Forum Discussion
Load Balancing UDP 514 Syslog traffic
We have a need to load Balance syslog traffic between 2 servers.
Created a Standard VS using Service Port 514 that sends traffic to the Pool of 2 Servers. We are using a global SNAT, so on the VS the Source Address Translation is set to None.
As we expected when the traffic reaches the Pooled Servers the Source Address/Hostname has been overwritten and shows as the SNAT IP of the Load balancer.
Tried getting around this using iRules with slight variations, but so far have had no luck:
when CLIENT_ACCEPTED {
    # Skip SNAT for clients in 172.16.0.0/16 so the pool member sees the real source address
    if { [IP::addr [IP::client_addr] equals 172.16.0.0/16] } {
        snat none
    }
}
Any thoughts on how to bypass SNAT and get the proper Source Address to the Syslog Servers?
12 Replies
- Brad_Parker
Cirrus
Try changing the Allow SNAT drop-down on your pool config to No.
- Blair_Murray_10
Nimbostratus
Brad, I tried that and it made no difference. Our SNAT would already be done before it even sends the syslog packet to the Pool Member. From everything I have read on DevCentral the only way I can make this work with our SNAT setup is by using an iRule.
- Brad_Parker
Cirrus
Best solution would be to get rid of the global SNAT. They are very limiting. Better off selecting SNATing as appropriate. However, try this. It may override your global SNAT and provide the original client IP to the backend if I follow the SNAT processing right.
when CLIENT_ACCEPTED {
    # SNAT to the original client address so the pool member sees it as the source
    snat [IP::client_addr]
}
- Blair_Murray_10
Nimbostratus
Thanks Brad, this did the trick
On the Pool we changed the Allow SNAT to No. On the Virtual Server we changed the Source Address Translation to Auto Map and added the iRule:
when CLIENT_ACCEPTED { snat [IP::client_addr] }
- Subrun
Cirrostratus
What's the logic of the above, disabling SNAT with Allow SNAT set to No and then doing a SNAT again with the iRule?
- Brad_Parker
Cirrus
It's been quite a while since this original post, but I will try to help. There isn't really any logic in setting the pool to not allow SNAT and the iRule. Those were two different suggestions to overcome a global SNAT. The iRule should be sufficient on its own. If there weren't a global SNAT, the easiest solution would be to simply turn Source Address Translation to None on the virtual server.
- Josh_Walker_308
Nimbostratus
Actually, I don't like the previous answers because they force you to use the F5 as the default gateway, which forces you to waste precious packets per second pushing patches and management traffic through the F5. Not to mention the rules you would have to open for monitoring the back-end servers, since they would be using the F5 as the default gateway.
A better option would be for the F5 to replace the host field in the original syslog message with the source IP of the packet like Syslog-NG does. Another option would be for it to add text to the original syslog message text such as "Original IP=" like Kiwi Syslog does when it relays syslog messages to multiple servers for storage.
There are also custom options mentioned in the various how-tos for standard Unix/Linux rsyslog, but I have not dug into them just yet.
As you can tell, we are also looking to perform this function using F5. I am just learning F5, coming from Cisco ACE. If I find that this feature exists I will try to update this thread.
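As an added illustration of the payload-level alternative described in this reply (example code written for this page, not code from the thread and not an F5 feature): a small Python model of an RFC 3164 datagram showing which field a SNAT hop changes (the packet source) and which it leaves alone (the HOSTNAME in the payload), plus the two relay rewrites mentioned, syslog-ng style HOSTNAME replacement and Kiwi style "Original IP=" tagging. The sample message, the hostname fw01 and the address 172.16.20.7 are constructed.

```python
import re
import socket
from dataclasses import dataclass

# RFC 3164 datagram layout: "<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG"
_HDR = re.compile(rb"^<(\d{1,3})>([A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) (\S+) (.*)$", re.S)

@dataclass
class Syslog3164:
    pri: int
    timestamp: str
    hostname: str
    body: str

def parse_3164(datagram: bytes) -> Syslog3164:
    m = _HDR.match(datagram)
    if not m:
        raise ValueError("not an RFC 3164 datagram")
    return Syslog3164(int(m.group(1)), *(g.decode() for g in m.group(2, 3, 4)))

def attribution(datagram: bytes, packet_src: str) -> dict:
    """Packet source (the field a SNAT hop rewrites) vs. the payload HOSTNAME (untouched by SNAT)."""
    msg = parse_3164(datagram)
    return {"packet_src": packet_src, "payload_host": msg.hostname, "mismatch": packet_src != msg.hostname}

def relay_rewrite(datagram: bytes, packet_src: str, mode: str = "replace") -> bytes:
    """Relay-side rewrite done before the SNAT hop, so the origin survives inside the payload.
    "replace": packet source IP becomes HOSTNAME (syslog-ng style).
    "tag": HOSTNAME kept, body prefixed with "Original IP=<src>" (Kiwi style)."""
    msg = parse_3164(datagram)
    if mode == "replace":
        host, body = packet_src, msg.body
    elif mode == "tag":
        host, body = msg.hostname, f"Original IP={packet_src} {msg.body}"
    else:
        raise ValueError(f"unknown mode {mode!r}")
    return f"<{msg.pri}>{msg.timestamp} {host} {body}".encode()

if __name__ == "__main__":
    # Constructed sample; "fw01" and 172.16.20.7 are made-up client names/addresses.
    SAMPLE = b"<34>Oct 11 22:14:15 fw01 sshd[1234]: Failed password for root from 203.0.113.5"
    rx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    rx.bind(("127.0.0.1", 0))                      # loopback stands in for the pool member
    tx = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    tx.sendto(SAMPLE, rx.getsockname())            # 127.0.0.1 stands in for the BIG-IP SNAT address
    data, (src, _port) = rx.recvfrom(65535)        # what the syslog server actually sees
    print(attribution(data, src))                  # packet_src 127.0.0.1 != payload_host fw01
    print(relay_rewrite(data, "172.16.20.7").decode())
    print(relay_rewrite(data, "172.16.20.7", "tag").decode())
```

Running the script on a pool member in place of the real collector is a quick way to confirm whether the VS is presenting the client address or the SNAT address.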
- Brad_Parker
Cirrus
In this solution the F5 is not the default gateway; it is one-arm and using SNAT. Since UDP syslog is not stateful, we don't have to worry about any response traffic coming back through the BIG-IP, so this allows us to SNAT the traffic with the client IP address and forward it on to the SYSLOG server. The server sees the source address of the client and still uses whatever gateway it has configured (not the BIG-IP). No other traffic would need to traverse the BIG-IP. This is actually much faster and less resource intensive than what you've described above, a SYSLOG proxy. If you function as a full SYSLOG proxy you are wasting resources rewriting every payload.
- lnxraider_29830
Nimbostratus
As simple as this appears, I cannot successfully replicate the above. I've set up a standard VS and use the UDP protocol. The traffic makes it to the backend servers, but the hostname presented to the servers is the load balancer's hostname and not that of the client. When using the iRule as described, no messages are delivered to the syslog servers.
- Geoff
Nimbostratus
I have not found a solution, but this iRule will break Cisco ACI. It logs all the SNAT IPs and basically puts them into the ARP database. Then ACI thinks that every syslog source is in ACI. Then when anything in ACI tries to send traffic to those source IPs, it will send it to the F5. Not sure how it works on other systems.
- msaunders
Nimbostratus
I had a similar issue today. I just disabled SNAT on the VIP, and that resolved the issue. It's UDP after all. If you're using 6514, this may not work for you.
- Geoff
Nimbostratus
I am actually still having this problem. Without the SNAT, ACI is learning the sending hosts on the LTM ports in ACI, causing the ACI database to refresh and marking the real one down. Trying to figure this one out.