Technical Forum
Ask questions. Discover Answers.
cancel
Showing results for 
Search instead for 
Did you mean: 

F5 VIP listens on udp port 514 and forwards to all servers in pool

Jeff_Wise
Nimbostratus
Nimbostratus

Need to configure a VIP to receive syslog messages on udp 514 and then forward to all 3 servers in pool.

 

6 REPLIES 6

Rico
Cirrus
Cirrus

You can configure a UDP VIP just like you would a TCP VIP. The only change needed is to change the protocol profile to UDP. The magic of BIG-IP will take care of the rest!

 

DennisJann
Nimbostratus
Nimbostratus

I had a similar requirement and came across this answer to use High-Speed Logging:

 

https://devcentral.f5.com/questions/is-there-a-way-for-a-single-request-to-be-received-by-all-pool-m...

 

I wound up creating three pools (e.g., syslog_514_pool1, syslog_514_pool2, syslog_514_pool3), each containing a single syslog server.

 

Then created the following iRule to duplicate the traffic.

 

ltm rule syslog_message_duplication_rule { when CLIENT_ACCEPTED { set syslog_pool1 [HSL::open -proto UDP -pool syslog_514_pool1] set syslog_pool2 [HSL::open -proto UDP -pool syslog_514_pool2] set syslog_pool3 [HSL::open -proto UDP -pool syslog_514_pool3] } when CLIENT_DATA { HSL::send $syslog_pool1 [UDP::payload] HSL::send $syslog_pool2 [UDP::payload] HSL::send $syslog_pool3 [UDP::payload] } }

Apply the iRule to your port 514 UDP VIP.

 

ltm virtual vs_syslog_514 { destination 10.1.2.3:514 ip-protocol udp mask 255.255.255.255 profiles { udp { } } rules { syslog_message_duplication_rule } source 0.0.0.0/0 translate-address enabled translate-port enabled }

We've been using the above configuration in production for about 6 months and the team that manages syslog services has been satisfied with the solution.

 

Alternately, you could take a look at this iApp:

 

https://devcentral.f5.com/codeshare/udp-tcp-packet-duplication

 

AndreasWall
Nimbostratus
Nimbostratus

I have the same scenario and I like the simplicity in the suggested solution. I on the other hand have netflow that I want to duplicate to two different flow collectors.

I tested it and packets are duplicated towards the two destinations but the source address is set to the self IP of the F5.

I tried adding snat under the CLIENT_ACCEPTED section and setting it to the client source address but it did not make any difference.

Is there a way to preserve the source IP address when using HSL::open/HSL::send?

 

Yesterday I found out that HSL::send will use the self ip of the outgoing interface. Using the snat command will make no difference.

HSL sends logs from TMM, unlike native syslog-ng which uses mgmt. To get the mgmt, i think you have to create a static route table.

webguy96
Nimbostratus
Nimbostratus

You could simplify this even a bit further by placing all (3) pool members into a single pool and switching from the default distribution of 'adaptive' to 'replicated' for your Log Publisher Destination combined with following iRule.

 

when CLIENT_ACCEPTED {

  set hsl [HSL::open -publisher /Common/syslog_publisher]

}

when CLIENT_DATA {

  HSL::send $hsl "[UDP::payload]"

}