I can speak to the use of a Traffic Logger and answer Question #2 and #3.
Traffic Log Feature:
We have a great Out of the Box feature for creating a Traffic Log. You basically choose this option as a Category under the Filters section of the Log Sink Properties dialogue window when you choose to Create a new log (from originally choosing Tasks > Manage Log/Audit Sinks). You then have the ability to set the content captured by this log in a Cluster-Wide property named trafficlogger.detail.
Steps:
1. Tasks > Manage Log/Audit Sinks
2. Click Create on the right side of the window
3. Name the log accordingly, and check the Enabled checkbox
4. Add description to the log
5. Set the Type to File or Syslog, depending on your desire
6. Choose Severity Threshold as Info, unless you are familiar with our logging levels and want to change it. Most events will happen from Info - Warning, so we recommend keeping it at Info
7. In the Filters section, click Add, and choose Traffic Log under the first filter dropdown called Category
8. Click on the File Settings tab at the top of the window, and choose values accordingly
9. Click on the Syslog Settings tab if applicable and choose desired settings. You can close this window as the log has been created
10. At the top of the Policy Manager go to Tasks > Manage Cluster-Wide Properties
11. Click Add on the right hand side of the window
12. Click the Key dropdown menu and scroll to the bottom to find trafficlogger.detail
13. In the Value section, add the context variables and format you would like to log them in
a) Ex: RemoteIP:${request.tcp.remoteIP}|NodeIP:${ssgnode.ip}|Time:${request.time}|Method:${request.http.method}|URL:${request.url}|Status:${response.http.status}|User:${request.username}|ClientID:${request.clientid}
b) You can reference any variable to your heart's content. Just note that any variables created w/ a Set Context Variable assertion in a policy will be a localized variable and may not apply to policies; we recommend only using default context variables such as ones in the above example.
14. You click OK to close this window as the Traffic Log has been fully set up. Note that at any time you can edit this Cluster-Wide property to have an immediate effect on the log
Questions:
2. Will I be able to configure traffic log as a syslog and send to external log management tools using UDP or TCP?
Yes, in the Log properties you can do:
a) Create Traffic Log locally only
b) Create Traffic Log via Syslog only
c) Create two logs: Local Traffic Log and Syslog Traffic log
3. Is it a better approach to use traffic logger instead of SSG logs in production?
From my experience, clients often use both/multiple logs. They have ssg as a catch-all log and then opt to create specific logs for certain circumstances, in your case, a separate Traffic Log.
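Added example, not part of the original post and not the product's own tooling: a Python parser for lines written with the trafficlogger.detail value from step 13a, used here to count 401/403 responses per RemoteIP on the receiving log server. The sample lines, the "INFO" prefix and the rendered form of ${request.time} are constructed assumptions; the labels come from the template in the post.

```python
import re
from collections import Counter

# Value of trafficlogger.detail, copied from the example in step 13a above.
TEMPLATE = (
    "RemoteIP:${request.tcp.remoteIP}|NodeIP:${ssgnode.ip}|Time:${request.time}|"
    "Method:${request.http.method}|URL:${request.url}|Status:${response.http.status}|"
    "User:${request.username}|ClientID:${request.clientid}"
)

def labels_of(template):
    """Return the ordered field labels ("RemoteIP", "NodeIP", ...) of a template."""
    return [field.partition(":")[0] for field in template.split("|")]

def compile_template(template):
    """Build a regex with one named group per label, anchored on '|Label:'."""
    body = r"\|".join(re.escape(l) + ":(?P<%s>.*?)" % l for l in labels_of(template))
    return re.compile(body + "$")

def parse_line(line, template=TEMPLATE):
    """Parse one log line into a dict; None if it does not match the template.

    Any sink prefix before the first label is ignored. '_ambiguous' is True
    when a '|Label:' sequence repeats, i.e. a logged value contains the
    delimiter and the field boundaries cannot be trusted.
    """
    m = compile_template(template).search(line.rstrip("\n"))
    if m is None:
        return None
    rec = m.groupdict()
    rec["_ambiguous"] = any(line.count("|%s:" % l) > 1 for l in labels_of(template)[1:])
    return rec

def denied_by_ip(lines, statuses=("401", "403")):
    """Count denied requests per RemoteIP, skipping ambiguous or unparsable lines."""
    hits = Counter()
    for rec in filter(None, map(parse_line, lines)):
        if not rec["_ambiguous"] and rec["Status"] in statuses:
            hits[rec["RemoteIP"]] += 1
    return hits

# Constructed sample lines (not real gateway output).
SAMPLE = [
    "INFO RemoteIP:203.0.113.7|NodeIP:10.0.0.5|Time:2024-01-01T10:00:00Z|Method:GET|URL:https://gw.example.com:8443/api/v1?x=1|Status:401|User:|ClientID:",
    "INFO RemoteIP:203.0.113.7|NodeIP:10.0.0.5|Time:2024-01-01T10:00:02Z|Method:POST|URL:https://gw.example.com:8443/api/v1|Status:403|User:bob|ClientID:app1",
    "INFO RemoteIP:198.51.100.9|NodeIP:10.0.0.5|Time:2024-01-01T10:00:03Z|Method:GET|URL:https://gw.example.com:8443/ok|Status:200|User:alice|ClientID:app2",
    "INFO RemoteIP:198.51.100.9|NodeIP:10.0.0.5|Time:2024-01-01T10:00:04Z|Method:GET|URL:/search?q=a|Status:200|Status:403|User:|ClientID:",
]
```

Values such as the URL and timestamp contain colons, so the parser anchors on the labels instead of splitting on ":"; lines flagged ambiguous are worth reviewing separately instead of being counted.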