Forum Discussion

Subrun's avatar
Icon for Cirrostratus rankCirrostratus
Feb 26, 2020

SysLog UDP Load Balancing



1st of all I require some guideline/suggestion here. I am configuring a Virtual Server from F5 listening on 514 and translating port to 8514 at backend servers. Idea is Systems will send the syslog through this F5 and F5 VIP will eventually send logs to Backend Syslog Connectors.


Traffic Flow is like below


Client >> F5 VIP_IP [] ( Service Port 514 ) ( UDP Profile with FastL4 Profile ) -- >> Backend Syslog Connector, 7 on 8514 Port.


Clearly to specify VIP IP and Backend IP are in the same subnet hence I do not need to enable SNAT. Also I was thinking if I enable SNAT at backend how do they identify actually who send the Log. What is the Guideline for this to make sure Syslog can see actual source and Syslog Servers follow return traffic through F5 ?. ( Note that Servers gateway are at Network Device not in F5 )


Also if I set monitor TCP or Gateway ICMP Pool Goes Down. Pool is live only if I set Monitor as UDP. Why is that ?


How I should check that UDP Traffic is load balanced. But this is less important as I need to be sure about the Traffic Flow.


Please advise.



Below is the Virtual Server Config


tmsh list ltm virtual Virtual_Server all-properties

[api-status-warning] ltm/virtual, properties : deprecated : mobile-app-tunnel, urldb-feed-policy


ltm virtual Virtual_Server {

  address-status yes

  app-service none

  auth none

  auto-lasthop default

  bwc-policy none

  clone-pools none

  cmp-enabled yes

  connection-limit 0

  creation-time 2020-02-25:18:47:05

  description "Supports Syslog"



  fallback-persistence none

  flow-eviction-policy none

  gtm-score 0

  ip-protocol udp

  last-hop-pool none

  last-modified-time 2020-02-25:20:04:58


  metadata none

  mirror disabled

  mobile-app-tunnel disabled

  nat64 disabled

  partition Common

  per-flow-request-access-policy none

  persist none

  policies none

  pool SYSLOG_Pool

  profiles {

    fastL4 {

      context all



  rate-class none

  rate-limit disabled

  rate-limit-dst-mask 0

  rate-limit-mode object

  rate-limit-src-mask 0

  related-rules none

  rules none

  security-log-profiles none

  service-down-immediate-action none

  service-policy none


  source-address-translation {

    pool none

    type none


  source-port preserve

  syn-cookie-status not-activated

  traffic-classes none

  traffic-matching-criteria none

  translate-address enabled

  translate-port enabled

  transparent-nexthop none

  urldb-feed-policy none

  vlans {




  vs-index 97








8 Replies

  • You're setup is essentially one-armed LB. You must have a SNAT enabled so that traffic returns through BIG-IP; the SYSLOG messages should be in the UDP payload anyway, so I don't think there would be a problem using SNAT.


    Regarding your monitors, yes SYSLOG can also work over TCP 514 but is your server listening on TCP as well as UDP? Either way, I would suggest it makes more sense to have a UDP monitor in this case. Not that I like UDP monitors, but you might need to use it along with a secondary monitor (it's only UDP!). If you can ping or telnet to your servers from F5, then TCP and ICMP should work. Not sure why you want to use gateway_icmp as opposed to just ICMP.


    A quick google, brings up this article:


    To check the LB of your pool, look at the stats.

  • Having F5 VIP and backend server in same subnet does not mean SNAT is not required. If you do not want to enable SNAT, your syslog server default gateway should be F5 so it will complete the session. Else you must have SNAT enabled to complete session.


    Hope it helps!



  • Subrun's avatar
    Icon for Cirrostratus rankCirrostratus

    Thank You Both of you for reply.


    But Look like SysLog team is not able to get the Actual Source from Syslog Payload. So from F5 side what I can do while this is also not possible to set the Gateway of Backend Servers to F5 rather than now at L3 Network Firewall ?

  •   Then you can configure X-Forwarder-For under http profile. So F5 will add client IP under http header and send it to syslog server. So syslog will be able see source IP address with SNAT enabled on F5.

    But there is configuration to be done on syslog/server end too in order to extract http header.


    Ref link -



  • Subrun's avatar
    Icon for Cirrostratus rankCirrostratus

    Hello Mayur,


    If You see attached image there is no HTTP Profile as this is a Performance Layer 4 VIP and Service Port is listening on 514 UDP Port. Hence it does not allow me to set that ( X-Forwarded ) option from HTTP Profile.


    • danmassa7's avatar
      Icon for Nimbostratus rankNimbostratus

      We are also standing up a VIP to receive UDP syslog traffic on 514.  We then want to send it to a cluster of back-end LogStash servers on UDP port 6008.

      Since UDP syslog is unacknowledged uni-directional traffic it seems we don't need to setup an SNAT.   Without the SNAT the packet with its original src addr will arrive at the LogStash servers.

      Does that sound fine?  That's what we were planning, but have not put it in place yet.