UDP Syslog Monitor

Question

I am trying to think of an easy way to monitor the health of ArcSight Collectors listening for UDP Syslog. We have a very high volume syslog environment and want to institute load balancing of the collectors to allow the environment to scale better and to be centralized. We are using a stateless n-path setup as described in the DNS Traffic Management using the BIG-IP Local Traffic Manager white paper (http://www.f5.com/pdf/deployment-gu...ing-dg.pdf). With DNS you can create a nice clean little UDP monitor since you are expecting a response to your query, but in the case of syslog, you get nothing in response.&nbsp;
One thought was to just create an external monitor and query the collectors using SNMP and check the status of various services, but this may miss something if we are not looking at everything. Anyone out there doing something similar or have any novel ideas?&nbsp;
Thanks --Mike&nbsp;
 &nbsp;

hamish · Answer

If you enable tcp syslog (syslog-ng) you can send the logs via a tcp connection rather than a fire &amp; forget UDP message. Does the ArcSight collector have a tcp option? 
&nbsp;  
&nbsp; If you really need UDP then you probably need to combine an ICMP query with a UDP message... ICMP checks the box is up/down. Then the UDP will get nothing back IF the syslog receiver is listening, and SHOULD receive an ICMP port closed message if nothing is listening but the server is up. I'm not sure if a UDP monitor looks for the ICMP coming back if nothing is listening... It might, but I haven't checked. if it doesn't you'll need to do this as an external monitor. 
&nbsp;  
&nbsp; H

steven_j__willi · Answer

Did you ever figure this out? I am up against the same challenge at this point with monitoring RADIUS servers. &nbsp;

Forum Discussion

UDP Syslog Monitor

2 Replies

Recent Discussions

Help with URL Masking

Import PKCS 12 SSL to Device Certificate via API/Script or CLI on BIG-IP

F5 iRule to replace host to path

Chrome V 124+ on MacOS - Virtual Server Access Issue

F5 Rseries R2600 Tenant sizing

Related Content

UDP Datagram LB

BIGIP unable to send tcp/udp packets to syslog servers

UDP TCP Packet Duplication

Tcp syslog

Custom Header Monitor UDP