For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

Kevin_Nail's avatar
Kevin_Nail
Icon for Nimbostratus rankNimbostratus
Sep 17, 2007

syslog-ng and centralized logging

We are trying to find a way to send syslog from the servers behind bigip to a central log server and distinguish what host the message came from. Is there any way to do this?     Will creating ...
config
design
Deb_Allen_18's avatar
Deb_Allen_18
Historic F5 Account
Oct 04, 2007
No, I don't think that will work.

 

 

The syslog server and the clients initiating the connections to it (the LB servers) will be on opposite sides of the LTM, so you have to build a path through it.

 

 

Address translation on the virtual server refers to destination address translation, not source address translation. SNAT refers to one method of source address translation.

 

 

The default SNAT you already have configured will apply unless the traffic traverses a VS with SNAT disabled, and the goal here was to prevent client address translation.

 

 

To disable SNAT, you need a Standard Virtual Server rather than a forwarding one -- you can't disable SNAT on a forwarding virtual server (except with an iRule).

 

 

The virtual server must be configured to handle outbound traffic from the LB servers to the syslog server: That's why it's enabled on the server-facing vlan with an address on that subnet.

 

 

I mis-stated the requirement for address translation in my previous post (corrected now): You would need to leave address translation enabled so the traffic goes to the real remote syslog server address when it leaves LTM.