Where multiple administrators make modifications to a XenApp farm, Citrix recommends implementing Configuration Logging. By tracking the changes that each administrator has made to the system and correlating any subsequent issues reported, it is easy to identify any modifications that may need to be rolled back.

For example, if an administrator changes the properties of a published application at 10:00 and help desk associates escalate issues related to multiple sessions being launched by users, it would be simple to correlate that the modification impaired session sharing.

This feature is designed to support basic administrative logging for XenApp. This feature also displays information stored in the logging database via the history node.

Creating the XenApp configuration logging database

The Configuration Logging feature supports Microsoft SQL Server and Oracle databases; for information about supported versions, see CTX114501. In this post I am using Microsoft SQL Server 2008 R2 for the configuration logging database.

Open Microsoft SQL Server Management Studio

On the Databases Node and right click New Database

Enter a name for XenApp 6.5 configuration logging database and click ok.

Defining the Configuration Logging database access permissions

The first time the Configuration Logging feature is enabled; it connects to the Configuration Logging database and discovers that the database schema does not exist. XenApp then creates the database schema, tables, and stored procedures. To create a database schema, XenApp needs full access to the database either using SQL Server authentication or Windows authentication.

Citrix recommended to use Windows authentication as it’s more secure than SQL authentication.

To enable the appropriate access on the data base in SQL Server Management Studio expand the Security node and right click login and then select the New Login

Use the search button find windows domain account you wish to use for authentication to the Database.

In this instance we have created the AD account configlogging solely for the purpose of connecting to the database.

Ensure that the default database is selected as the configuration logging database and click ok.

Next we need to map the created login configlogging to a database user and assign appropriate rights.

In SQL Server Management Studio, expand the Databases node, expand the configuration logging database we created, expand the Security node, right-click Users, and select New User

Add the login configlogging account and grant dbo_owner

After the database schema is created full access will no longer be necessary.  Additional users with less permission can be created; you can read more in our product edoc’s or below in the Defining the Configuration Logging database access permissions… Continued… section.

Defining Database Permissions for Configuration Logging –http://support.citrix.com/proddocs/topic/xenapp6-w2k8-admin/ps-maintain-define-db-perms.html

Configure the Configuration Logging database connection

Now that the configuration logging database has been created we need to configure XenApp to create database schema, tables, and stored procedures.

Open up the App Centre Console, right click the farm and get the farm properties

Select the only available node configuration logging and open the Configure Database…

Choose connection type as SQL

Select your SQL server from the drop down list box, if you have trouble connecting try using the IP address of SQL server.

Check Windows integrated security

Use the account configlogging we created earlier [Domain\Account]

Specify the configuration logging database on the SQL server from the drop down list box

Disable the Use encryption option.

Test the database connection to make sure we have connectivity to the database.

Click Finish to complete the connection settings

Set the Configuration Logging properties

To enable Configuration Logging, select the Log administrative tasks to Configuration Logging database check box. If you want administrators to be able to make changes to the server farm when log entries cannot be saved to the Configuration Logging database, select the Allow changes to the farm when logging database is disconnected check box.

To prompt administrators to enter their credentials before clearing the log, select the require administrators to enter database credentials before clearing the log check box.

Running Configuration Logging Reports

Up until XenApp 5.0, the Configuration Logging was a feature that worked hand in hand with the Report Center node in the XenApp Management Console. The Report Center has been removed starting with XenApp 6. Logging reports have now moved to a new node called “History”.

To run a report right click the History Node and click Get Log. This will generate a configuration log entry of administrative tasks performed on the XenApp Farm.

The configuration log entries are displayed in chronological order, more details about each event can be found in the information panel below.

The Save Log option will let you save an existing configuration log in to a XML file.

The Set filter lets administrators specify certain criteria for reports. We can filter by date and times, administrators and specific item types.

Clear History option will clear existing configuration log entries from the console. If the require administrators to enter database credentials before clearing the log has been enabled, you will be asked for the DB credentials before the log can be cleared.

One last thing to mention in this post, you may want to restrict administrator access to the configuration logging properties at the farm level. This can be done by creating a custom admin group. Apply all the necessary permission needed but uncheck the edit configuration logging settings. The administrator will be still be able run reports through the history node but they cannot change any of the configuration logging properties.

For more detailed information about XenApp 6.5 config logging check our edocs site out:

Logging Administrative Changes to a XenApp Farm

Defining the Configuration Logging database access permissions… Continued…

As requested by one of our readers we will go into some more details about the exact permissions required for Citrix admins using the configuration logging database.

So for example in this scenario I have a Citrix admin called userone (this could also be an admin group). User one needs access to configuration logging, so here is how we go about setting it up:

Open up SQL Management studio, we need to create a new login for our Citrix admin(s) under the security node.

In the user mapping section we need  map our user account to the XenApp 6.5 configuration logging database.  Click ok

Now we need to update the permissions on all the stored procedures found under the XenApp 6.5 configuration logging database highlighted below.

Right click and the properties of the GetCounts Stored Procedure.

We need to add our Citrix admin so they have executable permissions for the stored procedure. Click the search button  to find the user and grant them execute permissions.  Click OK to finish and repeat the above steps on all stored procedures.

Configuration Logging Database Permissions

This section I quickly want to discuss the permission of the database. After the database schema is created, full access is no longer necessary we can scale back the rights for the configlogging account.

The permissions can me amended by right clicking the XenApp 6.5 configuration logging database and select properties. In the permissions section open the explicit tab.

The minimum permission need to the connect to the configuration logging database are:

Connect, Execute, Insert, Select and Update

Click okay to finish.

Posted in Citrix Blogs