Forum Discussion
Syslog virtual server
- Aug 18, 2025
Hello nurairtt91
To resolve your RPF issue, you'll need to enable SNAT on the F5 virtual server while preserving the original source IP within the syslog payload itself.
This requires your syslog collector to be capable of extracting the source IP from the message content rather than relying on packet headers.
The optimal solution would be configuring your devices to include their own IP addresses directly in the log messages.
However, if this isn't feasible, you can implement payload manipulation on the F5 using an iRule to inject the original source IP into each syslog message before forwarding to the collector.
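You can try this iRule:

    when CLIENT_ACCEPTED {
        # Save the real client address before SNAT replaces it
        set original_source [IP::client_addr]
        # Start collecting client data so that CLIENT_DATA fires
        TCP::collect
    }
    when CLIENT_DATA {
        # Syslog flows client to server, so rewrite the client-side payload
        set syslog_data [TCP::payload]
        set modified_data "OriginalIP:$original_source $syslog_data"
        TCP::payload replace 0 [TCP::payload length] $modified_data
        TCP::release
        # Collect again for later data on the same connection
        TCP::collect
    }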
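
Added example, not part of the original post: a collector-side sketch that recovers the source from the `OriginalIP:` tag the iRule above writes, honoring it only on connections arriving from the BIG-IP and pinning it to the first bytes of the connection so that a tag appearing later in sender-controlled text cannot change the attributed source. The class name `TaggedStream`, the SNAT address `10.0.0.5` and newline-framed syslog over TCP are assumptions.

```python
import ipaddress

# Assumed values: SNAT address(es) the BIG-IP uses toward the collector (constructed).
TRUSTED_SNAT = {ipaddress.ip_address("10.0.0.5")}
TAG = "OriginalIP:"  # prefix written by the iRule on this page


class TaggedStream:
    """Parser state for one TCP connection (newline-framed syslog assumed)."""

    def __init__(self, peer_ip):
        self.peer = ipaddress.ip_address(peer_ip)
        self.trusted = self.peer in TRUSTED_SNAT
        self.pinned = None  # full tag text, fixed by the first bytes of the connection
        self.source = str(self.peer)
        self.buf = b""
        self.first = True

    def _pin(self, text):
        """Accept a tag only at the very start of a trusted connection."""
        if not (self.trusted and text.startswith(TAG)):
            return
        claimed = text[len(TAG):].partition(" ")[0]
        try:
            self.source = str(ipaddress.ip_address(claimed))
        except ValueError:
            return  # malformed tag: keep the packet source
        self.pinned = f"{TAG}{claimed} "

    def feed(self, data):
        """Return (source_ip, message) for every complete line in data."""
        self.buf += data
        *lines, self.buf = self.buf.split(b"\n")
        out = []
        for raw in lines:
            text = raw.decode("utf-8", errors="replace")
            if self.first:
                self._pin(text)
                self.first = False
            if self.pinned:
                # The iRule tags every collected chunk, so the same tag can
                # recur at a line start or mid-line; other tags stay as content.
                text = text.replace(self.pinned, "")
            if text:
                out.append((self.source, text))
        return out
```

Create one `TaggedStream` per accepted connection and pass each `recv()` result to `feed()`; lines that arrive without a tag inherit the source pinned for that connection.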