Hello Does anyone have any experience of syslog-ng behind F5 load balancer and preserving source IP address? The F5 can put the X-Forwarding header or TCP Options value but I don't believe syslog-ng can understand either of these - Am I wrong? If I am then I am assuming I can have a filter that overwrites $HOST with the value of X-Forwarding or TCP Options. Any help appreciated. Thanks Peter.
X-Forwarded-For is an http header, so not applicable to syslog-ng. If there's indeed a tcp option that would be doable, do you have a documentation about that? Also, f5 would not really do load balancing as it assumes that there are many, short lived connections, whereas syslog is a long term connection. All an f5 is doing is monitoring the nodes and react if one of them fails. On Thu, Aug 6, 2020, 17:21 Peter Griggs <peter@petergriggs.co.uk> wrote:
Hello
Does anyone have any experience of syslog-ng behind F5 load balancer and preserving source IP address? The F5 can put the X-Forwarding header or TCP Options value but I don't believe syslog-ng can understand either of these - Am I wrong? If I am then I am assuming I can have a filter that overwrites $HOST with the value of X-Forwarding or TCP Options.
Any help appreciated.
Thanks
Peter.
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
I mean if any of the cluster node fails. So it provides HA, but not actual load balancing. On Thu, Aug 6, 2020, 21:28 Balazs Scheidler <bazsi77@gmail.com> wrote:
X-Forwarded-For is an http header, so not applicable to syslog-ng.
If there's indeed a tcp option that would be doable, do you have a documentation about that?
Also, f5 would not really do load balancing as it assumes that there are many, short lived connections, whereas syslog is a long term connection.
All an f5 is doing is monitoring the nodes and react if one of them fails.
On Thu, Aug 6, 2020, 17:21 Peter Griggs <peter@petergriggs.co.uk> wrote:
Hello
Does anyone have any experience of syslog-ng behind F5 load balancer and preserving source IP address? The F5 can put the X-Forwarding header or TCP Options value but I don't believe syslog-ng can understand either of these - Am I wrong? If I am then I am assuming I can have a filter that overwrites $HOST with the value of X-Forwarding or TCP Options.
Any help appreciated.
Thanks
Peter.
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
It seems f5 (and akamai) can send the ip address as IP option 28 by overloading its meaning. This could be added to syslog-ng as well. On Thu, Aug 6, 2020, 21:28 Balazs Scheidler <bazsi77@gmail.com> wrote:
X-Forwarded-For is an http header, so not applicable to syslog-ng.
If there's indeed a tcp option that would be doable, do you have a documentation about that?
Also, f5 would not really do load balancing as it assumes that there are many, short lived connections, whereas syslog is a long term connection.
All an f5 is doing is monitoring the nodes and react if one of them fails.
On Thu, Aug 6, 2020, 17:21 Peter Griggs <peter@petergriggs.co.uk> wrote:
Hello
Does anyone have any experience of syslog-ng behind F5 load balancer and preserving source IP address? The F5 can put the X-Forwarding header or TCP Options value but I don't believe syslog-ng can understand either of these - Am I wrong? If I am then I am assuming I can have a filter that overwrites $HOST with the value of X-Forwarding or TCP Options.
Any help appreciated.
Thanks
Peter.
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
Do you have any config for syslog-ng for extracting this? Thanks Peter Get Outlook for Android<https://aka.ms/ghei36>
not at this point, this needs code additions to syslog-ng, that's what I meant "added to syslog-ng". On Fri, Aug 7, 2020 at 1:23 AM Peter Griggs <peter@petergriggs.co.uk> wrote:
Do you have any config for syslog-ng for extracting this?
Thanks Peter
Get Outlook for Android <https://aka.ms/ghei36>
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
-- Bazsi
Right I am with you – sorry been a long couple of days. What’s best way about getting this raised? Whack an issue up on GitHub? From: syslog-ng [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Balazs Scheidler Sent: 07 August 2020 07:14 To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu> Subject: Re: [syslog-ng] Sylog-ng and F5 Load balancer. not at this point, this needs code additions to syslog-ng, that's what I meant "added to syslog-ng". On Fri, Aug 7, 2020 at 1:23 AM Peter Griggs <peter@petergriggs.co.uk<mailto:peter@petergriggs.co.uk>> wrote: Do you have any config for syslog-ng for extracting this? Thanks Peter Get Outlook for Android<https://aka.ms/ghei36> ______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq -- Bazsi
Hi Peter, Yes, opening a new issue on GitHub may be the best course of action. So to summarize the alternatives: * X-Forwarder-For is not feasible, because it's a HTTP header element, and given that syslog traffic is non-HTTP, it's simply not applicable * TCP option 28 (as it turned out it's not of the IP protocol, but TCP) - an enhancement request should be opened for the syslog-ng project And finally an additional alternative solution that wouldn't require any code change on syslog-ng side: AFAIK the F5 LBs should be able to do NAT so that the original sender's IP would be added as the source address for the forwarded traffic. It is possible that that would require some routing changes on the network side, but it would be a viable way to preserve the source addresses of forwarded traffic in a way that syslog-ng would be able to use it. Best Regards, János Szigetvári -- Janos SZIGETVARI RHCE, License no. 150-053-692 LinkedIn: linkedin.com/in/janosszigetvari __@__˚V˚ Make the switch to open (source) applications, protocols, formats now: - windows -> Linux, iexplore -> Firefox, msoffice -> LibreOffice - msn -> jabber protocol (Pidgin, Google Talk) - mp3 -> ogg, wmv -> ogg, jpg -> png, doc/xls/ppt -> odt/ods/odp Peter Griggs <peter@petergriggs.co.uk> ezt írta (időpont: 2020. aug. 7., P, 9:41):
Right I am with you – sorry been a long couple of days.
What’s best way about getting this raised? Whack an issue up on GitHub?
From: syslog-ng [mailto:syslog-ng-bounces@lists.balabit.hu] On Behalf Of Balazs Scheidler Sent: 07 August 2020 07:14 To: Syslog-ng users' and developers' mailing list <syslog-ng@lists.balabit.hu> Subject: Re: [syslog-ng] Sylog-ng and F5 Load balancer.
not at this point, this needs code additions to syslog-ng, that's what I meant "added to syslog-ng".
On Fri, Aug 7, 2020 at 1:23 AM Peter Griggs <peter@petergriggs.co.uk> wrote:
Do you have any config for syslog-ng for extracting this?
Thanks
Peter
Get Outlook for Android
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
--
Bazsi
______________________________________________________________________________ Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng FAQ: http://www.balabit.com/wiki/syslog-ng-faq
participants (3)
-
Balazs Scheidler
-
Peter Griggs
-
SZIGETVÁRI János