Forum Discussion

Santavi_241428
Jan 03, 2016

need help for splunk

Hi Team,

Currently we are facing some issues regarding the following scenario.

Customer has given the requirement as follows:

9 VIPs to be created to load balance syslog traffic (UDP 514). The pool members are listening on UDP and TCP. UDP will be used to receive syslog traffic, and TCP will be used for the load balancer to monitor the pool member. In the event a pool member stops responding on the appropriate TCP port that pool member must be marked down.

Example of one VIP:

VIP1

Name: VS_abcd_ids_udp514
Address: w.x.y.z
Mask: 255.255.255.255
Service Port: UDP 514
SNAT Pool: None
Profile: UDP

Pool

Name: Pool_abcd_ids_2514
Member1: w.x.y.z:2514
Member2: w.x.y.z:2514

Monitor: TCP 2514

After implementation we observed as follows:

At first we observed as follows: the response on the Splunk server was seen by the user as coming from the F5 self IPs. The message is something like this: F5 "self ip:default send string". After another test the requestor said he is not seeing the message. However, he wants to see 2 things on his Splunk server:

1. The source IPs from where the logs are coming
2. He wants to see the real pool member IPs instead of the load balancer self IPs.

I did not get time to capture the traffic. But I am worrying why the requestor did not see the same message "self ip:default send string" twice?

Why are the self IPs showing on the Splunk server instead of the virtual server IPs at least?

I set the health monitor as UDP instead of TCP, since TCP requires a string and the user was not sure what to share for it. Although UDP seems OK since the servers were showing up. Let me know any considerations here please.

How can I make the configuration so users can see the source IPs from where the logs are coming and also the pool members on Splunk?

Can anyone please help with this? Thanks in advance and happy new year.


2 Replies

  • I think what you are seeing is the health monitor traffic reaching Splunk. If you don't want that you might be fine with a simple TCP monitor without sending any data. In this case I don't believe syslog sends a response for correct requests, so sending anything is not really useful anyway.

    Did you see anything other than "self ip:default send string" on Splunk? Because in that case your virtual server / pool might not be correctly set up, or traffic might be unable to reach your Splunk servers.

  • Maybe my previous question was big and confusing. The requirement is like this:

    • There will be many different devices, which will communicate with the load balancer on device-specific VIPs. Please go through the attached diagram for better understanding.
    • The log message on Splunk must retain the client source IP from where the logs are coming instead of the virtual IPs of the load balancers.
    • Disabling SNAT did not solve the purpose.

    Can anybody help please?
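As an added example (not configuration from the poster or from the reply's author), the VIP/pool requirement in the question and the first reply's suggestion expressed as tmsh commands: a UDP 514 virtual server with no source address translation, a pool of members on port 2514, and a plain TCP monitor with no send or receive string, so the probe carries no text that could land in Splunk as a log line. The addresses, the monitor name and the interval/timeout values are placeholders.

```tmsh
# Plain TCP monitor: completes a handshake on each member's own port (2514)
# and sends no payload, so nothing like "default send string" reaches the
# syslog receiver. A member is marked down when TCP 2514 stops answering.
create ltm monitor tcp mon_tcp_2514 defaults-from tcp interval 5 timeout 16

# Pool of syslog receivers listening on 2514 (member addresses are placeholders).
create ltm pool Pool_abcd_ids_2514 monitor mon_tcp_2514 members add { 198.51.100.11:2514 198.51.100.12:2514 }

# UDP 514 virtual server. Port translation 514 -> 2514 is on by default.
# "type none" disables SNAT, so the sending device's IP stays as the packet
# source that the pool members forward to Splunk. Monitor probes are separate
# and always originate from the BIG-IP self IP regardless of this setting.
create ltm virtual VS_abcd_ids_udp514 destination 192.0.2.10:514 ip-protocol udp profiles add { udp } pool Pool_abcd_ids_2514 source-address-translation { type none }

# Check: members should show "available" once the TCP monitor succeeds.
show ltm pool Pool_abcd_ids_2514 members
```

If Splunk still reports the self IP after this, the remaining source of such lines is monitor traffic, which this monitor sends without any string, as the first reply describes.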