Preserve source hostname with f5 and rsyslog

vonsolo29 · ‎01-03-2019

We are in the process of using two syslog servers to collect network data. We have an F5 that we use to load balance traffic to the two syslog servers. Data coming into the syslog servers from the F5 has the loadbalancer ip and not the source ip. How do we get around this since our templates/filters are looking for hostname or source ip to filter data.

FrankVl · ‎01-07-2019

If it is UDP syslog, you can simply configure the F5 to keep the original IP address and not perform Source-NAT.

For TCP that is a bit more complicated, since TCP requires two-way communication and the responses from your syslog servers also need to run through your F5's, otherwise the sending devices will get confused as they get TCP responses from an unknown IP. It is possible though. I believe you need to put the F5 and your syslog servers in the same subnet and make the F5 the default gateway of your syslog servers. For details you probably best talk to the team managing your F5's, this is not really a Splunk issue.

Alternatively of course, you can try to make sure that all the original syslog devices properly put their hostname in the message. So you can use that, instead of the IP/hostname observed from the network layer.

ewan000 · ‎01-04-2019

Does your f5 add a "fowarded for:" header? this is the usual way of passing the ip to receiving servers and you could capture and log it

ewan000 · ‎01-04-2019

sorry i missed the syslog part, check this out https://serverfault.com/questions/307355/syslog-forwarding-loses-original-hostname

Preserve source hostname with f5 and rsyslog

Introducing the 2024 SplunkTrust!

Introducing the 2024 Splunk MVPs!

Splunk Custom Visualizations App End of Life