Forum Discussion

jitu's avatar
jitu
Icon for Nimbostratus rankNimbostratus
Jul 17, 2017

Syslog traffic need to send ArcSight ESM as clone pool (Duplicate), Source IP is not preserve when sending duplicate syslog message to Arcsight

Hi, We have configured Syslog VIP for both UDP and TCP port, there are 2 Backend syslog Servers and configuration is perfectly working in Syslog VIP, we have disable SNAT so that Syslog servers can s...
application delivery
iRules
LTM
Jason_Adams's avatar
Jason_Adams
Ret. Employee
Jul 17, 2017

Thanks to hoolio (here), we were able to use the following iRule to achieve the desired functionality through the use of Sideband Connections:

when CLIENT_ACCEPTED {
    set clientaddr [IP::client_addr]

      
    if { ([class match $clientaddr equals log_clone_address_list_updated]) } {

         Open a sideband connection with the clone syslog pool
        if {[catch { connect -protocol UDP -myaddr $clientaddr 10.220.20.14:514 } conn_id ] == 0 && $conn_id ne ""} {

             Save UDP Payload data to send
            set data "[UDP::payload]"

             Send the data with a 2ms timeout on the connection identifier received from the connect command
            set send_bytes [send -timeout 5 -status send_status $conn_id $data]

             Log the number of bytes sent and the send status
            log local0. "Sent $send_bytes with status $send_status"
        }
    }
    else {
         log local0. "$clientaddr: log data NOT cloned"
    }
}