Forum Discussion
Actually I don't like the previous answers because they force you to use the F5 as the default gateway, which forces you to waste precious packets per second pushing patches and management traffic through the F5. Not to mention the rules you would have to open for monitoring the back-end servers, since they would be using the F5 as the default gateway.
A better option would be for the F5 to replace the host field in the original syslog message with the source IP of the packet like Syslog-NG does. Another option would be for it to add text to the original syslog message text such as "Original IP=" like Kiwi Syslog does when it relays syslog messages to multiple servers for storage.
There are also custom options mentioned in the various how-tos for standard Unix/Linux rsyslog, but I have not dug into them just yet.
As you can tell, we are also looking to perform this function using F5. I am just learning F5, coming from Cisco ACE. If I find that this feature exists I will try to update this thread.
In this solution the F5 is not the default gateway; it is one-arm and using SNAT. Since UDP syslog is not stateful, we don't have to worry about any response traffic coming back through the BIG-IP, so this allows us to SNAT the traffic with the client IP address and forward it on to the syslog server. The server sees the source address of the client and still uses whatever gateway it has configured (not the BIG-IP). No other traffic would need to traverse the BIG-IP. This is actually much faster and less resource intensive than what you've described above, a syslog proxy. If you function as a full syslog proxy you are wasting resources rewriting every payload.
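As an added example (not posted by anyone in this thread), here is what the one-arm setup from the reply above looks like in bigip.conf / tmsh form, followed by the payload-tagging alternative the earlier reply asks about, written as an iRule. The addresses, object names and the "Original IP=" placement are assumptions for illustration; the iRule appends the tag to the end of each datagram rather than reproducing Kiwi's exact format.

```tmsh
# Added example, not from the thread. Assumed addresses:
#   10.0.0.100  virtual server address the hosts send syslog to
#   10.0.1.20   real syslog server (pool member)
ltm pool pool_syslog_udp {
    members {
        10.0.1.20:514 {
            address 10.0.1.20
        }
    }
}

# One-arm relay that preserves the sender's source IP. "type none" means no
# SNAT: the syslog server sees the originating host's address and replies
# (none for UDP syslog) would never need to come back through the BIG-IP.
ltm virtual vs_syslog_udp {
    destination 10.0.0.100:514
    ip-protocol udp
    mask 255.255.255.255
    pool pool_syslog_udp
    profiles {
        udp { }
    }
    source-address-translation {
        type none
    }
    translate-address enabled
    translate-port enabled
}

# Alternative for a virtual that must SNAT (e.g. "type automap"): tag each
# datagram with the original sender, Kiwi-style. Attach with
#   rules { rule_syslog_tag_origin }
# on the virtual. UDP::collect / UDP::release are required so CLIENT_DATA
# fires per datagram. This is the per-message payload rewrite that the
# one-arm, no-SNAT virtual above avoids.
ltm rule rule_syslog_tag_origin {
when CLIENT_ACCEPTED {
    UDP::collect
}
when CLIENT_DATA {
    set msg [UDP::payload]
    UDP::payload replace 0 [UDP::payload length] "$msg Original IP=[IP::client_addr]"
    UDP::release
}
}
```

The no-SNAT virtual only works because UDP syslog is fire-and-forget: with the server's default gateway pointing elsewhere, any reply would bypass the BIG-IP, so the same configuration would break TCP syslog (the handshake needs a symmetric return path) and would need SNAT, and therefore the tagging iRule, instead. Preserving the source address also keeps any per-host filtering or rate limiting on the syslog server working unchanged, since every message still arrives from the host that sent it rather than from one BIG-IP address.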