Thanks for your response and sorry for a delayed response as my testing was in prgress which is completed now. Yes sure let me summarize my system setup (test bed) . The system initially deployed on CentOS6.8 using ulogd2, conntrack-tools, libnet libraries, rsyslog and its front end Log Analyzer.
I have some findings on my test setup. There were lost of unwanted logs (disk space as a cost) in the conntrack tables but our interest is only src-nat events to trace back a malicious user. Also the conntrack event does not contain year info (see below example Day and time is there but not the year). During my research I came across another package by Mr. F B Brokken called natlog and available as precompiled Debian packages as well as sources.
Well my limitation is I dont have programming background on compiling C++ sources on CentOS which requires C++14 or above compiler as per Mr. Brokken. So I used Debain OS instead to test what it offers and how it works. natlog uses conntrack -E output to extract session event to summarize it and send to either a log file or syslog facility. It gives src-nat event start time end time of each session in raw time (epoch time). The author of natlog is also reachable via email but he also does not have any experience on compiling sources on CenOS. Please see natlog ouput format:
natlog (clean output of src-nat only) with precise timestamp as unix time:
Jan 22 08:23:25 debian NATLOG: from 1485091279:235686 until 1485091405:832021: t
cp 192.168.2.4:45210 (via: 192.168.1.109:45210) to 22.214.171.124:80
Ulogd2 output (Missing Year information):
Mar 11 15:55:59 wc01 ulogd: [NEW] ORIG: SRC=126.96.36.199 DST=192.168.1.3 PROTO=TCP SPT=20283 DPT=5358 PKTS=0 BYTES=0 , REPLY: SRC=192.168.1.3 DST=188.8.131.52 PROTO=TCP SPT=5358 DPT=20283 PKTS=0 BYTES=0
This is what i have done so far. The object is to track src-nat events if this is achievable using some other way like piping conntrack -E output to syslog or a file can serve the purpose.
Please share your thoughts on it.