[syslog-ng] Load Balancing question

Nik Ambrosch nik at ambrosch.com
Mon Jan 13 01:19:03 UTC 2020 

Since the F5 doesn't have a syslog profile (like it does an http profile)
then it can't load balance messages.. so you're stuck with the
client->server tcp session stickiness that you're observing.

You'll want to configure out pool with least-connection load balancing and
configure your syslog-ng relay to open multiple tcp sessions to your load
balancer using network().

I'm not familiar if there's an easy/elegant way to make a single network
destination open many tcp connections, maybe someone else on the list is.
Off the top of my head, I'd either use UDP transport which is stateless or
several tcp network() destinations pointing to the same IP on your F5.


On Sun, Jan 12, 2020 at 7:50 PM Janczuk, George <George.Janczuk at cba.com.au>
wrote:

> I'm new to syslog-ng, so please excuse my ignorance if this a newbie or
> dumb question (I did do some googling first though - regrettably without
> success).
>
> Where I work we have deployed a syslog-ng OSE cluster (five members)
> fronted by an F5 LTM.
>
> One of our up-stream syslog event sources is a service provider's
> syslog-ng server acting as a relay and passing on all ingested syslog
> events to our cluster (via the F5 LTM VIP).
>
> The up-steam syslog-ng server aggregates events from hundreds of devices,
> and therefore the stream is very busy (i.e. never idle/quiet). Therefore,
> it turns out that the connection from the up-stream relay is NEVER dropped
> and remains in place almost permanently (certainly days at a time).
> Consequently, without any cycling of the connection the connection is bound
> to a single cluster member, and ALL events from the up-stream relay are
> delivered to that single cluster member and are NOT actually load balanced
> (with the remaining four members essentially being idle as the volume from
> the relay greatly eclipses the event volume from other even sources).
>
> I suppose the question is whether:
> a) Can we in some way configure the up-steam syslog-ng relay to cycle the
> outbound connection after some sort of threshold (be that time based - say
> every 15 seconds; or volume based - say every 100 events; or even both... -
> whichever occurs first)?, or
> b) Can the up-stream syslog-ng keep multiple connections open concurrently
> and can it then use round-robin or stochastic logic to determine which of
> the connections to send each relayed event to?
>
> I would very much like to hear from people about how to actually load
> balance an event stream from a syslog-ng relay.
>
> NOTE: People might ask the question: "If the up-stream relay is a single
> node, then why do even need a down-stream cluster, if it's not required
> upstream"? Two reasons really:
> 1. The up-steam service provider has deployed dedicated chunky tin (i.e.
> they've used a vertical scale model), whilst for our syslog-ng cluster
> we're using a private-cloud with much smaller VMs combined with a
> horizontal scale model, and
> 2. The relay is doing a fairly minimal collect and forward, whilst our
> syslog-ng cluster will be doing more event transformation and enrichment,
> which is ultimately more CPU intensive.
>
> ************** IMPORTANT MESSAGE *****************************
> This e-mail message is intended only for the addressee(s) and contains
> information which may be
> confidential.
> If you are not the intended recipient please advise the sender by return
> email, do not use or
> disclose the contents, and delete the message and any attachments from
> your system. Unless
> specifically indicated, this email does not constitute formal advice or
> commitment by the sender
> or the Commonwealth Bank of Australia (ABN 48 123 123 124 AFSL and
> Australian credit licence 234945)
> or its subsidiaries.
> We can be contacted through our web site: commbank.com.au.
> If you no longer wish to receive commercial electronic messages from us,
> please reply to this
> e-mail by typing Unsubscribe in the subject line.
> **************************************************************
>
>
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation:
> http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.balabit.hu/pipermail/syslog-ng/attachments/20200112/1b42e488/attachment.html>

More information about the syslog-ng mailing list