Forum Discussion

Xepik
Nov 20, 2024

Get actual client IPs in Splunk

We are in detect and respond and have a request to enhance the logging capabilities of a load balancer. Since all traffic is going through the F5, we need the actual client IPs in Splunk to verify the logs. Please let us know the best way to enable this. We are using TCP/UDP 514 for logs.

 

Thanks

Xe

  • Hi,

    When the BIG-IP uses NAT for all IP addresses on its Origin setting, the outbound connection to the pool members (nodes/backend servers) will be from the NAT IP address.
    The pool members (nodes/backend servers) will not be able to see the real client IP address, as they will see the NAT IP address on the BIG-IP.

    If the pool is an HTTP webserver, the X-Forwarded-For HTTP header can be used.

    However, for non-HTTP pool servers, the BIG-IP NAT will need to be disabled to allow the client IP to be the source IP address when hitting the pool.

     

    Please go through the link and you will get more details from it - Get Client IP when F5 BIG-IP is using NAT 

     

    As your Splunk is working on port 514, you have to try the second option (NAT will need to be disabled). But you have to check whether the server receives logs or not (there will sometimes be an asymmetric routing issue).

    BR,
    Aswin

     

  • Hi Xe,

     

    There are 2 options, but I don't think it's possible in traffic flow. Could you please confirm if you have any issues in traffic flow if you disable SNAT in the Splunk VIP?

     

    BR
    Aswin

  • Xepik

    Hi Aswin,

     

    Thanks for the fast one. We have not tried anything in F5. It was managed by a different team previously. Could you please explain the possible ways for us?

     

    Xe