Forum Discussion

jitu
Jul 17, 2017

Syslog traffic needs to be sent to ArcSight ESM as a clone pool (duplicate); source IP is not preserved when sending duplicate syslog messages to ArcSight

Hi, we have configured a syslog VIP for both UDP and TCP ports. There are 2 backend syslog servers and the configuration is working perfectly on the syslog VIP; we have disabled SNAT so that the syslog servers can see the original client IP. Now a requirement came up to duplicate the syslog messages to ArcSight ESM, and we have set up the ArcSight IP as a clone pool and applied an iRule to clone the syslog traffic to the ArcSight console. The iRule is working fine, but the problem we are facing is preserving the original client IP in the syslog message when it reaches the ArcSight console: we are seeing that the logs are all sourced from the F5 interface IP, and ArcSight is not able to do reverse engineering to find out the original source. But we are seeing the source IP on the syslog servers.

Any idea or help will be greatly appreciated.

Thanks,

1 Reply

  • Thanks to hoolio (here), we were able to use the following iRule to achieve the desired functionality through the use of Sideband Connections:

    when CLIENT_ACCEPTED {
        set clientaddr [IP::client_addr]

        # Only clone traffic whose source is listed in the address data group
        if { [class match $clientaddr equals log_clone_address_list_updated] } {

            # Open a UDP sideband connection to the clone destination (ArcSight),
            # using the original client address as the source so ArcSight sees it
            if { [catch { connect -protocol UDP -myaddr $clientaddr 10.220.20.14:514 } conn_id] == 0 && $conn_id ne "" } {

                # Save the UDP payload data to send
                set data [UDP::payload]

                # Send the data with a 5 ms timeout on the connection identifier returned by connect
                set send_bytes [send -timeout 5 -status send_status $conn_id $data]

                # Log the number of bytes sent and the send status
                log local0. "Sent $send_bytes with status $send_status"

                # Release the sideband connection
                close $conn_id
            }
        } else {
            log local0. "$clientaddr: log data NOT cloned"
        }
    }
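The symptom in this thread is that the cloned copy reaches ArcSight with the F5 self IP as its network source. As an added example, not from the thread or from F5, the Python below shows the collector-side check a SIEM engineer would want before trusting attribution: parse the RFC 3164 header and, only when the transport source is a known relay address, fall back to the sender-supplied HOSTNAME field, flagging that the origin is then header-derived rather than observed. The relay address and the sample datagrams are constructed.

```python
import re
from dataclasses import dataclass

# Constructed values: the F5 self IP is not given in the thread, so a
# documentation-range address stands in for it here.
RELAY_IPS = {"192.0.2.10"}

# RFC 3164 layout: <PRI>TIMESTAMP HOSTNAME MSG
RFC3164 = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<ts>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<msg>.*)$"
)

@dataclass
class Event:
    facility: int
    severity: int
    origin: str          # address or hostname the event is attributed to
    origin_source: str   # "transport" (observed) or "header" (sender-supplied)
    message: str

def parse_syslog(transport_src: str, payload: str, relay_ips=RELAY_IPS) -> Event:
    """Attribute a datagram: prefer the IP-layer source, but when that source
    is a relay (the clone copy sent from the F5 self IP) fall back to the
    HOSTNAME field. A header-derived origin is flagged because the sender,
    not the network, controls it."""
    m = RFC3164.match(payload)
    if m is None:
        raise ValueError(f"not an RFC 3164 message: {payload!r}")
    pri = int(m["pri"])
    if pri > 191:
        raise ValueError(f"PRI out of range: {pri}")
    if transport_src in relay_ips:
        host = m["host"]
        origin = host if host not in ("", "-") else "unknown"
        source = "header"
    else:
        origin, source = transport_src, "transport"
    return Event(pri >> 3, pri & 7, origin, source, m["msg"])

# Constructed datagrams: the same message as seen by the syslog pool
# (SNAT disabled, real client IP) and as the clone copy seen by ArcSight.
SAMPLE = [
    ("10.10.5.7",  "<34>Jul 17 10:15:01 web01 sshd[1234]: Accepted publickey for ops"),
    ("192.0.2.10", "<34>Jul 17 10:15:01 web01 sshd[1234]: Accepted publickey for ops"),
]

if __name__ == "__main__":
    for src, payload in SAMPLE:
        print(parse_syslog(src, payload))
```

The iRule above avoids this fallback entirely by preserving the client address at the IP layer; the parser is the check to run when that is not in place and a relay address shows up as the source.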