Working through a training session on iRules, did a lab exercise comparing timing stats on log versus HSL::send. Surprisingly, the same iRule performed considerably better with local logging than it did with high speed logging over UDP. It wasn't a confidence booster in HSL.
One of the other class attendees (an F5 proserv consultant) mentioned that because it's single local user load on a virtual Big-IP, it's still within the region of the performance graph where local logging is more efficient. Has anyone seen this graph, where HSL overtakes local logging? I have some iRules in production I was thinking about retrofitting for some additional logging using HSL, but now I'm concerned that adding the load to these rules (my debugging logging is all commented out in production) may be more detrimental than beneficial.
Really? What did you use to time them? And what was the config? And what did the code look like? Did you re-open the HSL every event? or just at connection accept time?
There's one really important distinction to make here, and that's that local Syslog and HSL aren't really comparable. Local Syslog is, well, local. It has fast track access to the local Syslog service through tmm. HSL on the other hand is designed for sending Syslog messages off-box and would be more comparable with modifying Syslog-ng to relay messages off-box or specifying an IP and port in a log local statement. The difference here is how each functions. If you specify an IP and port in a log local statement, or modify Syslog-ng, all Syslog traffic must flow from the data plane, to the management plane where the Syslog service lives, and then out. HSL traffic stays in the data plane, so there's no potential management plane bottleneck or performance hit.
I would imagine that local Syslog will always be faster, but HSL would be faster than remote Syslog.
i have some queries regrading syslog:
* difference between simple syslog forwarding and HSL.
* if configure syslog then which plane will be responsible i mean data plane or management plane in both cases.
Harry, as noted earlier, the primary difference is relative to sending traffic off-box. If you're going to generate a lot of logs, those logs will take up space on the local disk so always best to send them off-box. If you configure Syslog-ng to send off-box, your log messages still have to go to the management plane before exiting the box. If you use HSL, log messages egress directly from the data plane (thus are much faster).
Thanks Kevin for prompt reply. actually there are 700-800 VS and customer wants to forward all logs to remote syslog. he has concern if managment plane or interface will send the log then it will utilize more hardware in terms of cpu and memory. it has 10G management but data interface is 40Gig so it is better to send all syslog related traffic via data port only.
also for snmp alerts can it use data interface or management?
As a rule, always use HSL for large amounts of logging.
@Harry, if you want to send HTTP / HTTPS logs, you can use request logging profile instead of HSL::send commands.
you mean to say ,i should configure logging profile in ASM policy? then can we configure destination here?
No, LTM request logging profile
Local Traffic ›› Profiles : Other : Request Logging
look at this thread when you have both HSL irule and request logging profile configurations
One more question in a similar problem :)
I've been using HSL irule to log http request/response data and I'm just trying to switch to using request-logging profile instead.
One problem I noticed that while using an irule I can reference a hsl profile which can log to a syslog server via the management interface.. And when using an request-logging profile I have to reference a syslog pool, so it has to be available via a self-ip. Is this right?
Is there any way to use request-logging profile and log to a syslog server available via the mgmt interface?