Starting with XenDesktop 7, Citrix stores the data the Desktop Director displays in a SQL database. Citrix opened up this data via a Monitor Service API that uses OData. I’m not going to go deep into the details of the API as it is fairly well documented at the eDocs site. The examples in the documentation show you how to access this data via web browser, Microsoft Excel, and LinqPad. What I want to do in this article is show you how to use PowerShell with this API.
To start out, let’s take a look at the Citrix Monitor Service schema:
Suppose we want to get all sessions as well as all the connections/disconnections to each session. The following URL will return the data we want in XML format.
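The following is an added example, not code from the original post or from Citrix, that retrieves that feed from PowerShell and flattens each session together with its expanded connections. The Delivery Controller host name, the endpoint path under /Citrix/Monitor/OData/v1/Data and the property names used (SessionKey, StartDate, EndDate, ClientName, ClientAddress, LogOnStartDate) are assumptions; the feed embedded at the bottom is constructed by hand so the parser can be tried offline.

```powershell
# Added example (not from the original post): parse a Monitor Service OData feed of
# Sessions with $expand=Connections into PowerShell objects.
# Assumptions: host name, endpoint path and property names below; the sample feed
# is constructed, not captured from a real controller.

# Reads one OData property by local name, honouring m:null="true".
function Get-ODataValue {
    param([System.Xml.XmlElement]$Properties, [string]$Name)
    $node = $Properties.ChildNodes | Where-Object { $_.LocalName -eq $Name }
    if (-not $node) { return $null }
    $isNull = $node.GetAttribute('null', 'http://schemas.microsoft.com/ado/2007/08/dataservices/metadata')
    if ($isNull -eq 'true') { return $null }
    return $node.InnerText
}

# Turns a <feed> of Sessions (with Connections expanded inline) into objects.
function ConvertFrom-MonitorSessionFeed {
    param([Parameter(Mandatory)][xml]$Feed)
    foreach ($entry in $Feed.feed.entry) {
        $props = $entry.content.properties
        # An expanded navigation property is delivered as
        # <link title="Connections"><m:inline><feed><entry>...</entry></feed></m:inline></link>
        $connections = foreach ($link in $entry.link) {
            if ($link.title -ne 'Connections' -or -not $link.inline) { continue }
            foreach ($c in $link.inline.feed.entry) {
                [pscustomobject]@{
                    ClientName     = Get-ODataValue $c.content.properties 'ClientName'
                    ClientAddress  = Get-ODataValue $c.content.properties 'ClientAddress'
                    LogOnStartDate = Get-ODataValue $c.content.properties 'LogOnStartDate'
                }
            }
        }
        [pscustomobject]@{
            SessionKey  = Get-ODataValue $props 'SessionKey'
            StartDate   = Get-ODataValue $props 'StartDate'
            EndDate     = Get-ODataValue $props 'EndDate'     # $null while the session is still open
            Connections = @($connections)
        }
    }
}

# Constructed sample: one closed session with two connections, one open session with none.
[xml]$sample = @'
<feed xmlns="http://www.w3.org/2005/Atom"
      xmlns:d="http://schemas.microsoft.com/ado/2007/08/dataservices"
      xmlns:m="http://schemas.microsoft.com/ado/2007/08/dataservices/metadata">
  <entry>
    <content type="application/xml"><m:properties>
      <d:SessionKey m:type="Edm.Guid">11111111-2222-3333-4444-555555555555</d:SessionKey>
      <d:StartDate m:type="Edm.DateTime">2014-03-01T08:00:00</d:StartDate>
      <d:EndDate m:type="Edm.DateTime">2014-03-01T17:05:00</d:EndDate>
    </m:properties></content>
    <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/Connections" title="Connections">
      <m:inline><feed>
        <entry><content type="application/xml"><m:properties>
          <d:ClientName>WS-100</d:ClientName><d:ClientAddress>10.0.0.10</d:ClientAddress>
          <d:LogOnStartDate m:type="Edm.DateTime">2014-03-01T08:00:00</d:LogOnStartDate>
        </m:properties></content></entry>
        <entry><content type="application/xml"><m:properties>
          <d:ClientName>WS-101</d:ClientName><d:ClientAddress>10.0.0.11</d:ClientAddress>
          <d:LogOnStartDate m:type="Edm.DateTime">2014-03-01T13:30:00</d:LogOnStartDate>
        </m:properties></content></entry>
      </feed></m:inline>
    </link>
  </entry>
  <entry>
    <content type="application/xml"><m:properties>
      <d:SessionKey m:type="Edm.Guid">66666666-7777-8888-9999-000000000000</d:SessionKey>
      <d:StartDate m:type="Edm.DateTime">2014-03-01T09:15:00</d:StartDate>
      <d:EndDate m:type="Edm.DateTime" m:null="true" />
    </m:properties></content>
    <link rel="http://schemas.microsoft.com/ado/2007/08/dataservices/related/Connections" title="Connections">
      <m:inline/>
    </link>
  </entry>
</feed>
'@

ConvertFrom-MonitorSessionFeed $sample |
    Select-Object SessionKey, StartDate, EndDate, @{ n = 'Connections'; e = { $_.Connections.Count } } |
    Format-Table -AutoSize

# Live use against a controller (assumed host and path); the service uses Windows authentication.
# $uri = 'http://ddc01.example.com/Citrix/Monitor/OData/v1/Data/Sessions?$expand=Connections'
# [xml]$feed = (Invoke-WebRequest -Uri $uri -UseDefaultCredentials).Content
# ConvertFrom-MonitorSessionFeed $feed
```

Invoke-WebRequest is used rather than Invoke-RestMethod because the latter unwraps Atom feeds into bare entry elements, which makes the parser's input shape depend on how many entries came back; casting the raw body to [xml] keeps one code path for zero, one or many sessions.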
Citrix acquired EMS Cortex – a cloud control panel company. This web-based control panel allows for provisioning of a multitude of resources including Microsoft Exchange, Citrix XenApp, Microsoft SharePoint, DNS, SQL, Hyper-V, and more.
Citrix announced today that they have acquired a Cloud control panel company called EMS Cortex. EMS Cortex makes a web-based cloud control panel that automates the provisioning of an array of Microsoft Products including Exchange, SharePoint, OCS, Web Hosting, SQL Server, DNS, RDS, Microsoft Dynamics CRM, and Hyper-V. The EMS Cortex control panel also automates the provisioning of Citrix XenApp applications and desktops. I am personally very excited about this news because I use Cortex in my current job at Xcentric.
What is EMS Cortex?
In a multi-tenant hosting environment, it is very important to have a strict provisioning routine to ensure consistency. EMS Cortex makes a web-based control panel that automates the provisioning process used in multi-tenant hosting environments. Cortex provisions Active Directory OUs, user accounts, groups, file shares, SharePoint sites, Citrix XenApp resources, etc. With Cortex, you no longer have to visit multiple consoles to provision a user: set the user up in Cortex and the rest is taken care of. That is good because it takes most of the human error out of provisioning.
As I mentioned before, we use Cortex at Xcentric. Cortex is the centralized provisioning engine for our multi-tenant hosting environment. There are a lot of good things about Cortex and some things I wish I could change (I’ve already started talking with Cortex about the things I wish I could change). I’m hopeful that we, the community, will see even more Citrix-focused integration points in future releases.
How EMS Cortex Works
Cortex is a multi-tier application consisting of the following components:
SQL Database – for configuration, users, customers, auditing and reporting.
Web Services – for real time interaction with Active Directory and other hosted services.
Provisioning Engine – via Microsoft Message Queue (MSMQ), provisioning requests are dispatched to the provisioning engine.
The Cortex web application is loosely coupled with the other Cortex components. This loose coupling has security benefits: because the web server has no dependency on Active Directory, it can operate outside of the managed domain. Cortex can also manage multiple domains.
Now, the things I’m about to share are purely off the top of my head and are not necessarily the direction Citrix intends on taking this product (although I hope they do).
Virtual Machine automation – ok, I kind of cheated on this one because Cortex already integrates with Hyper-V. But that automation is based solely on Microsoft System Center Virtual Machine Manager (SCVMM). So, it would be cool to provision VMs for XenServer and *gasp* VMware. SCVMM is somewhat sketchy with VMware ESX and vSphere, and there is currently no SCVMM integration with XenServer (although there were some screenshots of SCVMM and XenServer at Synergy last year – not sure where that is now). So, either SCVMM will have to amp up its vendor support or Cortex will need to use the vendors’ native APIs for hypervisors besides Microsoft’s.
Cloud bursting – this one goes along with the Virtual Machine automation. Citrix has been working with Amazon Web Services, SoftLayer, and even has their Citrix Cloud Center (C3). So, it would be cool to see some hooks built in for platforms like these. Imagine being able to provision a tenant in one of the vendor clouds instead of provisioning local resources.
Access Gateway Policy provisioning – Cortex provides a lot of self-service functionality for tenants. It would be cool to give tenants the ability to define Access Gateway policies tailored to their own needs without the help of a system administrator.
XenDesktop integration – currently, Cortex only supports hosted apps and desktops via XenApp. It would be nice to see integration with XenDesktop.
PowerShell – the current API for Cortex is a mixture of web services and a somewhat proprietary API for the MSMQ. It would be cool to see some PowerShell cmdlets to interface with the provisioning lifecycle.
Workflow Studio – Citrix Workflow Studio is all about infrastructure automation/orchestration. Wouldn’t it be cool if Workflow Studio had activities that used the Cortex provisioning engine to create a user? Workflow Studio already has an activity to create Active Directory users, but imagine an activity that used Cortex to create the user instead – thus provisioning all the other “stuff” like Exchange, SharePoint, file system, website access, etc. as well. That would be cool.
Storage provisioning – one piece that we still have to provision manually at Xcentric is dedicated storage for each tenant. It would be cool to see some kind of storage provisioning system – maybe pull in the StorageLink group?
Single tenant support – For the near term, the Cortex Cloud Control Panel will be offered as a standalone product on a subscription basis, as it was prior to the acquisition. Cortex is great for multi-tenant environments, but it is also very helpful in a single tenant environment. So, it would be cool to see Cortex rolled into one of the editions of XenDesktop or XenApp.
Postini integration – this is another feature that currently isn’t offered by Cortex. Granted, Google gives you a cool utility to sync users with LDAP directories, but it would be even cooler if Cortex worked with the Postini APIs directly.
I could keep making this list for a while. Needless to say, I’m very excited about this acquisition.
This is the fifth part in a series on Citrix XenApp Configuration Logging. This part will focus on the database schema, the information contained in the database, and how to decode certain parts of the data.
This is the fifth part in the Citrix Configuration Logging Series. In part 1, we discussed what Citrix Configuration Logging is. In part 2, we discussed how to prepare the database to log configuration changes. In part 3, we discussed how to set up the Citrix XenApp farm for Configuration Logging. In part 4, we looked at the “out of the box” reporting tools. In this part, we will look at the back end database schema.
Schema on the Surface
Here is what the database schema looks like on the surface.
Just 3 tables – looks pretty easy… But, if you look at some of the data in those tables, things become less obvious. Let’s break each table down:
CtxLog_AdminTask_LogEntry – Every change to the XenApp farms creates a new row here.
Unique Identifier (primary key)
I honestly don’t know why this is here. It seems like it might be some kind of farm identifier, but you can only have one farm per database.
This holds events that happen on the log (database) as a whole. This is a numeric value that corresponds to an enumeration. Possible values are:
Date/Time the change occurred.
The user that made the change.
The SID of the user that made the change.
Hostname of server that joins the farm.
SID of a server that joins the farm.
IMA server used to make the change – remember that every change has to go through IMA.
SID of the host HostName above.
Status of the change. This is a numeric value that corresponds to an enumeration. Possible values are:
0 = Success
1 = Neither success nor failure
2 = Failure
CtxLog_AdminTask_Object – Object(s) changed.
Unique Identifier (primary key)
Again – don’t know why this is here.
Foreign key to CtxLog_AdminTask_LogEntry table.
Another one I’m not sure about.
Enumeration – type of task performed:
0 = None
1 = Created
2 = Modified
3 = Removed
Enumeration – type of object changed:
0 = Application
1 = Application Isolation Environment (AIE)
2 = AIE Application
4 = Farm
5 = File Type Association
6 = Folder
7 = Installation Manager Application
8 = Printer
9 = Server
10 = Server Group
11 = User
12 = Policy
13 = Monitoring Profile
14 = Load Manager
15 = Virtual IP Farm Range
16 = Virtual IP Server Range
17 = Print Driver
18 = Database
19 = Zone
Name of the object changed.
Internal object ID. More specifically, this value comes from the object’s ID property in MFCOM.
XML field. Holds before and after values.
ID of field in language specific resource file.
CtxLog_AdminTask_ReferenceList – Some objects reference other objects. For instance, a published application can reference many server objects. This table keeps track of changes to referenced objects.
Unique Identifier (primary key)
Foreign key to CtxLog_AdminTask_Object table.
Same as parent table.
Tab delimited list of the names of the original referenced objects.
Tab delimited list of internal object IDs of the original referenced objects.
Tab delimited list of the names of the added referenced objects.
Tab delimited list of internal object IDs of the added referenced objects.
Tab delimited list of the names of the removed referenced objects.
Resource IDs of added objects.
Resource IDs of removed objects.
As stated above, the PropertyList field in the CtxLog_AdminTask_Object table is an XML field. This field maps out the before and after values of each property of an object after a change. Here is an excerpt of what a PropertyList field looks like:
Notice that each property has a value where original=”0” or original=”1”. If the two values are different, that is a change. Original=”1” is the before value and original=”0” is the after value (that seems backwards to me). So, from the excerpt above, we can see that “Notepad” was renamed to “Notepad – test”.
Several of the fields have “ResID” somewhere in their name. This is short for Resource ID. The values in these fields are numeric and correspond to a language specific Resource File. For instance, the nameresid in the excerpt above is 290042. This maps to “Display Name” in the en-US resource file; however, 290042 maps to “Anzeigename” in the de-DE resource file. The resource file(s) used to decode the numbers can be found on the computer running the AMC at:
The English resources are located in ConfigurationLoggingReport.dll. Other localized languages can be found in a subdirectory of the path given above. For instance, the German language resources would be in:
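As an added example (not code from the original post or from Citrix), here is a PowerShell function that turns a PropertyList value into a list of changed properties and maps the ResID to a display name. The post only establishes that each value carries original="0" (after) or original="1" (before) and that the property carries a nameresid; the element names properties/property/val and the second resource ID in the sample are assumed, and the tiny resource map stands in for the real one that comes out of ConfigurationLoggingReport.dll on the AMC computer. The database connection string in the second function is likewise an assumption; only the table and column names come from the post.

```powershell
# Added example (not from the original post): decode a PropertyList XML field into
# before/after changes. Element names and the resource map are assumptions.

function ConvertFrom-CtxPropertyList {
    param(
        [Parameter(Mandatory)][string]$PropertyListXml,
        [hashtable]$ResourceMap = @{}     # ResID -> display name for one language
    )
    [xml]$doc = $PropertyListXml
    foreach ($prop in $doc.properties.property) {
        $values = @($prop.val)
        # original="1" holds the value before the change, original="0" the value after
        $before = ($values | Where-Object { $_.original -eq '1' } | Select-Object -First 1).'#text'
        $after  = ($values | Where-Object { $_.original -eq '0' } | Select-Object -First 1).'#text'
        if ($before -ceq $after) { continue }   # property was written but not changed
        $resId = [int]$prop.nameresid
        $name  = if ($ResourceMap.ContainsKey($resId)) { $ResourceMap[$resId] } else { "ResID $resId" }
        [pscustomobject]@{ ResId = $resId; Name = $name; Before = $before; After = $after }
    }
}

# Live use: decode every PropertyList in the logging database (connection string assumed;
# the table and column names are the ones the post describes).
function Get-CtxLogChanges {
    param([Parameter(Mandatory)][string]$ConnectionString, [hashtable]$ResourceMap = @{})
    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    $conn.Open()
    try {
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT PropertyList FROM CtxLog_AdminTask_Object WHERE PropertyList IS NOT NULL'
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) {
            ConvertFrom-CtxPropertyList -PropertyListXml ([string]$reader.GetValue(0)) -ResourceMap $ResourceMap
        }
        $reader.Close()
    } finally { $conn.Close() }
}

# Constructed sample. 290042 -> "Display Name" is the en-US mapping the post gives;
# 290043 is a made-up second ID used only to show an unchanged property being skipped.
$resourceMap = @{ 290042 = 'Display Name' }
$sampleList = @'
<properties>
  <property nameresid="290042">
    <val original="1">Notepad</val>
    <val original="0">Notepad - test</val>
  </property>
  <property nameresid="290043">
    <val original="1">C:\Windows\notepad.exe</val>
    <val original="0">C:\Windows\notepad.exe</val>
  </property>
</properties>
'@

ConvertFrom-CtxPropertyList -PropertyListXml $sampleList -ResourceMap $resourceMap | Format-Table -AutoSize
# Get-CtxLogChanges -ConnectionString 'Server=sql01\CTX;Database=CtxConfigLog;Integrated Security=True' -ResourceMap $resourceMap
```

Pass a de-DE map instead of the en-US one and the same 290042 row comes out labelled “Anzeigename”, which is the whole point of keeping the language-specific resource lookup separate from the diffing logic.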
This concludes our “behind the scenes” look at the database schema. Now that we know exactly what information is stored in the database and how to decipher the data, we will look at how to do some custom reporting in the final post in this series.
This is the third part in a series on Citrix XenApp Configuration Logging. This part will show you how to configure your Citrix XenApp farm for Configuration Logging, what all the settings mean, what happens when you configure your farm for logging, what happens when things go wrong, and more.
This is the third part in the Citrix Configuration Logging Series. In part 1, we discussed what Citrix Configuration Logging was. In part 2, we discussed how to prepare the database to log configuration changes. In this part, we will discuss how to set up the Citrix XenApp farm to use the database and what happens under the covers when we do this.
Configuring the Citrix XenApp Farm to use the Database
You use the Access Management Console to configure the XenApp farm for Configuration Logging. Configuration Logging is a farm setting, so once you open the Access Management Console, simply right-click your farm name and select “Properties”. Select “Configuration Logging” from the Farm-wide properties.
Now, we need to point our farm to the database we created before. To do this, click the “Configure Database…” button to start the database configuration wizard.
The screen shot above is pretty self-explanatory, but here are a couple of tips:
Even though there is a drop down next to the “Server name” box, the discovery does not always work. I suggest just typing in the database server name or IP address.
Be sure to specify server\instance if you are not using the default database instance.
If using Windows integrated security, type domain\username in the “User name” field.
Keep in mind that the user name and password are saved in the data store. Use a dedicated account for this purpose, and either make sure its password does not expire or remember to update this setting when the password does expire.
Discovery does not work well with the database name on the next step either. Again, you will most likely have to type in the database name.
The screen shot above shows a lot of settings, but there is not a lot of explanation of what these settings do. Remember, Configuration Logging is built on top of ADO.NET. In order to make sense of these settings, you can look at ADO.NET properties. So, here ya go:
Connection time-out (seconds) – how long ADO.NET waits while trying to establish a connection to the database server before giving up (this is the Connect Timeout setting, not a per-command timeout). If the farm cannot connect to the logging database in 20 seconds, you’ve got a problem.
Packet size (bytes) – the size of the network packet. 8192 is the default. This value can be anywhere from 512 to 32767.
Use encryption – more on this in a minute…
Connection pooling enabled – connection pooling is just like session sharing. Building up and tearing down database connections can be an expensive process. Connection pooling allows a connection to stay up for an amount of time before closing just in case another database request comes in. If another database request comes in before the time out, the request will use the same connection.
Minimum pool size – specifies the minimum number of connections to maintain in a pool. If you set this number to 3, for example, ADO.NET would create 3 connections the first time you connect to the server. Zero is the ADO.NET default.
Maximum pool size – maximum number of connections in a pool. 100 is the ADO.NET default.
Connection lifetime (seconds) – specifies the maximum age of connections. If a connection has been open for more than this number of seconds when you call its Close() or Dispose() method, it will be destroyed rather than being returned to the pool. Zero is the ADO.NET default, which means that connections are kept in the pool regardless of age.
Connection reset – specifies whether the database connection is reset when being removed from the pool. True is the ADO.NET default.
Enlist – specifies whether the connection is automatically enlisted in the current transaction context of the thread that created it. In other words, if this is set to true and the code opening the connection is already running inside a transaction, the connection joins that transaction instead of starting its own. True is the ADO.NET default.
Almost all of those defaults are just great. The only one you need to be careful about is the “Use encryption” option. This option is set to “Yes” by default. But, in order to use Configuration Logging encryption, you must be using IMA encryption. If you are not using IMA encryption, you cannot use Configuration Logging encryption. You will get this nasty undescriptive error when you test the connection if there is a mismatch:
Now that we have the farm configured to point to the database, we have some options on how to log changes. Remember this screen shot?
This is pretty easy, there are only 3 checkboxes:
Log administrative tasks to logging database – this is what tells the IMA service to use the CitrixLogServer.dll hook to log changes explained in part 1.
Allow changes to the farm when database is disconnected – this is self explanatory.
Require administrators to enter database credentials before clearing the log – “the log” referred to in this option is all the data in the database. An administrator can clear the log by opening the AMC, right-clicking on the farm name – > All Tasks –> Clear configuration log.
If you do not allow changes to be made to your farm and your Configuration Logging database is offline, you will get the following error message when trying to make a change:
Wow – that error message is actually pretty descriptive!
Note – even if you do not allow changes to be made to your Citrix XenApp farm when the Configuration Logging database cannot be reached, you can still change which database your farm uses. That means if you are trying to make a change and your database took a dive and it doesn’t look like it will be back up anytime soon, you can always change which database logs the changes and carry on. Of course, changing which database logs changes gets logged <- say that 5 times fast…
Adjusting Database Permissions
As you may recall, when we created the database user in part 2, we had to make sure the database user belonged to the db_owner role. This is because when the XenApp farm first connects to the database, the schema is checked, and if it does not exist, it is created – which requires db_owner rights. After that first connection, you can dial back the permissions. Here are the minimum operating permissions:
Configuration Logging task – database permissions needed:
To create log entries in the database tables – INSERT for the database tables, EXECUTE for the stored procedures, and SELECT for sysobjects and sysusers (SQL Server) or sys.all_objects (Oracle). Oracle also requires SELECT for the sequence objects and the CREATE SESSION system privilege.
To clear the log – DELETE and INSERT for the database tables, EXECUTE for the GetFarmData stored procedure, and SELECT for sysobjects and sysusers (SQL Server) or sys.all_objects (Oracle). Oracle also requires SELECT for the sequence objects and the CREATE SESSION system privilege.
To create a report – EXECUTE for the Citrix Configuration Logging stored procedures, and SELECT for sysobjects and sysusers (SQL Server) or sys.all_objects (Oracle). Oracle also requires the CREATE SESSION system privilege.
Delegated administration is supported to an extent; it is basically an on or off thing. It is also a good idea to require administrators to enter database credentials before clearing the log, especially once the farm’s logging account has been cut back to the INSERT rights listed above: clearing the log also needs DELETE, so the credentials the farm stores for everyday logging are not enough on their own to wipe the audit trail.
This is the second part in a series on Citrix XenApp Configuration Logging. When Citrix XenApp Configuration Logging is enabled, all changes are written to a back end database. In this part, we will look at the details of how to create the database, logins, and users.
All Citrix XenApp farm changes are written to a back end database. The back end database can be:
Microsoft SQL 2000 and above (Microsoft SQL Express works too)
Oracle 9.2 or 10.2
We will be using Microsoft SQL Server 2005 for this example.
Creating the Database
The first step in setting up the back end database for configuration logging is to create the database and user account(s). This is pretty easy. Just open up Microsoft SQL Server Management Studio, right-click Databases, and select New Database… Give the database a name and accept the defaults.
Creating the Database Login(s)
The next step is to set up the database authentication. In SQL Server Management Studio, expand Security, right-click Logins, and select New Login…
Citrix XenApp Configuration Logging supports both SQL Server authentication and Windows authentication.
If using SQL Server authentication, you can make up any login name and password you want. Keep in mind though that Citrix Configuration Logging does not support blank passwords.
If using Windows authentication, you can type a user name or group name in the form of domain\username or domain\group in the Login name field. You can also select the “Search…” button to browse Active Directory for users or groups.
Tip: by default, only objects of type “User or Built-in security principal” are searched when using the “Search…” button. You will need to add Groups to the search by clicking the “Object Types…” button.
In either case (using Windows or SQL Server authentication), be sure to change the Default database to the database created earlier.
Mapping the Login to a Database User
Even though you have created a database and a login, the two entities are not yet linked. In other words, the login you created cannot log on to the database. That is because a login is not equal to a database user. The next step in the process is to map the created login to a database user and assign appropriate rights.
In Microsoft SQL Server Management Studio, expand the Databases node, expand the database you created above, expand the Security node, right-click Users, and select New User…
Type a name in the User name field and type (or select) the login you created earlier in the Login name field. The name you type in the User name field does not have to match the name in the Login name field, but I usually keep them the same for simplicity.
You will also have to tick the db_owner box under the Role Members section for now. This is because the first time the Citrix XenApp farm tries to connect to the Configuration Logging database, the database schema will get created. After the schema gets created, you can dial back the permissions. I’ll explain the minimum permissions necessary in the next article.
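As an added example (not code from the original post or from Citrix), here is a PowerShell script that covers both halves of the database work the series describes: the database, login and user creation with temporary db_owner just described, and the dial-back to the minimum SQL Server permissions listed in part 3 above once the farm’s first connection has created the schema. The database name CtxConfigLog, the login CONTOSO\svc-ctxlog, the database user ctxlog, the Citrix objects living in the dbo schema, SQL Server 2005 syntax, and the ADO.NET settings on the administrative connection (mirroring the defaults the farm properties dialog shows) are all assumptions; Oracle is not covered.

```powershell
# Added example (not from the original post): script the Configuration Logging
# database lifecycle. Names, schema and server are placeholders/assumptions.

# Phase 1 (part 2): database, login and user; db_owner only until the schema exists.
function Get-CtxLogSetupBatches {
    param(
        [Parameter(Mandatory)][string]$Database,
        [Parameter(Mandatory)][string]$LoginName,    # DOMAIN\user for Windows auth, or a SQL login name
        [Parameter(Mandatory)][string]$DatabaseUser,
        [string]$SqlPassword                         # set only when using SQL Server authentication
    )
    $login = if ($SqlPassword) {
        $pw = $SqlPassword.Replace("'", "''")
        # CHECK_POLICY = ON applies the Windows password policy, so a blank password is refused
        "CREATE LOGIN [$LoginName] WITH PASSWORD = N'$pw', CHECK_POLICY = ON, DEFAULT_DATABASE = [$Database];"
    } else {
        "CREATE LOGIN [$LoginName] FROM WINDOWS WITH DEFAULT_DATABASE = [$Database];"
    }
    # Batch 1 runs in master; batch 2 runs in the new database (a login is not yet a database user)
    @(
        "CREATE DATABASE [$Database];`n$login",
        "CREATE USER [$DatabaseUser] FOR LOGIN [$LoginName];`nEXEC sp_addrolemember 'db_owner', '$DatabaseUser';"
    )
}

# Phase 2 (part 3): after the farm has created the schema, drop db_owner and grant the minimum.
function Get-CtxLogLeastPrivilegeScript {
    param([Parameter(Mandatory)][string]$DatabaseUser, [switch]$AllowClearLog)
    $u = "[$DatabaseUser]"
    $rights = if ($AllowClearLog) { 'INSERT, DELETE' } else { 'INSERT' }   # clearing the log needs DELETE
    $lines = @("EXEC sp_droprolemember 'db_owner', '$DatabaseUser';")
    foreach ($t in 'CtxLog_AdminTask_LogEntry', 'CtxLog_AdminTask_Object', 'CtxLog_AdminTask_ReferenceList') {
        $lines += "GRANT $rights ON [dbo].[$t] TO $u;"
    }
    # The logging DLL looks at sysobjects/sysusers when it validates the schema
    $lines += "GRANT SELECT ON [sys].[sysobjects] TO $u;"
    $lines += "GRANT SELECT ON [sys].[sysusers] TO $u;"
    # EXECUTE on every user stored procedure in the database (the Citrix procedures, GetFarmData included)
    $lines += @"
DECLARE @grant nvarchar(max);
SET @grant = N'';
SELECT @grant = @grant + N'GRANT EXECUTE ON ' + QUOTENAME(SCHEMA_NAME(schema_id)) + N'.' + QUOTENAME(name) + N' TO $u;'
FROM sys.procedures WHERE is_ms_shipped = 0;
EXEC sp_executesql @grant;
"@
    $lines -join "`n"
}

# Runs one T-SQL batch as the current Windows user, with the ADO.NET settings the farm dialog exposes.
function Invoke-CtxLogBatch {
    param([Parameter(Mandatory)][string]$Server, [Parameter(Mandatory)][string]$Database, [Parameter(Mandatory)][string]$Sql)
    $b = New-Object System.Data.SqlClient.SqlConnectionStringBuilder
    $b.DataSource = $Server; $b.InitialCatalog = $Database; $b.IntegratedSecurity = $true
    $b.ConnectTimeout = 20; $b.PacketSize = 8192
    $b.Pooling = $true; $b.MinPoolSize = 0; $b.MaxPoolSize = 100; $b.LoadBalanceTimeout = 0; $b.Enlist = $true
    $conn = New-Object System.Data.SqlClient.SqlConnection $b.ConnectionString
    $conn.Open()
    try { $cmd = $conn.CreateCommand(); $cmd.CommandText = $Sql; [void]$cmd.ExecuteNonQuery() }
    finally { $conn.Close() }
}

# Generate and review the scripts first; the commented lines show the order against a real server.
$setup = Get-CtxLogSetupBatches -Database 'CtxConfigLog' -LoginName 'CONTOSO\svc-ctxlog' -DatabaseUser 'ctxlog'
$setup
Get-CtxLogLeastPrivilegeScript -DatabaseUser 'ctxlog'
# Invoke-CtxLogBatch -Server 'sql01\CTX' -Database 'master'       -Sql $setup[0]
# Invoke-CtxLogBatch -Server 'sql01\CTX' -Database 'CtxConfigLog' -Sql $setup[1]
# ...configure the farm to use CtxConfigLog so its first connection creates the schema, then:
# Invoke-CtxLogBatch -Server 'sql01\CTX' -Database 'CtxConfigLog' -Sql (Get-CtxLogLeastPrivilegeScript -DatabaseUser 'ctxlog')
```

Leave -AllowClearLog off for the account the farm stores: with INSERT only, the stored credentials can add audit rows but cannot delete them, so “Clear configuration log” only works when an administrator supplies a separate credential that has DELETE.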
This is the first part in a series on Citrix XenApp Configuration Logging. Citrix XenApp Configuration Logging helps keep track of changes made to your server farm. This feature can tell you what changes were made to your server farm, when they were made, and who made them. Part 1 in this series will further define where changes are logged and how the changes are logged.
I have presented on this topic in the past at BriForum and I wanted to share more about Citrix XenApp Configuration Logging here. This will be a multi-part series that inspects each aspect of Citrix Configuration Logging and some creative ways of extending Citrix Configuration Logging. So, let’s get started…
What is Citrix Configuration Logging?
According to the Citrix XenApp Administrator’s guide, “the Configuration Logging feature allows you to keep track of administrative changes made to your server farm environment. By generating the reports that this feature makes available, you can determine what changes were made to your server farm, when they were made, and which administrators made them. This is especially useful when multiple administrators are modifying the configuration of your server farm. It also facilitates the identification and, if necessary, reversion of administrative changes that may be causing problems for the server farm.” (emphasis added)
When I worked for Citrix, we had a load evaluator that had no available login times. If a server was acting up, we could apply this “unavailable” load evaluator to it and figure out what was going on. Oftentimes, we would discover that the “unavailable” load evaluator was applied to a new server and not know who did it or why they did it. So, we would have to resort to sending out an email asking why this server was assigned to the load evaluator. Now, Citrix XenApp Configuration Logging tells you who did what and when. That should be enough information to find out why.
Where are Changes Logged?
Changes that you make to the Citrix XenApp farm are logged to a database. The back end database can be:
Microsoft SQL 2000 or Microsoft SQL 2005 (Microsoft SQL Express works too)
Oracle 9.2 or 10.2
We will explore the details of the database schema in depth later on.
How are Changes Logged?
There are several ways to make changes to a Citrix XenApp Farm:
In order to facilitate logging changes made by any of these methods, Citrix introduced an IMA hook called CitrixLogServer.dll. As you know, any change made to the data store has to go through IMA first. So, introducing an IMA hook makes sense.
Here are the facts about CitrixLogServer.dll:
Located in %ProgramFiles%\Citrix\System32
It is a Microsoft .NET assembly
It uses ADO.NET to write changes to the database. Once a connection is made to the database, it will automatically disconnect after 5 minutes of inactivity.
It uses an XSD schema that is optimized for writes
Citrix XenApp Configuration Logging Architecture
When a change is submitted to IMA, the change is written via a transaction to the configuration logging database and the data store. It is possible to require that all changes be written to the configuration logging database before they are allowed to be written to the data store, which ensures all changes are logged. Since the change is written via a transaction, a failure writing to either the logging database or the data store rolls back the transaction, and no change is made or logged.
Bonus tip: if you clone servers in your Citrix XenApp farm and cannot join the cloned server to the farm, you may have to disable configuration logging. Once the server joins the farm, you can re-enable configuration logging.