Forum Discussion

Mitch_Maxwell_M's avatar
Mitch_Maxwell_M
Icon for Nimbostratus rankNimbostratus
May 11, 2017

Syslog and TCP

Working on an environment where a VIP was set up for asyslog environment. Syslog collection was receiving a very high volume of logs (over 200k per second).

 

The original setup was a stateless UDP VIP that did a very nice job of balancing the load across pools of servers (50).

 

Decision was made to move syslog to TCP to avoid losing syslog messages in transit. Now the behavior is an imbalance among the servers both from tcp connections (the servers typically keep a tcp connection open, so traffic doesn’t balance quickly to new servers), as well as some sending clients will send much higher volume of logs than others.

 

Is there a different VIP type that would better balance the traffic? Any other thoughts to get a better balance on a per-message basis while using TCP?

 

  • Did you try load balance with MBLB profile and iRule? Don't know if it will fully work in this case, but, I would try this approach.

     

  • ralphw's avatar
    ralphw
    Icon for Nimbostratus rankNimbostratus

    I'm looking for a solution to this as well.  We need to be able to use the F5 as a load balancer for TCP Syslog, as some sources are very chatty, and overwhelm the connection that persists to a single server.

    We would prefer that traffic be load balanced across the pool members, round-robin style, for each syslog packet.

    1) Can the F5 determine when a syslog packet ends?

    2) If #1 is true, then we need to be able to send 33% of the Syslog packets to each of the three pool members?

    We can do iRules, but we need to be able to handle 300,000 EPS, during our busy hours.