Forum Discussion

davec_20224
Jul 28, 2009

Providing application owners accurate logs while using SNAT?

Has anyone come up with a generic way to provide application owners with accurate logs while using SNAT? I'm aware of the X-Forwarded-For header when dealing with HTTP (or SSL-terminated HTTPS), but I'm looking for something that will work for other applications (SMTP, IMAP, LDAP, SSH, etc.). I figure this would require some sort of log correlation tool (homegrown or possibly Splunk) to coordinate log messages from the F5 with those from the application servers. I know the F5 could generate a log message along the lines of:


"$client_ip:$client_port load balanced to $server_ip:$server_port using $snat_ip:$snat_port"


But I figure I would then need the application to record the client IP & port it sees (which are actually the $snat_ip & $snat_port set by the F5) to be able to match up log messages. But most applications I've seen only log the client IP & not the port.


Is there something I haven't thought of here that would make this work? From a networking perspective we would love to be able to SNAT all connections because it keeps our configuration simpler and means only load balanced traffic passes through the F5. But if we can't provide the application owners with accurate logs, we'll have to choose another network design.


Thanks,


Dave C.

1 Reply

  • I suppose you could write an iRule that logs the client and destination IPs on the LTM. You can then in turn send the logs from the LTM to an external syslog box. As long as the timestamps are accurate you should at least be able to see this information in the logs.


    Hope this helps


    CB
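A correlation step of the kind the question and the reply describe, as an added example that is not part of the original thread: it reads F5 lines written in the message format proposed in the question, matches application lines against them on the SNAT address and a time window, and flags the ambiguity that arises when the application logs only the SNAT IP and not the port. The ISO timestamp prefix, the `ltm:`/`smtpd:` tags and the `client=` field are assumptions, and all sample lines are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed sample input (not from the original post). F5 lines use the message
# format proposed in the question behind an assumed timestamp and process tag; the
# application lines assume a daemon that logs the peer it sees as client=<ip>[:<port>].
F5_LOG = """\
2009-07-28T10:00:01 ltm: 203.0.113.10:51234 load balanced to 10.0.0.5:25 using 10.0.0.250:40001
2009-07-28T10:00:02 ltm: 203.0.113.11:51235 load balanced to 10.0.0.5:25 using 10.0.0.250:40002
2009-07-28T10:00:30 ltm: 203.0.113.12:51236 load balanced to 10.0.0.5:25 using 10.0.0.250:40003
"""
APP_LOG = """\
2009-07-28T10:00:02 smtpd: connect from client=10.0.0.250:40002
2009-07-28T10:00:03 smtpd: connect from client=10.0.0.250
2009-07-28T10:00:31 smtpd: connect from client=10.0.0.250
"""

F5_RE = re.compile(r"^(\S+) \S+ (\S+:\d+) load balanced to (\S+:\d+) using ([\d.]+):(\d+)$")
APP_RE = re.compile(r"^(\S+) \S+ .*client=([\d.]+)(?::(\d+))?$")

def parse_f5(text):
    """One record per F5 line: timestamp, real client, server, and the SNAT ip/port."""
    recs = []
    for line in text.splitlines():
        m = F5_RE.match(line)
        if m:
            ts, client, server, snat_ip, snat_port = m.groups()
            recs.append({"ts": datetime.fromisoformat(ts), "client": client,
                         "server": server, "snat_ip": snat_ip, "snat_port": int(snat_port)})
    return recs

def correlate(f5_text, app_text, window=timedelta(seconds=5)):
    """Map each application line back to the real client(s). Per line returns
    (status, clients): 'exact' when the app logged the SNAT port, 'unique' when it
    logged only the SNAT IP but one F5 connection falls in the window, 'ambiguous'
    when several do, 'none' when nothing matches."""
    recs = parse_f5(f5_text)
    out = []
    for line in app_text.splitlines():
        m = APP_RE.match(line)
        if not m:
            continue
        ts, ip, port = datetime.fromisoformat(m.group(1)), m.group(2), m.group(3)
        cands = [r for r in recs if r["snat_ip"] == ip and abs(r["ts"] - ts) <= window]
        if port is not None:
            cands = [r for r in cands if r["snat_port"] == int(port)]
        clients = [r["client"] for r in cands]
        if not clients:
            status = "none"
        elif port is not None:
            status = "exact"
        else:
            status = "unique" if len(clients) == 1 else "ambiguous"
        out.append((status, clients))
    return out
```

The second application line, which carries no port, maps to two possible clients because two SNAT connections were opened within the window; that is the gap the question points at when applications log the IP but not the port.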