Forum Discussion

Mist

Jun 23, 2026

Query on source IP preservation for syslog traffic through F5 virtual server

Hi All,

We have an F5 virtual server that load balances Syslog traffic (UDP/514) to multiple log collectors.

We are considering enabling SNAT Automap on the virtual server, but we still need the Splunk collectors to see the original source IP address of the devices sending the logs.

Since this is UDP Syslog traffic and not HTTP/HTTPS, X-Forwarded-For is not an option.

Has anyone implemented a solution where SNAT is enabled on F5 but the backend SIEM servers can still identify the actual client IP? Any suggestions or best practices would be appreciated.

Thanks.

No RepliesBe the first to reply

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

GitHub Awesome-F5

Forum Discussion

Query on source IP preservation for syslog traffic through F5 virtual server

SSO Login Update Coming to DevCentral

Kevin - June 2026 Featured F5er

Tyler - May 2026 Featured Member

Recent Discussions

simultaneous disabling / enabling of all LTM objects

rSeries: config changes in logs

qkview: revealing pool members & pools

Query on source IP preservation for syslog traffic through F5 virtual server

F5 VE WAF FINE TUNING

Related Content

F5 Container Ingress Services (CIS) and using k8s traffic policies to send traffic directly to pods

HTTP POST redirect preserving POST data

F5 Distributed Cloud - Traffic Steering based on Client IP Address

Intent-Based Load Balancing for AI Traffic on BIG-IP

F5 BIG-IP PEM telling the Service Provider's traffic story

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS