Forum Discussion

djzoidberg's avatar
djzoidberg
Icon for Nimbostratus rankNimbostratus
Mar 17, 2021

UDP packet duplication and send them to 2 different pools

Hello everyone,

I have a VIP that is receiving all syslogs of a customer's firewalls. (more or less 350 devices)

The customer needs to send the same an exact copy of each message to another pool.

[SYSLOG MESSAGE]--[POOL 1]--[MEMBER 1 A]
        |                 |-[MEMBER 2 A]
        |                 '-[MEMBER 3 A]
        |
[CLONED MESSAGE]--[POOL 2]--[MEMBER 1 B]
                          '-[MEMBER 2 B]

Do you have some suggestion to obtain this behaviour?

Thanks in advance,

Regards.

EDIT 1

I've tested HSL but it is starting each connection from TMM and it is not possible change the source IP address preserving the original IP.

when CLIENT_ACCEPTED {
    set syslog_pool1 [HSL::open -proto UDP -pool pool_1]
    set syslog_pool2 [HSL::open -proto UDP -pool pool_2]
}
when CLIENT_DATA {
    HSL::send $syslog_pool1 [UDP::payload]
    HSL::send $syslog_pool2 [UDP::payload]
}

5 Replies

    • djzoidberg's avatar
      djzoidberg
      Icon for Nimbostratus rankNimbostratus

      Hello Daniel,

      thank you for answering.

       

      I think that, it is not the right way. Clone pools change the destination mac address and not the destination IP address. Other then that, I have also to balance the traffic on the second pool.

      • Nikoolayy1's avatar
        Nikoolayy1
        Icon for MVP rankMVP

        I also think that clone pools that Daniel says is the option that should be tested. You can also check using iRules to do the same with clone pools command https://clouddocs.f5.com/api/irules/clone.html . You can also check this article for SPAN mirroring https://techdocs.f5.com/en-us/bigip-14-0-0/big-ip-system-passive-monitoring-14-0-0/configuring-the-big-ip-system-for-passive-monitoring.html .

  • These steps might help. I have not validated the client-ip replace logic but can tell you send raw [UDP::payload] works fine in our testing.

    Be sure to match up whatever you decide to use for your Log Publisher name to the reference within the iRule.

     

    1) Create a single pool containing all members that need the duplicated syslog data

    Ex: syslog_pool

    Members:

    10.10.0.100:514

    10.10.0.101:514

    2) Create a new HSL Log Destination

    a) Select your pool from step 1

    b) Select 'UDP' for the protocol

    c) Change distribution type from 'adaptive' to 'replicated'

     

    3) Create a new HSL Log Publisher entitled 'syslog_publisher'

    a) Select the HSL Log Destination from step 2

     

    4) Create a new iRule that will handle the inbound traffic

    when CLIENT_ACCEPTED {

    set payloadLength [UDP::payload length]

    set address [IP::client_addr]

    set addressLength [ string length $address ]

       set hsl [HSL::open -publisher /Common/syslog_publisher]

    }

    when CLIENT_DATA {

       HSL::send $hsl "UDP::payload replace $payloadLength $addressLength $address"

    }

    5) Create a standard virtual server

    a) Assign the appropriate IP and Service Port

    b) Select UDP Protocol

    c) Select UDP Profile

    d) Assign the iRule from step 4

    • steve_michaels's avatar
      steve_michaels
      Icon for Cirrus rankCirrus

      Hi webguy96 we are working with this iRule and we see the raw payload and syslog mesage payload correctly, We want the message format to be syslog format so we used a secondary log destination on the F5 to specify that format. When we do that we are not seeing the original client_Ip address in the mesage sent to our syslog server. Instead we see the F5 self_ip address as the host field. See below. We want to see the data in syslog format as spec in rfc 5424,

      Here is the iRule:

      when CLIENT_ACCEPTED {

      set payloadLength [UDP::payload length]

      set address [IP::client_addr]

      set addressLength [ string length $address ]

      set hsl [HSL::open -publisher /Common/syslog_publisherdup]

      set payloadraw [UDP::payload]

      }

      when CLIENT_DATA {

      HSL::send $hsl "$payloadraw $address"

      }

       

      And here is the what see on our syslog server:

      {
        "message": "<5>Nov 10 11:25:17 uid: test6514 10.1.1.1",
        "severity": 6,
        "facility": 16,
        "host": "f5management.jhuapl.edu",
        "appname": "tmm",
        "procid": "18524",
        "structuredData": "[F5@12276]",
        "severityName": "info",
        "facilityName": "local0",
        "_time": 1668097517.735,
        "_raw": "<134>1 2022-11-10T11:25:17.735353-05:00 f5management.jhuapl.edu tmm 18524 - [F5@12276] <5>Nov 10 11:25:17 uid: test6514 10.1.1.1"
      }