Syslog traffic needs to be sent to ArcSight ESM via a clone pool (duplicate); the source IP is not preserved when the duplicate syslog messages are sent to ArcSight
Hi, we have configured a syslog VIP for both the UDP and TCP ports. There are two backend syslog servers, and the configuration is working perfectly on the syslog VIP; we have disabled SNAT so that the syslog servers can see the original client IP. Now a requirement has come up to duplicate the syslog messages to ArcSight ESM, so we have set up the ArcSight IP as a clone pool and applied an iRule to clone the syslog traffic to the ArcSight console. The iRule is working fine, but the problem we are facing is preserving the original client IP in the syslog message by the time it reaches the ArcSight console: we see that all the logs are sourced from the F5 interface IP, and ArcSight is not able to reverse-engineer the original source. We do, however, see the source IP on the syslog servers.
Any idea or help will be greatly appreciated.
Thanks,
- Jason_Adams (Employee)
Thanks to hoolio (here), we were able to use the following iRule to achieve the desired functionality through the use of Sideband Connections:
```tcl
when CLIENT_ACCEPTED {
    set clientaddr [IP::client_addr]
    if { [class match $clientaddr equals log_clone_address_list_updated] } {
        # Open a sideband UDP connection to the clone syslog destination,
        # using the original client address as the local (source) address
        if { [catch { connect -protocol UDP -myaddr $clientaddr 10.220.20.14:514 } conn_id] == 0 && $conn_id ne "" } {
            # Save the UDP payload data to send
            set data "[UDP::payload]"
            # Send the data with a 5 ms timeout on the connection identifier returned by connect
            set send_bytes [send -timeout 5 -status send_status $conn_id $data]
            # Log the number of bytes sent and the send status
            log local0. "Sent $send_bytes with status $send_status"
        }
    } else {
        log local0. "$clientaddr: log data NOT cloned"
    }
}
```
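The way to confirm that the sideband clone above actually preserves the client address is to look at what arrives at the ArcSight side: the UDP source address of each datagram versus the hostname field in the BSD syslog header. The following Python script is an added example, not code from the thread or from F5; it parses RFC 3164 headers, flags datagrams whose UDP source is one of the load balancer's self IPs (the symptom described in the question), and reports whether the header host agrees with the network source. The sample datagrams, the self-IP list (`LB_SELF_IPS`) and the collector bind address are constructed for the example.

```python
import re
import socket
from typing import Iterable, List, Optional, Tuple

# Constructed for this example: F5 self IPs that should NOT appear as the
# source of cloned syslog datagrams once -myaddr is in effect.
LB_SELF_IPS = {"10.220.20.1"}

# BSD syslog (RFC 3164) header: <PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG
_HEADER = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<rest>.*)$",
    re.DOTALL,
)


def parse_header(payload: bytes) -> Optional[dict]:
    """Split a BSD syslog datagram into facility, severity, host and the rest.
    Returns None when the datagram does not carry a parseable header."""
    m = _HEADER.match(payload.decode("utf-8", "replace"))
    if not m:
        return None
    pri = int(m.group("pri"))
    return {
        "facility": pri // 8,
        "severity": pri % 8,
        "host": m.group("host"),
        "rest": m.group("rest"),
    }


def audit(datagrams: Iterable[Tuple[str, bytes]], lb_self_ips=LB_SELF_IPS) -> List[dict]:
    """For each (udp_source_ip, payload) pair, record whether the datagram
    came from the load balancer itself and whether the header host matches
    the network source. A mismatch or an LB source means the clone is not
    preserving the original client address."""
    results = []
    for src_ip, payload in datagrams:
        hdr = parse_header(payload)
        host = hdr["host"] if hdr else None
        results.append({
            "src_ip": src_ip,
            "host": host,
            "parsed": hdr is not None,
            "from_lb": src_ip in lb_self_ips,
            # Only compare when the header host is literally an IP address;
            # many senders put a hostname there instead.
            "host_matches_source": (host == src_ip) if host else False,
        })
    return results


def summarize(results: List[dict]) -> dict:
    """Count how many datagrams still arrive from the LB's own address."""
    return {
        "total": len(results),
        "from_lb": sum(r["from_lb"] for r in results),
        "unparsed": sum(not r["parsed"] for r in results),
    }


def receive(bind_addr: str = "0.0.0.0", port: int = 5514, count: int = 10):
    """Capture `count` live datagrams on a test collector port (not run by
    the test; constructed usage for a lab)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.bind((bind_addr, port))
        got = []
        while len(got) < count:
            data, (ip, _) = s.recvfrom(65535)
            got.append((ip, data))
        return got


# Constructed sample datagrams: two preserved, one still sourced by the LB.
SAMPLE = [
    ("10.1.1.5", b"<34>Oct 11 22:14:15 10.1.1.5 sshd[123]: Accepted publickey for ops"),
    ("10.1.1.7", b"<13>Oct 11 22:14:16 10.1.1.7 app: started"),
    ("10.220.20.1", b"<13>Oct 11 22:14:17 10.1.1.9 app: cloned without -myaddr"),
]

if __name__ == "__main__":
    for r in audit(SAMPLE):
        print(r)
    print(summarize(audit(SAMPLE)))
```

Run it against the constructed sample as-is, or point `receive()` at a spare port on the ArcSight host to audit live traffic. Any result with `from_lb` set to true means the datagram still carries the F5 self IP, which is exactly what the question reports before the `-myaddr` sideband iRule was applied.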