Logstream overview

Logstream is a custom framework used to efficiently transfer log data from Citrix ADC instances to Citrix Application Delivery Management (ADM) and NetScaler Insight Center. Logstream data is generated by the ADC Packet Engines and is received by the NSULFD process running on Citrix ADM and NetScaler Insight Center.

The only production consumer of Logstream data is the AFdecoder process running on Citrix ADM, which is used to enable the various insight reports (Web, HDX, TCP, and so on). Logstream collects flow and user-session level information valuable for application performance monitoring, analytics, and business intelligence applications. It also collects webpage performance data and database information. Logstream defines new Information Elements to represent application-level information, webpage performance data, and database information.

Using TCP as the transport protocol, Logstream transmits the collected data, called flow records, to one or more IPv4 collectors (Citrix ADM). The collectors aggregate the flow records and generate real-time or historical reports. Similar to AppFlow, Logstream provides visibility at the transaction level for HTTP, SSL, TCP, and SSL_TCP flows.

Logstream uses actions and policies to send records for a selected flow to a specific set of collectors.

An action specifies which set of collectors receive the Logstream records.

Policies, which are based on Advanced expressions, can be configured to select the flows for which flow records are sent to the collectors specified by the associated action.

Unlike IPFIX (AppFlow), which sends multiple records (templates) per transaction, Logstream sends only one record for each HTTP or TCP transaction. This removes the record collection and assembly logic for insights, which improves the response time and the bandwidth required to transmit flow records, and improves the performance of Citrix ADC instances and Citrix ADM.

Logstream uses a string table approach: the data string for an entity (server, client, IP address, and so on) is sent the first time the entity appears, and subsequent transactions that involve the same entity refer to that string instead of repeating it in each log record. This saves a lot of bandwidth on Citrix ADM.

For example, if a server has 2 million hits during one hour, the server details are indexed in a string when the first transaction is sent to Citrix ADM, and each subsequent transaction record points to that string instead of carrying the server details.
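The string-table idea above, as an added example that is not Citrix code and does not reproduce the Logstream wire format: a toy JSON encoding, assumed here for illustration, in which the sender defines each string once and later records carry only indices. The class names, field names and sample values are constructed, and scoping the table to one sender/collector session is an assumption of this model. The decoder rejects a reference to an index it was never sent, which is the case a collector faces if it loses its table mid-stream.

```python
import json

class StringTableEncoder:
    """Sender side: ship each distinct string once, then refer to it by index."""
    def __init__(self):
        self.index = {}  # string -> table index

    def encode(self, record):
        defs, refs = {}, {}
        for field, value in record.items():
            if value not in self.index:
                self.index[value] = len(self.index)
                defs[self.index[value]] = value  # first sighting: include the string
            refs[field] = self.index[value]
        msg = {"refs": refs}
        if defs:
            msg["defs"] = defs
        return json.dumps(msg, separators=(",", ":")).encode()

class StringTableDecoder:
    """Collector side: the table lives and dies with one session (assumption)."""
    def __init__(self):
        self.table = {}  # table index -> string

    def decode(self, wire):
        msg = json.loads(wire)
        for idx, value in msg.get("defs", {}).items():
            self.table[int(idx)] = value  # JSON object keys arrive as strings
        try:
            return {f: self.table[i] for f, i in msg["refs"].items()}
        except KeyError as exc:
            # Index never defined in this session: reject the record, do not guess.
            raise ValueError(f"undefined string index {exc.args[0]}") from None

def simulate(n):
    """Send the same constructed record n times; return the wire size of each."""
    enc, dec = StringTableEncoder(), StringTableDecoder()
    record = {"server": "app01.example.internal",  # constructed sample values
              "client_ip": "192.0.2.10", "url": "/login"}
    sizes = []
    for _ in range(n):
        wire = enc.encode(record)
        if dec.decode(wire) != record:
            raise RuntimeError("round trip mismatch")
        sizes.append(len(wire))
    return sizes
```

Only the first record carries the strings; every later record for the same entities is the fixed-size reference form.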

Currently, enabling Logstream on the virtual servers configured on Citrix ADC instances is supported from both Citrix ADC instances and Citrix ADM.

To use Logstream as the communication mode while enabling analytics on Citrix ADM:

  1. In a supported web browser, type the IP address of the Citrix ADM (for example,

  2. In User Name and Password, enter the administrator credentials.

  3. Navigate to Networks > Instances, and select the Citrix ADC instance for which you want to enable analytics.

  4. From the Select Action list, select Configure Analytics.

  5. Select the virtual servers, and click Enable AppFlow.

  6. In Enable AppFlow, select or enter the following:

    • To select Logstream as the transport mode, select the Logstream radio button.

    • In the Enable AppFlow field, type true.

    • Based on the analytics you want to enable, select Security Insight or Web Insight, or both.


    For HDX Insight and Gateway Insight, while clicking Enable AppFlow, you need to select the VPN virtual server configured on your Citrix ADC instance, and select the ICA or HTTP check boxes accordingly.

The following table describes the features of Citrix ADM that support Logstream as the transport mode:

Feature IPFIX Logstream
Web Insight
Security Insight
Gateway Insight
HDX Insight
SSL Insight Not supported
CR Insight
IP Reputation
Client Side Measurement

Analytics support for admin partitions [IPFIX]

When you create admin partitions on your managed instances, you might also want to view analytics reports on Citrix ADM for each admin partition separately.

Earlier, Citrix ADM displayed consolidated analytics reports based on the IP address of the instances. Citrix ADM supports IPFIX as the default transport mode while configuring AppFlow on virtual servers. You can now enable analytics on individual admin partitions by configuring a SNIP for each individual partition.

A few salient points to note are as follows:

  • Analytics reports are displayed for the traffic processed by each individual partition.

  • Instance-level Web Insight reports display the IP address as NSIP [partition name].
  • Partition-level analytics reports are supported only for Web Insight reports.