05/20:00:13:23 CSG1303 Ticket timed out. CDE1751C367B45506481C26727C3E6C1
INFORMATION 2009/05/20:00:13:23 CSG1305 Request Ticket - Successful. 19078A551F501BCC0F77E7361EE76CAD V1 CSGTestData Thisistheextendeddata
INFORMATION 2009/05/20:00:13:23 CSG1303 Ticket timed out. 414CB490647B8A2FCE023D66E7D0850E
... and so on.

You will need to parse for a line like the following:

INFORMATION 2009/05/20:00:13:24 CSG1305 Request Ticket - Successful. 5C6C67EB127CFDB0821DC88CA1C10972 V4 CGPAddress = XXX.XXX.XX.XXX:2598:localhost:1494 Refreshable = false XData = <!--DOCTYPE CtxConnInfoProtocol SYSTEM "CtxConnInfo.dtd"-->XXX.XXX.XX.XXX:1494USER@DOM.COMRemote Desktop AccessICA ICAAddress = XXX.XXX
From the above line we can get the ticket status, the username, the published application, and the target server that hosts the application. When this is parsed and placed in a database, we can associate a time and date with the ticket creation and determine how long the user is logged in and what applications they are running.
To accomplish the data gathering, we use tools from InterSect Alliance, such as Epilog Agent for Windows, to tail the stalog files. This raw data is then sent to a server running Kiwi SysLog. Kiwi parses the data (using a script) and then inserts it into a database table. We’ve found these tools to be inexpensive and to have low resource utilization.
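One way to write the parsing step described above, as an added Python example (not the author's Kiwi script): it parses the STA line layout shown in the excerpt and loads successful ticket requests that carry connection data into SQLite. The sample lines are constructed, and the XData element names (UserName, ApplicationName, ServerAddress) are assumptions, because the markup inside XData did not survive in the excerpt.

```python
import re
import sqlite3
from datetime import datetime

# Header layout as in the log excerpt: level, timestamp, event id, message, ticket id.
HEADER = re.compile(
    r"^(?P<level>[A-Z]+) (?P<ts>\d{4}/\d\d/\d\d:\d\d:\d\d:\d\d) (?P<event>CSG\d+) "
    r"(?P<msg>.+?\.) (?P<ticket>[0-9A-F]{32})(?: (?P<version>V\d+) (?P<rest>.*))?$")
FIELD = re.compile(r"\b(CGPAddress|Refreshable|XData|ICAAddress) = ")  # keys seen in the V4 line
LEAF = re.compile(r"<(\w+)>([^<]*)</\1>")  # any leaf element inside XData
# ASSUMPTION: element names below are hypothetical; check them against your own STA logs.
COLUMNS = {"username": "UserName", "application": "ApplicationName", "server": "ServerAddress"}

# Constructed sample lines (placeholder addresses and user, not real log data).
SAMPLE = [
    "INFORMATION 2009/05/20:00:13:23 CSG1303 Ticket timed out. CDE1751C367B45506481C26727C3E6C1",
    "INFORMATION 2009/05/20:00:13:24 CSG1305 Request Ticket - Successful. "
    "0123456789ABCDEF0123456789ABCDEF V4 CGPAddress = 192.0.2.10:2598:localhost:1494 "
    'Refreshable = false XData = <!DOCTYPE CtxConnInfoProtocol SYSTEM "CtxConnInfo.dtd">'
    "<CtxConnInfo><ServerAddress>192.0.2.10:1494</ServerAddress><UserName>user1@example.com"
    "</UserName><ApplicationName>Remote Desktop Access</ApplicationName><Protocol>ICA"
    "</Protocol></CtxConnInfo> ICAAddress = 192.0.2.10:1494",
    "not an STA line",
]


def parse_sta_line(line):
    """Return a dict for one STA log line, or None if the line does not match."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {k: m[k] for k in ("level", "event", "msg", "ticket", "version")}
    rec["time"] = datetime.strptime(m["ts"], "%Y/%m/%d:%H:%M:%S").isoformat(sep=" ")
    parts = FIELD.split(m["rest"] or "")
    rec["fields"] = {k: v.strip() for k, v in zip(parts[1::2], parts[2::2])}
    rec["xdata"] = dict(LEAF.findall(rec["fields"].get("XData", "")))
    return rec


def load_external_logins(lines, db):
    """Insert successful ticket requests that carry XData into SQLite; return the row count."""
    db.execute("CREATE TABLE IF NOT EXISTS sta_logins "
               "(time TEXT, ticket TEXT, username TEXT, application TEXT, server TEXT)")
    rows = [(r["time"], r["ticket"], *(r["xdata"].get(e) for e in COLUMNS.values()))
            for r in filter(None, map(parse_sta_line, lines))
            if r["event"] == "CSG1305" and r["fields"].get("XData")]
    db.executemany("INSERT INTO sta_logins VALUES (?, ?, ?, ?, ?)", rows)  # parameterized
    return len(rows)
```

The V1 test-data lines and the "Ticket timed out" lines parse but are not inserted, since they carry no XData; lines that do not match the header layout are skipped.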
So, to sum up, we have external users connecting to our Citrix farm, and the STA logs record when they connect, what they run, and what server they connect to. We parse the logs into a database, and that gives us a real-time and historical record of each user’s use of our Citrix farm. The next post will cover gathering average telecommuting statistics from the Internet.