iRule TCP ip source

Question

Hello guys,
I have my switches on the LAN configured to send the syslog messages to the VIP (via tcp on port 51514 for example) which in turn send the messages to a pool member (syslog server).
My problem is the logs arrives on the server with the IP source from the VIP (as we use SNAT), and we can't know about the real switch that is triggering the logs.
Question: To solve that do I need to configure an iRule? I've seen this iRule below discussed in some discussion, do you think it'll fix my issue?&nbsp;
when CLIENT_ACCEPTED {
    set client [IP::client_addr]
}&nbsp;

youssef1 · Answer

Hi,&nbsp;
Did you try to disable snat? and switch to UDP instead TCP.&nbsp;
because syslog UDP is stateless and don't need 3 way handshake...&nbsp;
I have already encountered this type of problem, and I just added Switch source IP in TCP Syslog datagram. Then in my SIEM I retrieve this IP as source IP.&nbsp;
hope it help you.&nbsp;
regards&nbsp;

Forum Discussion

iRule TCP ip source

1 Reply

Recent Discussions

Advise on setting up IRULE

google autenticator broken barcode

Port Group on F5OS network setting

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Unwinding the Benefits of Investing in White Label Crypto Wallet

Related Content

I need an irule to decline/refuse/ an incomming tcp session from a source to a vip (ip address/port)

F5 TCP Proxy mode

How to ensure source address and source port are accepted and traversed properly via F5 SNAT automap

Help with tcp/http payload irule

Introducing TCP Analytics