NetScaler Console service

Logstream overview

NetScaler instances generate AppFlow records and are a central point of control for all application traffic in the data center. IPFIX and Logstream are the protocols that transport these AppFlow records from NetScaler instances to NetScaler Console. For more information, see AppFlow.

  • IPFIX is an open Internet Engineering Task Force (IETF) standard defined in RFC 5101. IPFIX uses UDP protocol which is unreliable transport protocol used for data flow in one direction. Since IPFIX uses UDP protocol, adhering to IPFIX standard results in processing more resources in NetScaler Console.

  • Logstream is a Citrix-owned protocol that is used as one of the transport modes to efficiently transfer the analytics log data from NetScaler instances to NetScaler Console. Logstream uses reliable TCP protocol and requires lesser resources in processing the data.

For NetScaler between 11.1 Build 47.14 and 11.1 Build 62.8, Logstream is the default transport mode for enabling Web Insight (HTTP) and IPFIX is the only transport mode for enabling other insights. For NetScaler version starting from 12.0 to latest version, you can select either Logstream or IPFIX as the transport mode.

Note

The NetScaler Console version and build must be equal to or higher than your NetScaler version and build. For example, if you have installed NetScaler 12.1 Build 50.28/50.31, then ensure you have installed NetScaler Console 12.1 Build 50.39 or later.

Enable Logstream as Transport Mode

  1. Navigate to Infrastructure > Instances, and select the NetScaler instance you want to enable analytics.

  2. From the Select Action list, select Configure Analytics.

    Configure analytics

  3. Select the virtual servers and then click Enable Security & Analytics.

    Enable analytics

  4. On the Enable Security & Analytics window:

    1. Select the insight types (Web Insight or WAF Security Violations or Bot Security Violations)

    2. Select Logstream as Transport Mode

      Note

      For NetScaler between 11.1 Build 47.14 and 11.1 Build 62.8, Logstream is the default transport mode for enabling Web Insight (HTTP) and IPFIX is the only transport mode for enabling other insights. For NetScaler version starting from 12.0 to latest version, you can select either Logstream or IPFIX as the transport mode.

    3. The Expression is true by default

    4. Click Save Analytics

      Enable analytics

      Note

      • For admin partitions, only Web Insight is supported

      • For virtual servers such as Cache Redirection, Authentication, and GSLB, you cannot enable analytics. An error message is displayed.

The following table describes the features of NetScaler Console that supports Logstream as the transport mode:

Feature IPFIX Logstream
Web Insight
Bot Security Violations Not supported
WAF Security Violations
Gateway Insight
HDX Insight
SSL Insight Not supported
CR Insight
IP Reputation
AppFirewall
Client Side Measurement
Syslog/Auditlog
Logstream overview