Understanding Logstream

Logstream is a custom framework used to efficiently transfer the log data from Citrix NetScaler instances to NetScaler MAS and NetScaler Insight Center. Logstream data is generated by the NetScaler Packet Engines and is received by NSULFD process running on NetScaler MAS and NetScaler Insight Center.

The only production consumers of Logstream data Is the AFdecoder process running on NetScaler MAS, which is used to enable the various insight reports (Web, HDX, TCP, etc.). Logstream collects flow and user-session level information valuable for application performance monitoring, analytics, and business intelligence applications. It also collects web page performance data and database information. Logstream defines new Information Elements to represent application-level information, web page performance data, and database information.

Using TCP as the transport protocol, Logstream transmits the collected data, called flow records, to one or more IPv4 collectors (NetScaler MAS). The collectors aggregate the flow records and generate real-time or historical reports. Similar to AppFlow, Logstream provides visibility at the transaction level for HTTP, SSL, TCP, and SSL_TCP flows.

Logstream uses actions and policies to send records for a selected flow to specific set of collectors.

An action specifies which set of collectors will receive the Logstream records.

Policies, which are based on Advanced expressions can be configured to select flows for which flow records will be sent to the collectors specified by the associated action.

Unlike IPFIX (AppFlow), while using Logstream for HTTP or TCP transactions, Logstream, instead of sending multiple records (templates) per transaction, only one record is sent with Logstream. This removes collection and assembling of records logic for insights thus improving the response time, and the bandwidth required to transmit flow records to the, and improves performance of NetScaler instances and NetScaler MAS.

Logstream uses string table approach to send the new data strings of the entities (server, client, IP address etc.)  for the first time, and refer to them for the subsequent transactions that refer to the same entity that is repetitive while sending the log records which saves a lot of bandwidth on NetScaler MAS.

For example, if a server has 2 million hits during a duration of one hour, when the first transaction is sent on NetScaler MAS, the server details are indexed in a string, and each of the subsequent transaction record points to the string instead of sending the server details on each transaction record.

Currently, enabling Logstream on the virtual servers configured NetScaler instances is supported from both NetScaler instances and NetScaler MAS.

To use Logstream as the communication mode while enabling analytics on NetScaler MAS:

1. In a supported web browser, type the IP address of the NetScaler Management and Analytics System (for example,

2. In User Name and Password, enter the administrator credentials.

3. Navigate to Networks > Instances, and select the NetScaler instance you want to enable analytics.

4. From the Action drop-down, select Enable/Disable Insight.

5. Select the virtual servers, and click Enable AppFlow.

6. In the Enable AppFlow, select or enter the following

  • For selecting the transport mode as Logstream, select Logstream radio button.
  • In the Enable AppFlow field, type true.
  • Based on the analytics you want to enable, select Security Insight or Web Insight, or both.


For HDX Insight and Gateway Insight, while clicking Enable AppFlow, you need select VPN virtual server configured on your NetScaler instance, and select ICA or HTTP check boxes accordingly.

The following table describes the features of NetScaler MAS that supports Logstream as the transport mode:

Feature IPFIX Logstream
Web Insight
Security Insight
Gateway Insight
HDX Insight
SSL Insight Not supported
CR Insight
IP Reputation
Client Side Measurement

Understanding Logstream