
Adam_1421
Sep 16, 2009

Duplicate syslog traffic to multiple destinations

Hi,

I have an appliance that only allows setting of one syslog destination, but I have multiple syslog servers. The current solution involves logging to a nearby server which then sends the message to the real servers, but the original source is lost.

I would like to figure out how I could use a VIP on the F5 (9.4.7) and have it duplicate the traffic to multiple destinations. Using clone pools appears to be out as it seems to preserve the original destination. My next thought was an iRule, capture the UDP::payload and send duplicate traffic out (UDP or TCP), but the TCL socket command is disabled.

Is there any other method of duplicating the traffic, or is it time to log a feature request?

9 Replies

  • Hi Adam,

    If you search the forums for "clone" you can see this question has been brought up a few times. So there is definitely demand for this type of functionality. Unfortunately, it's not possible to duplicate traffic like that. But I do think it's a good idea to open a case with F5 Support and ask to have an RFE created (or if one already exists, to add yours to it).

    Aaron
  • The origin IPs could be inserted into the syslog messages if that's a possibility for you.

  • Another possibility: log the messages directly to your servers, then discard:

     when RULE_INIT {
         # Define syslog destinations (static:: variables need v10.1 or later; on 9.x use a global such as ::ls)
         set static::ls "10.10.20.49 10.10.20.247"
     }
     when CLIENT_ACCEPTED {
         # Re-log each datagram to every server, prefixed with the real client address, then drop the original
         foreach logserver $static::ls {
             log $logserver local0.info "[IP::client_addr] syslog message: [UDP::payload]"
         }
         discard
     }


    Untested and not very scalable, just brainstorming here. HTH...Jason
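The two suggestions above (fan the message out to several servers, and record the origin IP inside the message because a relay otherwise makes every collector see the relay as the sender) can be combined in a small stand-alone UDP relay. The following is an added example written for this thread, not code from the original posts or from F5; the collector addresses are constructed placeholders that mirror the two used in the iRule, and the `[origin=...]` marker format is an assumption, not a standard.

```python
"""UDP syslog fan-out relay (added example, not code from the thread).

Receives datagrams, records the real sender inside each message, and sends a
copy to every collector. Destination addresses are constructed placeholders.
"""
import re
import socket

# Constructed sample collectors, mirroring the two addresses in the iRule above.
DESTINATIONS = [("10.10.20.49", 514), ("10.10.20.247", 514)]

# RFC 3164 header: <PRI>Mmm dd hh:mm:ss HOSTNAME <rest of message>
_RFC3164 = re.compile(
    rb"^<(?P<pri>\d{1,3})>"
    rb"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d{2}:\d{2}:\d{2}) "
    rb"(?P<host>\S+) "
    rb"(?P<rest>.*)$",
    re.DOTALL,
)


def tag_origin(payload: bytes, client_ip: str) -> bytes:
    """Return the datagram with the real sender recorded inside it.

    Well-formed messages keep PRI, timestamp and HOSTNAME and get an
    "[origin=<ip>]" marker (assumed format) in front of the body. Payloads
    that do not parse are wrapped in a minimal header instead of being
    dropped, so collectors still receive them and the wrapper names the sender.
    """
    m = _RFC3164.match(payload)
    ip = client_ip.encode("ascii")
    if not m:
        # PRI 13 = user.notice; no timestamp, so the collector stamps it on receipt.
        return b"<13>" + ip + b" relay: " + payload
    return (b"<" + m.group("pri") + b">" + m.group("ts") + b" " + m.group("host")
            + b" [origin=" + ip + b"] " + m.group("rest"))


def fan_out(payload, client_ip, destinations=DESTINATIONS, sock=None):
    """Send one origin-tagged copy to each destination; return the count sent."""
    data = tag_origin(payload, client_ip)
    own_sock = sock is None
    if own_sock:
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    try:
        for dest in destinations:
            sock.sendto(data, dest)
        return len(destinations)
    finally:
        if own_sock:
            sock.close()


def serve(listen=("0.0.0.0", 514), destinations=DESTINATIONS):
    """Blocking relay loop: receive on `listen` and fan out every datagram."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx, \
         socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as tx:
        rx.bind(listen)
        while True:
            payload, (client_ip, _port) = rx.recvfrom(65535)
            fan_out(payload, client_ip, destinations, tx)


if __name__ == "__main__":
    serve()
```

Like the iRule, this keeps the collectors' view of the sender by rewriting the message rather than the packet, so it needs no raw-socket privileges; the trade-off is that the collectors' own source-IP field still shows the relay, which is why the marker goes into the message body where it is searchable.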

  • This solution would be enough to get us over the initial hump. However, as you say, if we migrated all our systems to this solution for consistency, we would run into scale issues.

    I have logged a case for an RFE, and will now wait to hear something back.
  • To follow up for anyone searching later. The development team have stated that they do not intend to add such a feature.

    There was a nice suggestion to put all the syslog servers on one subnet and use the loopback address as the clone target - if you want to put all the eggs in one basket.
  • Thanks for the info. Out of curiosity, did they explain why they wouldn't/couldn't support the duplication of traffic to multiple destinations?

    Also, how would the loopback IP send traffic to multiple syslog servers on the same destination? Would that just use the local syslog-ng daemon to send the messages?

    Thanks,

    Aaron
  • There was no explanation given as to why there is no intention to add the feature. The suggestion is as follows:

    Configure the original syslog server IP address (as provided by clients) on the loopback interface of all syslog servers (assuming their OS allows that - pretty much all Unix-based systems do). This allows syslog servers to accept packets for that address regardless of their "real" address in the local IP subnet (which is what BIG-IP uses to get the corresponding MAC). This scheme can be further extended into a fake-anycast solution in which all syslog servers have one well-known universal syslog server address configured on loopback and all devices (regardless of actual network location) use it. Delivery of messages is then facilitated by the BIG-IP or a router in the local IP subnet, which must have a route for the "universal syslog server address" via the real address of the nearest (or designated) syslog server. If the customer uses any dynamic routing protocol, the scheme can be further automated by the syslog servers injecting the "universal syslog server address" into the routing protocol, which avoids the need to configure static routes.

    I interpret this as a number of possible solutions to syslogging in general:

    - Place all syslog servers on the same subnet, with the 'syslog IP' on the loopback of all boxes, and use a clone pool to duplicate to each server via their real addresses

    - Have multiple syslog servers in different network segments and use an anycast solution so that all systems log to their nearest syslog server.

    However, neither of these solutions comes close to multiple servers in different physical and network locations each wanting to receive a copy of all syslog traffic from all systems for redundancy.

    There is a build option for syslog-ng where it can relay the traffic and spoof the original source (--enable-spoof-source). I'll probably have a look at that instead.
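For reference, the syslog-ng relay approach mentioned in the post above looks like the following. This is an added configuration example, not from the thread or from syslog-ng's documentation; the collector addresses are placeholders taken from the iRule earlier in the thread. `spoof_source(yes)` is only honoured when syslog-ng was built with `--enable-spoof-source` and runs with the privilege to send raw packets, and `keep_hostname(yes)` stops the relay from rewriting the HOSTNAME field with its own name.

```conf
# Added example: relay incoming UDP syslog to two collectors while keeping the
# original source address and hostname. Addresses are constructed placeholders.
options {
    keep_hostname(yes);
};

source s_appliances {
    udp(ip(0.0.0.0) port(514));
};

destination d_collector_a {
    udp("10.10.20.49" port(514) spoof_source(yes));
};
destination d_collector_b {
    udp("10.10.20.247" port(514) spoof_source(yes));
};

log {
    source(s_appliances);
    destination(d_collector_a);
    destination(d_collector_b);
};
```

Because the relayed packets carry the appliance's address, the path between relay and collectors must not apply source-address filtering (uRPF or similar) that would drop them, and the collectors will reply-to or rate-limit the appliance rather than the relay.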
  • I think your idea of proxying the syslog messages with syslog-ng might be easiest...

    Aaron
  • Ken_Bocchino_49
    Historic F5 Account
    Take a look at the following iApp http://devcentral.f5.com/wiki/iApp.UDP-Packet-Duplication.ashx