Collect Citrix StoreFront logs
This document explains how you can ingest Citrix StoreFront logs to Google Security Operations using Bindplane.
Citrix StoreFront is a web application that provides an enterprise application store for Citrix virtual desktops and applications. It authenticates users to Citrix Virtual Apps and Desktops sites and aggregates available resources into a single portal. StoreFront writes authentication, session launch, and service events to the Windows Event Log under Citrix-prefixed event sources.
Before you begin
Make sure you have the following prerequisites:
- A Google SecOps instance
- Windows Server 2016 or later with
systemd - Network connectivity between the Bindplane agent and the internet
- If running behind a proxy, ensure firewall ports are open per the Bindplane agent requirements
- Administrative access to the Windows Server hosting Citrix StoreFront
- Citrix StoreFront 2308 or later installed and configured
Get Google SecOps ingestion authentication file
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Collection Agents.
- Download the Ingestion Authentication File. Save the file securely on the system where Bindplane will be installed.
Get Google SecOps customer ID
- Sign in to the Google SecOps console.
- Go to SIEM Settings > Profile.
- Copy and save the Customer ID from the Organization Details section.
Install the Bindplane agent
Install the Bindplane agent on your Windows operating system according to the following instructions.
Windows installation
- Open Command Prompt or PowerShell as an administrator.
Run the following command:
msiexec /i "https://github.com/observIQ/bindplane-agent/releases/latest/download/observiq-otel-collector.msi" /quietWait for the installation to complete.
Verify the installation by running:
sc query observiq-otel-collector
The service should show as RUNNING.
Additional installation resources
For additional installation options and troubleshooting, see Bindplane agent installation guide.
Configure the Bindplane agent to ingest Windows Event Logs and send to Google SecOps
Locate the configuration file
- Open Command Prompt as an administrator.
Navigate to the Bindplane agent installation directory and open the configuration file:
notepad "C:\Program Files\observIQ OpenTelemetry Collector\config.yaml"
Edit the configuration file
Replace the entire contents of
config.yamlwith the following configuration:receivers: windowseventlog/storefront_application: channel: Application raw: true start_at: end operators: - type: filter expr: 'record["source_name"] matches "^Citrix"' processors: batch: exporters: chronicle/storefront: compression: gzip creds: '{ "type": "service_account", "project_id": "YOUR_PROJECT_ID", "private_key_id": "YOUR_PRIVATE_KEY_ID", "private_key": "-----BEGIN PRIVATE KEY-----\nYOUR_PRIVATE_KEY\n-----END PRIVATE KEY-----\n", "client_email": "YOUR_CLIENT_EMAIL", "client_id": "YOUR_CLIENT_ID", "auth_uri": "https://accounts.google.com/o/oauth2/auth", "token_uri": "https://oauth2.googleapis.com/token", "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs", "client_x509_cert_url": "YOUR_CERT_URL" }' customer_id: 'YOUR_CUSTOMER_ID' endpoint: malachiteingestion-pa.googleapis.com log_type: 'CITRIX_STOREFRONT' override_log_type: false raw_log_field: body service: pipelines: logs/storefront: receivers: - windowseventlog/storefront_application processors: - batch exporters: - chronicle/storefront
Configuration parameters
Replace the following placeholders with your actual values:
Exporter configuration:
YOUR_PROJECT_ID: The project ID from your ingestion authentication fileYOUR_PRIVATE_KEY_ID: The private key ID from your ingestion authentication fileYOUR_PRIVATE_KEY: The private key from your ingestion authentication file (ensure proper escaping of newlines)YOUR_CLIENT_EMAIL: The client email from your ingestion authentication fileYOUR_CLIENT_ID: The client ID from your ingestion authentication fileYOUR_CERT_URL: The client x509 certificate URL from your ingestion authentication fileYOUR_CUSTOMER_ID: Your Google SecOps customer ID
Regional endpoint configuration:
- For US region, use:
malachiteingestion-pa.googleapis.com - For Europe region, use:
europe-malachiteingestion-pa.googleapis.com - For Asia Southeast region, use:
asia-southeast1-malachiteingestion-pa.googleapis.com - See Regional Endpoints for the complete list
- For US region, use:
Example:
exporters: chronicle/storefront: compression: gzip creds_file_path: 'C:\Program Files\observIQ OpenTelemetry Collector\ingestion-auth.json' customer_id: 'YOUR_CUSTOMER_ID' endpoint: malachiteingestion-pa.googleapis.com log_type: 'CITRIX_STOREFRONT' override_log_type: false raw_log_field: body
Save the configuration file
- After editing, save the file:
- Click File > Save
- Close Notepad
Restart the Bindplane agent to apply the changes
To restart the Bindplane agent in Windows:
Choose one of the following options:
- Command Prompt or PowerShell as administrator:
net stop observiq-otel-collector && net start observiq-otel-collector- Services console:
- Press
Win+R, typeservices.msc, and press Enter. - Locate observIQ OpenTelemetry Collector.
- Right-click and select Restart.
- Press
Verify the service is running:
sc query observiq-otel-collectorCheck logs for errors:
type "C:\Program Files\observIQ OpenTelemetry Collector\log\collector.log"
Configure Citrix StoreFront event logging
By default, StoreFront 2311 and later versions log messages of level Error, Warning, and Info. For earlier versions (2308 and below), only Error-level messages are logged by default.
Enable verbose logging (optional)
To increase the logging detail for troubleshooting purposes:
- Sign in to the StoreFront server with local administrator privileges.
- Open PowerShell as an administrator.
Run the following command to enable verbose logging for all services:
Set-STFDiagnostics -All -TraceLevel "Verbose" -confirm:$FalseAfter troubleshooting, revert the logging level to default:
Set-STFDiagnostics -All -TraceLevel "Info" -confirm:$False
Verify Windows Event Log events
- Press
Win+R, typeeventvwr.msc, and press Enter to open Event Viewer. - Navigate to Application and Services Logs > Citrix Delivery Services.
- Verify that events are being logged for authentication, stores, and Receiver for Web sites.
- Navigate to Windows Logs > Application.
- Filter events by source names starting with Citrix to verify application-level events are being generated.
Configure event log throttling (optional)
StoreFront supports event log throttling to limit the number of duplicate events. To configure throttling:
- Navigate to the StoreFront service configuration directories on the server:
- Authentication service:
C:\inetpub\wwwroot\Citrix\Authentication - Store:
C:\inetpub\wwwroot\Citrix\<storename> - Receiver for Web site:
C:\inetpub\wwwroot\Citrix\<storename>\Web
- Authentication service:
- Open the
web.configfile in each directory using a text editor. Locate the
loggerelement and configure the throttling parameters:<logger duplicateInterval="00:01:00" duplicateLimit="10">duplicateInterval: The time period (hours:minutes:seconds) over which duplicate log entries are monitoredduplicateLimit: The number of duplicate entries that must be logged within the interval to trigger throttling
Save the configuration files.
For more information, see the Citrix StoreFront log files documentation.
UDM mapping table
| Log Field | UDM Mapping | Logic |
|---|---|---|
OpcodeValue_label |
additional.fields |
Merged |
Opcode_label |
additional.fields |
Merged |
ThreadID_label |
additional.fields |
Merged |
X-Citrix-Via_label |
additional.fields |
Merged |
XCitrixGateway_label |
additional.fields |
Merged |
keyword_label |
additional.fields |
Merged |
_vulns |
extensions.vulns.vulnerabilities |
Merged |
_intermediary |
intermediary |
Merged |
_intermediary_controller |
intermediary |
Merged |
_intermediary_hypervisor |
intermediary |
Merged |
_intermediary_storefront |
intermediary |
Merged |
description |
metadata.description |
Directly mapped |
EventTime |
metadata.event_timestamp |
Parsed as RFC3339 |
Machine.CreatedDate |
metadata.event_timestamp |
Parsed as RFC3339 |
Machine.LastDeregisteredDate |
metadata.event_timestamp |
Parsed as RFC3339 |
Machine.ModifiedDate |
metadata.event_timestamp |
Parsed as RFC3339 |
Machine.PoweredOnDate |
metadata.event_timestamp |
Parsed as RFC3339 |
Machine.RegistrationStateChangeDate |
metadata.event_timestamp |
Parsed as RFC3339 |
Session.EndDate |
metadata.event_timestamp |
Parsed as RFC3339 |
Session.StartDate |
metadata.event_timestamp |
Parsed as RFC3339 |
event_date |
metadata.event_timestamp |
Parsed as RFC3339 |
has_principal |
metadata.event_type |
Mapped: true → NETWORK_CONNECTION, true → STATUS_UPDATE |
EventID |
metadata.product_event_type |
Directly mapped |
RecordNumber |
metadata.product_log_id |
Directly mapped |
Machine.AgentVersion |
metadata.product_version |
Renamed/mapped |
_network |
network |
Renamed/mapped |
_principal |
principal |
Renamed/mapped |
Channel_label |
security_result.about.resource.attribute.labels |
Merged |
severity |
security_result.severity |
Mapped: (?i)Info → INFORMATIONAL, (?i)Error → ERROR, (?i)Warning → MEDIUM |
SeverityValue |
security_result.severity_details |
Directly mapped |
Connection.ConnectedViaHostName |
src.hostname |
Directly mapped |
_target |
target |
Renamed/mapped |
| N/A | extensions.auth.auth_details |
Constant: ACTIVE |
| N/A | extensions.auth.type |
Constant: MACHINE |
| N/A | metadata.event_type |
Constant: GENERIC_EVENT |
| N/A | metadata.product_name |
Constant: Monitor Service OData |
| N/A | metadata.vendor_name |
Constant: Citrix |
| N/A | security_result.severity |
Constant: INFORMATIONAL |
Need more help? Get answers from Community members and Google SecOps professionals.