Need help for Splunk
Hi Team,
Currently we are facing some issues regarding the following scenario.
Customer has given the requirement as follows:
9 VIPs to be created to load balance syslog traffic (UDP 514). The pool members are listening on UDP and TCP. UDP will be used to receive syslog traffic, and TCP will be used for the load balancer to monitor the pool member. In the event a pool member stops responding on the appropriate TCP port that pool member must be marked down.
Example of one VIP:
VIP1
Name: VS_abcd_ids_udp514
Address: w.x.y.z
Mask: 255.255.255.255
Service Port: UDP 514
SNAT Pool: None
Profile: UDP
Pool
Name: Pool_abcd_ids_2514
Member1: w.x.y.z:2514
Member2: w.x.y.z:2514
Monitor TCP 2514
After implementation we observed as follows:
At first we observed the following: on the Splunk server, the user was seeing the response as coming from the F5 self IPs. The message is something like this: F5 "self ip:default send string". After another test, the requestor said he is not seeing the message. However, he wants to see 2 things on his Splunk server.
1. The source IPs from where the logs are coming
2. He wants to see the real pool member IPs instead of the load balancer self IPs.
I did not get time to capture the traffic. But I am worried about why the requestor did not see the same message "self ip:default send string" twice.
Why are the self IPs showing on the Splunk server instead of the virtual server IPs at least?
I put the health monitor as UDP instead of TCP, since TCP requires a string and the user was not sure what to share for the same. Although UDP seems OK since the servers were showing up. Let me know any considerations here, please.
How can I make the configurations so users can see the source IPs from where the logs are coming and also the pool members on Splunk?
Can anyone please help with this? Thanks in advance and happy new year.
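Added example, not part of the original post and not F5 or Splunk code: a loopback sketch of the two monitor choices described above, showing what a UDP syslog input receives when the health check is a UDP probe versus a TCP connect. Assumptions: the message seen on the Splunk side is the UDP monitor's probe payload arriving on the syslog port, loopback sockets stand in for one pool member, `udp_events_seen` is a hypothetical helper, and the syslog line is constructed.

```python
import socket

PROBE = b"default send string"  # payload text quoted in the post
SYSLOG = b"<134>Jan  1 00:00:00 ids01 sensor: constructed sample event"

def udp_events_seen(monitor_type):
    """Payloads the UDP syslog input receives for one client event plus
    one health check of the given type ('udp' or 'tcp')."""
    # Stand-in pool member: UDP input and TCP listener on loopback.
    udp_in = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    udp_in.bind(("127.0.0.1", 0))
    udp_in.settimeout(0.5)
    tcp_in = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    tcp_in.bind(("127.0.0.1", 0))
    tcp_in.listen(1)
    member_udp, member_tcp = udp_in.getsockname(), tcp_in.getsockname()

    # A log source sends one syslog datagram.
    client = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    client.sendto(SYSLOG, member_udp)
    client.close()

    if monitor_type == "udp":
        # UDP monitor: the probe is itself a datagram to the syslog port,
        # so the input records it as an event from the monitor's address.
        mon = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        mon.sendto(PROBE, member_udp)
        mon.close()
    else:
        # TCP monitor: a connect/close on the TCP port, no datagram sent.
        socket.create_connection(member_tcp, timeout=0.5).close()

    seen = []
    try:
        while True:
            data, _src = udp_in.recvfrom(4096)
            seen.append(data)
    except socket.timeout:
        pass  # no more datagrams queued
    finally:
        udp_in.close()
        tcp_in.close()
    return seen

if __name__ == "__main__":
    for kind in ("udp", "tcp"):
        print(kind, "monitor ->", udp_events_seen(kind))
```
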