For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

GeneUWG_150657's avatar
GeneUWG_150657
Icon for Nimbostratus rankNimbostratus
Jul 22, 2015

Routing udp syslog through F5 LTM without losing source IP

I am trying to figure out how to route udp syslog messages through my F5's without it modifying the source IP. I can get the messages through when I setup a "Standard" virtual server with Auto Map enabled but that changes the IP. No other setting I have tried actually lets the message get to the backend nodes. Any help would be greatly appreciated.

 

FWIW, the use case here is this:

 

(udp syslog from switches) -> LTM -> (pool of Logstash servers) -> Redis -> (Logstash indexer) -> Elasticsearch

 

The reason for the LTM is both HA and load balancing. The LTM is in an active / standby pair and there are multiple Logstash servers in the pool. This gives me both reliability and performance.

 

application delivery
design
LTM
rsyslog
syslog
syslog-ng

3 Replies

  • Simon_Blakely's avatar
    Simon_Blakely
    Icon for Employee rankEmployee
    Nov 20, 2017

    I am having an issue understanding why UDP syslog packets are requiring SNAT - there is no reply packet for syslog, so nothing need to go back to the LTM/client.

     

    Is there a firewall that is blocking packets that do not have the appropriate source address (i.e. an LTM address)?

     

    Maybe you need a packet capture to see where the packets are going once they leave the LTM.

     

  • kridsana's avatar
    kridsana
    Icon for Cirrocumulus rankCirrocumulus
    Jul 23, 2015

    I'm not sure about UDP.

     

    but Can logstash server have F5 as default gateway? So you don't need to enable snat automap.