Logstream overview

Logstream is a custom framework used to efficiently transfer the log data from Citrix ADC instances to Citrix Application Delievery Management (ADM) and NetScaler Insight Center. Logstream data is generated by the ADC Packet Engines and is received by NSULFD process running on Citrix ADM and NetScaler Insight Center.

The only production consumers of Logstream data Is the AFdecoder process running on Citrix ADM, which is used to enable the various insight reports (Web, HDX, TCP, etc.). Logstream collects flow and user-session level information valuable for application performance monitoring, analytics, and business intelligence applications. It also collects web page performance data and database information. Logstream defines new Information Elements to represent application-level information, web page performance data, and database information.

Using TCP as the transport protocol, Logstream transmits the collected data, called flow records, to one or more IPv4 collectors (in Citrix ADM). The collectors aggregate the flow records and generate real-time or historical reports. Similar to AppFlow, Logstream provides visibility at the transaction level for HTTP, SSL, TCP, and SSL_TCP flows.

Logstream uses actions and policies to send records for a selected flow to specific set of collectors.

An action specifies which set of collectors will receive the Logstream records.

Policies, which are based on Advanced expressions can be configured to select flows for which flow records will be sent to the collectors specified by the associated action.

Unlike IPFIX (AppFlow), while using Logstream for HTTP or TCP transactions, Logstream, instead of sending multiple records (templates) per transaction, only one record is sent with Logstream. This removes collection and assembling of records logic for insights thus improving the response time, and the bandwidth required to transmit flow records to the, and improves performance of ADC instances and Citrix ADM.

Logstream uses string table approach to send the new data strings of the entities (server, client, IP address etc.)  for the first time, and refer to them for the subsequent transactions that refer to the same entity that is repetitive while sending the log records which saves a lot of bandwidth on Citrix ADM.

For example, if a server has 2 million hits during a duration of one hour, when the first transaction is sent on Citrix ADM, the server details are indexed in a string, and each of the subsequent transaction record points to the string instead of sending the server details on each transaction record.

Currently, enabling Logstream on the virtual servers configured ADC instances is supported from both ADC instances and Citrix ADM.

Enabling AppFlow using Citrix ADM

  1. In a supported web browser, type the IP address of the Citrix ADM (for example,

  2. In User Name and Password, enter the administrator credentials.

  3. Navigate to Networks > Instances, and select the ADC instance you want to enable analytics.

  4. From the Action drop-down, select Configure Analytics.

  5. Select the virtual servers, and click Enable AppFlow.

  6. In the Enable AppFlow, select or enter the following:

    • For selecting the transport mode as Logstream, select Logstream radio button.

    • In the Enable AppFlow field, type true.

    • Based on the analytics you want to enable, select Security Insight or Web Insight, or both.


      Citrix ADM supports IPFIX as default transport mode while configuring AppFlow on virtual servers. From Citrix ADC 12.0 release onwards, Citrix ADM supports Logstream, and you must explicitly select Logstream, if required.

    • Click OK.

    When you configure AppFlow on multiple virtual servers at the same time, a pop-up window displays the step-by-step progress of the AppFlow configuration. The information shows the number of virtual servers being configured at the instance level. The progress information is useful when you are configuring AppFlow on a large number of virtual servers.

    localized image


    For HDX Insight and Gateway Insight, while clicking Enable AppFlow, you need to select VPN virtual server configured on your ADC instance, and select ICA or HTTP check boxes accordingly.

    While enabling AppFlow on Citrix Gateway instances, ensure that you select either ICA or TCP as a transport mode. If you select both, ICA takes precedence over TCP. Selecting HTTP along with either ICA or TCP is allowed.

The following table describes the features of Citrix ADM that supports Logstream as the transport mode:

Feature IPFIX Logstream
Web Insight
Security Insight
Gateway Insight
HDX Insight
SSL Insight Not supported
CR Insight
IP Reputation
Client Side Measurement