How to Enable Compact Logging for CGNAT in NetScaler?

CGNAT has become a necessity for service providers because of IPv4 address depletion and the surge in IP-based devices such as smartphones, laptops, PCs, IP TVs and many more. With this surge in traffic on the service provider network, it becomes extremely difficult to log every session that passes through the network. Service providers also cannot avoid this logging, because government regulations require them to keep track of network resource usage so that user activity can be tracked and identified where the law demands it. As a result, service providers have to store and process huge amounts of CGNAT logs in their repositories.

One might ask why service providers do not simply use Deterministic CGNAT, where logging is not necessary. But there are cases where governments ask service providers to log NAT translations in order to obtain specific details. With Deterministic NAT, logging happens at configuration time and the log is stored on the local device. These devices may overwrite the logs once logging exceeds a certain duration, which creates uncertainty.

What is compact logging in NetScaler?

Compact format is a technique for reducing the volume of logs through a notational change that uses short operational codes for events and protocol names. A CGNAT log entry contains information such as:

  • NSIP address of the NetScaler ADC
  • Time stamp
  • Entry type (MAPPING)
  • Subscriber’s IP address, port, and traffic domain ID
  • NAT IP address and port
  • Protocol name
  • Destination IP address, port, and traffic domain ID might be present, depending on these conditions:
    1. Destination IP address is not logged for Endpoint-Independent mapping.
    2. Destination IP address is logged for Address-Dependent mapping.
    3. Destination IP address and port are logged for Address-Port-Dependent mapping.

This information is logged in CGNAT logs in full form; for example, an Address-Port-Dependent mapping is logged as “LSN_ADDRPORT_MAPPING”. With compact logging it is logged as “A&PDMC”, which reduces the space needed to store the log. Some examples of default and compact logging are shown below, where the considerable difference in log size can be seen:

Example 1: Address-Port-Dependent mapping
  Default logging: 02/02/2016:01:13:01 GMT Informational 0- PPE-2 : default LSN LSN_ADDRPORT_MAPPING 85 0 : A&PDM CREATED Client IP:Port:TD 1.1.1.1:6500:0, NatIP:NatPort 8.8.8.8:47902, Destination IP:Port:TD 2.2.2.2:80:0, Protocol: TCP (217 bytes)
  Compact logging: 02/02/2016:01:14:57 GMT Info 0-PE2:default LSN 87 0:A&PDMC|C-1.1.1.1:6500:0|N- 8.8.8.9:51066|D-2.2.2.2:80:0|T (109 bytes)

Example 2: Deterministic NAT allocation
  Default logging: 02/02/2016:01:39:11 GMT Informational 0- PPE-0 : default LSN LSN_DETERMINISTIC 622 0 : Dtrstc ALLOC Client 1.1.1.255, NatInfo 8.8.8.152:2560 to 3071 (149 bytes)
  Compact logging: 02/02/2016:01:43:54 GMT Info 0-PE0:default LSN 1646 0:DTRA|C-1.1.1.255|N- 8.8.8.152:2560-3071 (94 bytes)

Example 3: Port block allocation
  Default logging: 02/02/2016:13:22:56 GMT Informational 0- PPE-2 : default LSN LSN_PORTBLOCK 117 0 : Portblock ALLOC Client 1.1.1.1, NatInfo 8.8.8.152:1024 to 1535, Proto:non-TCP (162 bytes)
  Compact logging: 02/02/2016:13:20:32 GMT Info 0-PE2:default LSN 115 0:PBA|C-1.1.1.1|N-8.8.8.151:1024- 1535|NT (91 bytes)

Compact logging has been found to reduce the logging space required by 44% on average. Apart from the compact logging solution, NetScaler also supports syslog over TCP to provide reliable transport of logs to log servers. To know more about syslog over TCP, refer to http://support.citrix.com/article/CTX205824. NetScaler is also capable of load balancing the log servers.

Note: Compact logging can be enabled for NAT44, NAT64 and DS-Lite solutions.
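As an added example (not code from the article or from Citrix), the following Python parses compact records of the kind shown above back into the fields of the default format and answers the question these logs are kept for: which subscriber held a given NAT IP and port at the time. The op-code and protocol expansions are read off the article's side-by-side examples rather than an official table, and the sample lines are constructed from those examples with the spacing normalised.

```python
import re
from dataclasses import dataclass
# Constructed sample input, modelled on the compact-format examples in the
# article (spacing normalised); not captured from a real appliance.
SAMPLE_LOGS = """\
02/02/2016:01:14:57 GMT Info 0-PE2:default LSN 87 0:A&PDMC|C-1.1.1.1:6500:0|N-8.8.8.9:51066|D-2.2.2.2:80:0|T
02/02/2016:01:43:54 GMT Info 0-PE0:default LSN 1646 0:DTRA|C-1.1.1.255|N-8.8.8.152:2560-3071
02/02/2016:13:20:32 GMT Info 0-PE2:default LSN 115 0:PBA|C-1.1.1.1|N-8.8.8.151:1024-1535|NT
"""
OPCODES = {"A&PDMC": "LSN_ADDRPORT_MAPPING CREATED", "DTRA": "LSN_DETERMINISTIC ALLOC",
           "PBA": "LSN_PORTBLOCK ALLOC"}          # expansions read off the article's examples
PROTOCOLS = {"T": "TCP", "NT": "non-TCP"}
# Header up to the op-code: timestamp, severity, engine:group, "LSN", two counters, then the body.
HEADER = re.compile(r"^(?P<ts>\S+) GMT \S+ \S+ LSN \d+ \d+:(?P<body>.+)$")

@dataclass
class LsnRecord:
    timestamp: str
    event: str                   # op-code expanded to the default-format event name
    client: str = ""             # subscriber IP[:port:TD]
    nat_ip: str = ""
    nat_ports: range = range(0)  # one port for a mapping, the whole block for an allocation
    destination: str = ""        # present only for address/port-dependent mappings
    protocol: str = ""

def parse_compact_line(line):
    m = HEADER.match(line.strip())
    if m is None:
        raise ValueError(f"not a compact LSN record: {line!r}")
    opcode, *fields = m["body"].split("|")      # body = OPCODE|C-...|N-...[|D-...][|T or NT]
    rec = LsnRecord(m["ts"], OPCODES.get(opcode, opcode))
    for f in fields:
        if f.startswith("C-"):
            rec.client = f[2:]
        elif f.startswith("N-"):                # "8.8.8.9:51066" or "8.8.8.152:2560-3071"
            rec.nat_ip, ports = f[2:].rsplit(":", 1)
            lo, _, hi = ports.partition("-")
            rec.nat_ports = range(int(lo), int(hi or lo) + 1)
        elif f.startswith("D-"):
            rec.destination = f[2:]
        elif f in PROTOCOLS:
            rec.protocol = PROTOCOLS[f]
    return rec

def subscribers_for(records, nat_ip, nat_port):
    """Subscriber IPs that held this NAT IP:port, via a mapping or an allocated block."""
    return sorted({r.client.split(":")[0] for r in records
                   if r.nat_ip == nat_ip and nat_port in r.nat_ports})

RECORDS = [parse_compact_line(line) for line in SAMPLE_LOGS.splitlines()]
```

Because a deterministic or port-block allocation covers a port range, the lookup matches a NAT port anywhere inside the block, not only an exact per-connection mapping.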
