Forum Discussion

Kevin_Nail
Sep 17, 2007

syslog-ng and centralized logging

We are trying to find a way to send syslog from the servers behind bigip to a central log server and distinguish what host the message came from. Is there any way to do this?

Will creating a forwarding IP server to the centralized logging server work? I should also point out that we have default SNAT IPs in place.

Any help would be appreciated.

Thanks,

Kevin

3 Replies

  • Deb_Allen_18
    Historic F5 Account
    Hi Kevin --

    With a default SNAT in place, the traffic through a forwarding VS would be SNAT'd.

    If your server addresses are routable out to the remote syslog server, and UDP is the transport protocol, I think you could configure as follows to preserve source IP even with a default SNAT configured:

    Virtual server
    - Dest: :514
    - Type: Standard
    - Proto: UDP
    - VLAN: Enable on
    - Address translation: Enabled

    Pool
    - Members: :514
    - Allow SNAT: No

    HTH

    /deb
  • Hi Deb,

    Thanks for the reply.

    I am a bit confused. Looks like your answer is dependent on the centralized log server being behind the LTM. Is this correct?

    What if the log server is not behind the LTM? Could my answer be as simple as disabling the Address Translation (unchecking the box) on the virtual server?

    Thanks,

    Kevin
  • Deb_Allen_18
    Historic F5 Account
    No, I don't think that will work.

    The syslog server and the clients initiating the connections to it (the LB servers) will be on opposite sides of the LTM, so you have to build a path through it.

    Address translation on the virtual server refers to destination address translation, not source address translation. SNAT refers to one method of source address translation.

    The default SNAT you already have configured will apply unless the traffic traverses a VS with SNAT disabled, and the goal here was to prevent client address translation.

    To disable SNAT, you need a Standard Virtual Server rather than a forwarding one -- you can't disable SNAT on a forwarding virtual server (except with an iRule).

    The virtual server must be configured to handle outbound traffic from the LB servers to the syslog server: That's why it's enabled on the server-facing vlan with an address on that subnet.

    I mis-stated the requirement for address translation in my previous post (corrected now): You would need to leave address translation enabled so the traffic goes to the real remote syslog server address when it leaves LTM.
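A receiver-side check for the problem Kevin raises, added here as an example and not part of the thread or of any F5 tooling: it parses BSD syslog datagrams and flags any packet source address that fronts several distinct hostnames, which is what a default SNAT produces before the Standard VS / pool with Allow SNAT = No is in place. The datagrams, hostnames and addresses below are constructed samples.

```python
import re
from collections import defaultdict

# BSD syslog (RFC 3164) line as sent over UDP/514: <PRI>TIMESTAMP HOSTNAME TAG: message
BSD_SYSLOG = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<rest>.*)$"
)

def parse_bsd_syslog(payload):
    """Split one datagram payload into facility, severity, claimed hostname and the rest.
    Returns None when the payload is not a BSD syslog line."""
    m = BSD_SYSLOG.match(payload)
    if not m:
        return None
    pri = int(m.group("pri"))
    return {"facility": pri >> 3, "severity": pri & 7,
            "host": m.group("host"), "rest": m.group("rest")}

def hosts_by_source(datagrams):
    """Map each packet source IP to the set of hostnames its messages claim to come from.
    The hostname field is self-reported, so the packet source is the value to trust."""
    seen = defaultdict(set)
    for src_ip, payload in datagrams:
        rec = parse_bsd_syslog(payload)
        seen[src_ip].add(rec["host"] if rec else "<unparsed>")
    return dict(seen)

def snat_suspects(datagrams, threshold=2):
    """Source IPs fronting at least `threshold` distinct hostnames: the signature of a
    SNAT (or relay) collapsing many senders onto one address."""
    return {ip: sorted(h) for ip, h in hosts_by_source(datagrams).items()
            if len(h) >= threshold}

# Constructed samples. BEFORE: every server arrives from the default SNAT address
# 10.10.10.1. AFTER: the VS/pool with Allow SNAT = No preserves each server's own address.
BEFORE = [
    ("10.10.10.1", "<13>Sep 17 10:01:02 web1 sshd[1234]: Accepted publickey for deploy"),
    ("10.10.10.1", "<13>Sep 17 10:01:03 web2 sshd[2222]: Failed password for root"),
    ("10.10.10.1", "<30>Sep  7 10:01:05 web3 cron[99]: (root) CMD (run-parts /etc/cron.hourly)"),
]
AFTER = [
    ("192.168.10.11", "<13>Sep 17 10:05:02 web1 sshd[1234]: Accepted publickey for deploy"),
    ("192.168.10.12", "<13>Sep 17 10:05:03 web2 sshd[2222]: Failed password for root"),
    ("192.168.10.13", "<30>Sep  7 10:05:05 web3 cron[99]: (root) CMD (run-parts /etc/cron.hourly)"),
]
```

Run `snat_suspects(BEFORE)` and `snat_suspects(AFTER)` against captures taken before and after the change; an empty result after the change confirms the source addresses survive the BIG-IP.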