
clay584_103411
Oct 21, 2015

Duplicate Syslog to multiple backend syslog servers

Some devices can only accept a single syslog location for logging. What I am trying to do is create a VIP on the F5 to listen for syslog on UDP/514 and duplicate that to multiple backend syslog servers. I am struggling to actually get the UDP::payload to be sent via the high-speed logger (HSL).

If there is a more simple way of accomplishing the overall task of duplicating syslog data to multiple syslog servers, I would love to hear it. I have tried clone pools, but that preserves the entire packet (IP header and all) which does not function as expected as the backend syslog servers will discard the packet. Pool cloning is more for an IDS scenario.

I have followed this guide as best I can and I can get the desired effect, except for the fact that the syslog payload is not forwarded to both destinations.

Here is the iRule that I have so far. It works, but the original packet payload is not sent to both backend servers; the literal string "UDP::payload" is sent. I need the original syslog data to be forwarded to both backend syslog servers.

when CLIENT_ACCEPTED {
    set hslogger [HSL::open -publisher /Common/syslogger]
}
when CLIENT_DATA {
    HSL::send $hslogger UDP::payload
}

1 Reply

  • 2 comments

    1) You may wrap UDP::payload in square brackets, something like:

    HSL::send $hslogger [UDP::payload]
    

    2) Create a separate logger for each syslog server, then run HSL multiple times. I rarely test HSL, so let's wait for an HSL expert to comment on this one 🙂

    HSL::send $hslogger1 [UDP::payload]
    HSL::send $hslogger2 [UDP::payload]