For more information regarding the security incident at F5, the actions we are taking to address it, and our ongoing efforts to protect our customers, click here.

Forum Discussion

djzoidberg's avatar
djzoidberg
Icon for Nimbostratus rankNimbostratus
Mar 17, 2021

UDP packet duplication and send them to 2 different pools

Hello everyone, I have a VIP that is receiving all syslogs of a customer's firewalls. (more or less 350 devices) The customer needs to send the same an exact copy of each message to another pool. ...
application delivery
BIG-IP
LTM
webguy96's avatar
webguy96
Icon for Nimbostratus rankNimbostratus
May 25, 2021

These steps might help. I have not validated the client-ip replace logic but can tell you send raw [UDP::payload] works fine in our testing.

Be sure to match up whatever you decide to use for your Log Publisher name to the reference within the iRule.

 

1) Create a single pool containing all members that need the duplicated syslog data

Ex: syslog_pool

Members:

10.10.0.100:514

10.10.0.101:514

2) Create a new HSL Log Destination

a) Select your pool from step 1

b) Select 'UDP' for the protocol

c) Change distribution type from 'adaptive' to 'replicated'

 

3) Create a new HSL Log Publisher entitled 'syslog_publisher'

a) Select the HSL Log Destination from step 2

 

4) Create a new iRule that will handle the inbound traffic

when CLIENT_ACCEPTED {

set payloadLength [UDP::payload length]

set address [IP::client_addr]

set addressLength [ string length $address ]

   set hsl [HSL::open -publisher /Common/syslog_publisher]

}

when CLIENT_DATA {

   HSL::send $hsl "UDP::payload replace $payloadLength $addressLength $address"

}

5) Create a standard virtual server

a) Assign the appropriate IP and Service Port

b) Select UDP Protocol

c) Select UDP Profile

d) Assign the iRule from step 4

steve_michaels's avatar
steve_michaels
Icon for Cirrus rankCirrus
Nov 10, 2022

Hi webguy96 we are working with this iRule and we see the raw payload and syslog mesage payload correctly, We want the message format to be syslog format so we used a secondary log destination on the F5 to specify that format. When we do that we are not seeing the original client_Ip address in the mesage sent to our syslog server. Instead we see the F5 self_ip address as the host field. See below. We want to see the data in syslog format as spec in rfc 5424,

Here is the iRule:

when CLIENT_ACCEPTED {

set payloadLength [UDP::payload length]

set address [IP::client_addr]

set addressLength [ string length $address ]

set hsl [HSL::open -publisher /Common/syslog_publisherdup]

set payloadraw [UDP::payload]

}

when CLIENT_DATA {

HSL::send $hsl "$payloadraw $address"

}

 

And here is the what see on our syslog server:

{
  "message": "<5>Nov 10 11:25:17 uid: test6514 10.1.1.1",
  "severity": 6,
  "facility": 16,
  "host": "f5management.jhuapl.edu",
  "appname": "tmm",
  "procid": "18524",
  "structuredData": "[F5@12276]",
  "severityName": "info",
  "facilityName": "local0",
  "_time": 1668097517.735,
  "_raw": "<134>1 2022-11-10T11:25:17.735353-05:00 f5management.jhuapl.edu tmm 18524 - [F5@12276] <5>Nov 10 11:25:17 uid: test6514 10.1.1.1"
}