For basic traffic I log via
ntpq -c iostats which gives packes in/out. I also run
ntpq -c rv -c peers -n and parse that for various other bits of how NTP is operating. Pass that into your favorite RRD graphing program…
When I want to log NTP traffic I do it via iptables / rsyslog / mysql…
Basically iptables will output NTP specific traffic prepended with a certain tag.
Then rsyslog looks for that tag and redirects it to a UDP socket.
The socket is just a basic script that parses the iptables format and inserts the relevant data into MySQL.
Then at my leisure I’ll run another script that searches all the IPs for their country via a (free) database from ip2location or maxmind (I can’t remember which, they are basically the same).