Forum Discussion
Query on source IP preservation for syslog traffic through F5 virtual server
Hi All,
We have an F5 virtual server that load balances Syslog traffic (UDP/514) to multiple log collectors.
We are considering enabling SNAT Automap on the virtual server, but we still need the Splunk collectors to see the original source IP address of the devices sending the logs.
Since this is UDP Syslog traffic and not HTTP/HTTPS, X-Forwarded-For is not an option.
Has anyone implemented a solution where SNAT is enabled on F5 but the backend SIEM servers can still identify the actual client IP? Any suggestions or best practices would be appreciated.
Thanks.
3 Replies
Hii
how r u?
In simple word, you can´t.If you used SNAT, the F5 device replace the with self-ip or SNAT address configurated.
But, why razon you need used SNAT? Asymmetric traffic in your network? I need more context of your problem.
I'll be waiting to help with the solution.
- yadvendra
Nimbostratus
Hello Jose, Thanks for your reply..
We are considering enabling SNAT Automap because, with SNAT disabled, ACI is seeing the same source IP from multiple locations and marking some endpoints as rogue. Original interface where the sender is present and again the interface where F5 is connected
Hi yadvendra,
Setting the SNAT option to “none” may be helpful. Since UDP syslog is unidirectional, logs can usually reach the SIEM without SNAT, provided that the SIEM does not send a response.
Another option: If the devices sending logs include their own IP addresses in the log by adding them as the “source” parameter, this parameter can be evaluated during the parsing process on the SIEM side.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com