dissect.target icon indicating copy to clipboard operation
dissect.target copied to clipboard
verified publisher icon fox-it

Add Citrix NetScaler techsupport collector as Target

Open lhaagsma opened this issue 4 months ago • 2 comments

Lets consider creating Dissect support for Citrix NetScaler techsupport collector packages (tar.gz) and parse them as Targets.

Generates a gzipped tar archive of system configuration data and statistics. To minimize archive file size newnslog collection is restricted to 500mb, 6 files, or 7 days, whichever occurs first. If the files under /var/log/ grow bigger, the entire file copy is avoided and few lines from those log files are copied. If older data is needed, it may require manual collection.

Link: https://developer-docs.netscaler.com/en-us/adc-command-reference-int/current-release/utility/techsupport.html Alternative link: https://support.citrix.com/support-home/kbsearch/article?articleNumber=CTX222958

The collector contains artifacts similar to an extend as Acquire, but the added benefit is that an organization might have made them historically.

Contents:

/etc/
/nsconfig/
/shell/
/var/

lhaagsma avatar Aug 21 '25 08:08 lhaagsma

collector_P_10.164.0.3_22Oct2025_11_31.tar.gz

Attached is a techsupport package that can be checked in and used for testing:

> show techsupport
 
showtechsupport data collector tool - $Revision$!
NetScaler version 14.1
Creating /var/tmp/support ....
The NS IP of this box is 10.164.0.3
This is not HA configuration
Running shell commands ....
Running CLI show commands ....
Done
Collecting ns running configuration....
Collecting running gslb configuration....
Running CLI stat commands ....
Done
Running vtysh commands ....
Copying ZebOS_dyn_route.conf file ....
Copying core files from /var/core ....
Copying core files from /var/crash ....
Copying GSLB location database files ....
Copying GSLB auto sync log files ....
Copying selected configuration files ....
Copying newnslog files ....
Copying Safenet Gateway log files ....
Copying WAF db files ....
NOT Collected !! /var/log/gcp/google-accounts.log.0 is not present OR its size exceeded 500KB
NOT Collected !! /var/log/gcp/google-accounts.log.1 is not present OR its size exceeded 500KB
NOT Collected !! /var/log/gcp/google-accounts.log.2 is not present OR its size exceeded 500KB
NOT Collected !! /var/log/gcp/google-accounts.log.3 is not present OR its size exceeded 500KB
NOT Collected !! /var/log/gcp/google-accounts.log.4 is not present OR its size exceeded 500KB
Collecting static metadata for VPX on GCP ....
ADC is not registered with ADM, Copying upgrade logs
Copying messages, ns.log, dmesg and other log files ....
Copying NextGen API database and configuration files.
Creating archive ....
/var/tmp/support/support.tgz  ---- points to ---> /var/tmp/support/collector_P_10.164.0.3_22Oct2025_11_31.tar.gz
 
showtechsupport script took 0 minute(s) and 36 second(s) to execute.
Done

yunzheng avatar Oct 22 '25 11:10 yunzheng

Created a PR for the loader. We should create one or multiple issues for NetScaler or NetScaler techsupport specfic artifacts that should be parsed.

lhaagsma avatar Oct 22 '25 13:10 lhaagsma