Getting Data In
Heavy Forwarder Load Balancing syslog data to F5 VIPs

Path Finder

We are on 7.2.5.1. My outputs.conf is sending incoming Windows logs out to 2 F5 VIPs via a syslog stanza. The data goes out but only ever hits the first VIP in the server= line of the stanza.

[syslog:testgroup]
priority = NO_PRI
server = 10.X.X.1:514,10.X.X.2:514
type = udp

The .1 is receiving all of the data on the F5 and the HF never seems to switch over to the .2 IP.

Any help would be greatly appreciated.

0 Karma
Re: Heavy Forwarder Load Balancing syslog data to F5 VIPs

Communicator

I have a lot of questions.. can you clarify:

  • What are your incoming Windows logs, so we can understand whether these are generic OTS Windows logs or whether they are syslog in nature?
  • Are these incoming Windows logs sitting on the HF you mentioned in your title, or are they coming from other UFs?
  • Are these 2 F5 VIPs doubling as indexers for your Splunk architecture, or do these incoming logs get to indexers at some point?
0 Karma
Re: Heavy Forwarder Load Balancing syslog data to F5 VIPs

Path Finder

They are wineventlog - app/sec/sys

They are coming in to the HF via UF.

The data gets sent to an index cluster via another app/stanza on the HF and they look fine in Splunk.

Thanks!

0 Karma
Re: Heavy Forwarder Load Balancing syslog data to F5 VIPs

Communicator

Are you sending these as [syslog] to the 2 F5 VIPs because that is the only port open on those hosts?
Is the indexer cluster stanza using [syslog] and has to send via port 514(UDP) too?

0 Karma
Re: Heavy Forwarder Load Balancing syslog data to F5 VIPs

Path Finder

No, the indexers are receiving the data via the standard Splunk indexer port 9997. I'm sending via syslog to the F5 because that's the way the host behind the VIPs wants to see it.

0 Karma
Re: Heavy Forwarder Load Balancing syslog data to F5 VIPs

Motivator

Your configuration is not correct for what you're trying to accomplish.

The "server" parameter in the [syslog] stanza takes only a single IP:PORT and is where you define the address of your syslog server (singular).
This parameter is not for load balancing, and that is the reason only one of your two defined IPs is receiving data.

https://docs.splunk.com/Documentation/Splunk/8.0.1/Admin/Outputsconf#Syslog_output----

0 Karma
Re: Heavy Forwarder Load Balancing syslog data to F5 VIPs

Motivator

I'm assuming that you are using two F5s for redundancy, but you can configure a single VIP across two clustered F5s (much easier in haproxy), and that would solve your issue.

0 Karma
Re: Heavy Forwarder Load Balancing syslog data to F5 VIPs

Path Finder

Currently the 2 VIPs are on one F5. We had one VIP going to a 2-IP pool but saw that traffic was only going to a single IP in the pool. So we are now trying 2 VIPs with the 2 IPs in the pools flipped, so the first VIP goes to .3 and .4 in the pool and the second VIP goes to .4 and .3 in the pool. Make sense?

0 Karma
Re: Heavy Forwarder Load Balancing syslog data to F5 VIPs

Path Finder

Thanks, so do something like this?

[syslog]
# group names here must match the [syslog:<name>] stanzas below exactly
defaultGroup = syslog:testgroup1, syslog:testgroup2
type = udp
priority = NO_PRI

[syslog:testgroup1]
server = 10.X.X.1:514

[syslog:testgroup2]
server = 10.X.X.2:514

0 Karma
Re: Heavy Forwarder Load Balancing syslog data to F5 VIPs

Motivator

It's a bit of a one-off configuration, and I'm not sure your results will be consistent, but this config combo should work. Though I can't be certain you won't get duplicate data.

[syslog]
# group names here must match the [syslog:<name>] stanzas below exactly
defaultGroup = syslog:testgroup1, syslog:testgroup2
type = udp
priority = NO_PRI

[syslog:testgroup1]
server = 10.X.X.1:514

[syslog:testgroup2]
server = 10.X.X.2:514

0 Karma
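An added example, not part of the thread and not Splunk's own tooling: a small lint for the syslog section of outputs.conf that catches the two mistakes that came up above, a [syslog:<group>] "server" value listing more than one host:port (the setting takes exactly one target, as the Motivator's answer explains) and a [syslog] defaultGroup that names a stanza that does not exist (the testgroup1 / test_group1 mismatch in the proposed config). The sample configs, IP addresses and the function names are constructed for this example; the parsing uses Python's stdlib configparser, which is enough for the flat key = value layout of outputs.conf.

```python
"""Lint the syslog output section of a Splunk outputs.conf.

Added example (not from the thread or from Splunk). Flags:
  * [syslog:<group>] stanzas whose 'server' lists more than one host:port
  * [syslog] defaultGroup entries that reference a stanza that does not exist
The sample configurations below are constructed for illustration.
"""
import configparser
import re

# Constructed: reproduces the original stanza and the mismatched group names.
BROKEN_OUTPUTS_CONF = """\
[syslog]
defaultGroup = syslog:testgroup1, syslog:testgroup2
type = udp
priority = NO_PRI

[syslog:testgroup]
priority = NO_PRI
server = 10.0.0.1:514,10.0.0.2:514
type = udp

[syslog:test_group1]
server = 10.0.0.1:514

[syslog:test_group2]
server = 10.0.0.2:514
"""

# Constructed: one target per group, and defaultGroup names match the stanzas.
FIXED_OUTPUTS_CONF = """\
[syslog]
defaultGroup = syslog:testgroup1, syslog:testgroup2
type = udp
priority = NO_PRI

[syslog:testgroup1]
server = 10.0.0.1:514

[syslog:testgroup2]
server = 10.0.0.2:514
"""

# hostname or IP, a colon, and a numeric port
HOST_PORT = re.compile(r"^[A-Za-z0-9.\-]+:\d{1,5}$")


def parse_outputs_conf(text):
    """Return {stanza: {setting: value}} for a flat outputs.conf body."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str  # Splunk setting names are case-sensitive
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def lint_syslog_outputs(conf):
    """Return a list of problem strings; an empty list means the checks passed."""
    problems = []
    for stanza, settings in conf.items():
        if not stanza.startswith("syslog:"):
            continue
        server = settings.get("server", "").strip()
        if not server:
            problems.append(f"[{stanza}] has no 'server' setting")
            continue
        targets = [t.strip() for t in server.split(",")]
        if len(targets) > 1:
            problems.append(
                f"[{stanza}] 'server' takes a single host:port but lists "
                f"{len(targets)} targets: {', '.join(targets)}"
            )
        for target in targets:
            if not HOST_PORT.match(target):
                problems.append(f"[{stanza}] 'server' value {target!r} is not host:port")

    default = conf.get("syslog", {}).get("defaultGroup", "")
    for group in (g.strip() for g in default.split(",") if g.strip()):
        if group not in conf:
            problems.append(f"[syslog] defaultGroup names '{group}' but no [{group}] stanza exists")
    return problems


if __name__ == "__main__":
    for label, text in (("broken", BROKEN_OUTPUTS_CONF), ("fixed", FIXED_OUTPUTS_CONF)):
        print(f"== {label} ==")
        for problem in lint_syslog_outputs(parse_outputs_conf(text)) or ["ok"]:
            print(problem)
```

Run it against a real file with `lint_syslog_outputs(parse_outputs_conf(open(path).read()))` before pushing an outputs.conf to a heavy forwarder; the broken sample yields three findings (the two-target server line and the two unresolved defaultGroup names) and the fixed sample yields none. Note that passing this lint only means the config is well-formed: whether traffic actually reaches both VIPs still has to be confirmed on the F5 side, since the setting defines a target per group rather than a load-balanced list.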