F5 Syslog Load Balancing

splunker52
New Member

Hi,

We set up an F5 VIP to load balance syslog input to several heavy forwarders on UDP 514. We're successfully receiving syslog events through the F5 VIP from several sources, but for some reason the syslogs from our VMware environment are not being accepted. Network tracing on the F5 VIP shows VMware sources making connections to the front-end VIP and the back-end HFs, but the syslogs are not being accepted and processed by the HFs. We've taken one VMware server and directed syslogs straight to one of the HFs (bypassing the F5), and this works. Any suggestions on what might be happening when sending the VMware syslogs through the F5 that would cause them to not be accepted/received by the HFs? The inputs.conf file has also been configured with all the VMware sources to accept syslog input from.

Thank you.


codebuilder
SplunkTrust

Do you have the X-Forwarded-For header configured on your F5?
If not, your forwarders will get the SNAT IP and not the originating host. So if you have inputs.conf configured with the originating host IP (vmware) then those events will never match an input.

----
An upvote would be appreciated and Accept Solution if it helps!

splunker52
New Member

No, we do not have that configured, but the "Source Address Translation" setting on the VIP is set to "None". Not an F5 expert here, but my understanding is that with this setting set to "None" the true VMware source IPs would then be visible to the HFs in the VIP pool. This works for other syslog sources coming through the VIP.


codebuilder
SplunkTrust

What does your inputs.conf look like? And have you checked splunkd logs for any connection issues?

----
An upvote would be appreciated and Accept Solution if it helps!

splunker52
New Member

Haven't looked at splunkd logs at this point, but will do that as soon as I can. As for inputs.conf, here's a snippet (I have tried both the ip and dns connection_host options; the actual source FQDN and IP are removed for this post):

[udp://sourcefqdn:514]
index = vmware-esxilog
sourcetype = vmw-syslog
connection_host = dns
disabled = false

[udp://sourceipaddress:514]
index = vmware-esxilog
sourcetype = vmw-syslog
connection_host = ip
disabled = false

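An added diagnostic, not code from either poster, for the point raised earlier in the thread: a host-qualified stanza like [udp://sourceip:514] only accepts datagrams whose source address is that host, so whatever address the HF actually sees on the wire (the real ESXi address, or an F5 address if translation is in play) decides whether an input matches. The script parses a constructed inputs.conf in the same shape as the snippet above and reports which stanza, if any, would take each observed source address. The hostname, addresses and DNS answers are placeholders I made up so it runs offline; the stanza-matching rule itself is Splunk's documented UDP input behaviour.

```python
import configparser
import ipaddress

# Constructed inputs.conf in the shape of the snippet above; the hostname and
# addresses are placeholders, not real hosts.
INPUTS_CONF = """[udp://esxi01.example.internal:514]
index = vmware-esxilog
sourcetype = vmw-syslog
connection_host = dns
disabled = false

[udp://10.0.0.20:514]
index = vmware-esxilog
sourcetype = vmw-syslog
connection_host = ip
"""
# Assumed forward-DNS answers, so the check runs offline.
DNS = {"esxi01.example.internal": "10.0.0.10"}
# Constructed source addresses as a capture on the HF would show them (direct and SNATed).
OBSERVED = {"esxi01 direct": "10.0.0.10", "esxi02 direct": "10.0.0.20",
            "via F5 SNAT": "10.0.0.250"}

def parse_udp_stanzas(text):
    """Return (remote_host or '', port, enabled) for each [udp://...] stanza."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    stanzas = []
    for section in cp.sections():
        if section.startswith("udp://"):
            host, _, port = section[6:].rpartition(":")  # '' host = any source
            enabled = cp[section].get("disabled", "false").lower() not in ("1", "true")
            stanzas.append((host, int(port), enabled))
    return stanzas

def accepting_stanza(src_ip, port, stanzas, dns=DNS):
    """Stanza that accepts a datagram from src_ip on port, or None (Splunk drops it).
    [udp://host:port] accepts only that host; a bare [udp://port] accepts any source."""
    src = str(ipaddress.ip_address(src_ip))  # normalise the observed address
    for host, p, enabled in stanzas:
        if p != port or not enabled:
            continue
        if host == "" or dns.get(host, host) == src:  # hostname resolved via dns
            return f"udp://{host + ':' if host else ''}{p}"
    return None

def triage(observed, stanzas, dns=DNS):
    """Map each observed source label to the stanza that takes it, or DROPPED."""
    return {name: accepting_stanza(ip, 514, stanzas, dns) or "DROPPED"
            for name, ip in observed.items()}
```

Run triage() against the addresses from a packet capture taken on the HF itself (not on the F5) to see whether the VMware datagrams arrive with a source address any stanza can match.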

codebuilder
SplunkTrust

Those both look fine. Did you cycle Splunk after making changes to inputs.conf?

And/or do you have a firewall running that might be blocking the port?

----
An upvote would be appreciated and Accept Solution if it helps!