Replacing Stealthwatch Flow Replicator with LTM

Question

Currently we have a Stealthwatch UDP Flow Replicator in our environment that we use to collect Netflow and Syslog UDP datagrams and send to various collection points.  In the case of Syslog, we collect over port 514 and 516 and perform port translation to another port (i.e. 10524) where an instance of of RSYSLOG organizes data according to what port it is collected over.&nbsp;
My question is how can we replace the Flow Replicator with a LTM?  I figure this will involve iRules, but since I'm relatively green to how to set this up, I felt I should reach out.&nbsp;
I will attempt to illustrate our network setup and the flow of our data that we wish to achieve.&nbsp;
&nbsp;

brian_25776 · Answer

&nbsp;
Adding this because I was unable to post to the OP.&nbsp;

patrik_jonsson · Answer

I believe a clone pool could be an alternative here providing that you don't want all servers to receive the message.&nbsp;
/Patrik&nbsp;

brian_25776 · Answer

Will the LTM be able to receive UDP traffic over port 514 and translate the port to 10514 while preserving the originating IP address?  I imagine that an iRule will be required for this process.&nbsp;

patrik_jonsson · Answer

Hi  Brian&nbsp;
As long as you have port translation enabled on the virtual server (enabled by default) don't use a SNAT it should work fine.&nbsp;
/Patrik&nbsp;

Forum Discussion

Replacing Stealthwatch Flow Replicator with LTM

4 Replies

Recent Discussions

vulnerabilities (CVE-2020-36363), CVE-2016-0736,CVE-2019-6593-FOR VERSION BIGIP LTM-16.1.4

Chrome V 124+ on MacOS - Virtual Server Access Issue

Port Group on F5OS network setting

Advise on setting up IRULE

F5 iRule to replace host to path

Related Content

Adaptive Apps: Replicate & deploy WAF application security policies across F5's security portfolio

ADFS Proxy Replacement on F5 BIG-IP

Weblogic JSessionID Persistence for Session Replication

string first replacement procedure for ID999881

WAF profile replicate