[syslog-ng] Load Balancing question

Peter Kokai (pkokai) Peter.Kokai at oneidentity.com
Mon Jan 13 06:24:43 UTC 2020


Hello,

The current way is exactly to create N network destinations and do the routing in the syslog-ng configuration (which it is really capable of).
There is also a configuration option that could generate such a layout for you - but probably you have to adjust it to your liking.

The *network-load-balancer* is capable of generating such a layout.
```
destination { network-load-balancer(targets(127.0.0.1 127.0.0.2 127.0.0.3) port(1111));  };
```

This is going to generate the following configuration snippet:

```
destination {
channel {
  channel {
    filter {
    "0" == "$(% ${R_MSEC} 3)"
    };
    destination {
      network("127.0.0.1" port(1111)      );
    };
    flags(final);
  };
  channel {
    filter {
    "1" == "$(% ${R_MSEC} 3)"
    };
    destination {
      network("127.0.0.2" port(1111)      );
    };
    flags(final);
  };
  channel {
    filter {
    "2" == "$(% ${R_MSEC} 3)"
    };
    destination {
      network("127.0.0.3" port(1111)      );
    };
    flags(final);
  };
};
};
```

You could start to build upon this idea.


--
Kokan

On Sun, Jan 12, 2020 at 08:19:03PM -0500, Nik Ambrosch wrote:
> Since the F5 doesn't have a syslog profile (like it does an http profile) then it can't load balance messages, so you're stuck with the client->server tcp session stickiness that you're observing.
> 
> You'll want to configure your pool with least-connection load balancing and configure your syslog-ng relay to open multiple tcp sessions to your load balancer using network().
> 
> I'm not familiar if there's an easy/elegant way to make a single network destination open many tcp connections, maybe someone else on the list is.  Off the top of my head, I'd either use UDP transport which is stateless or several tcp network() destinations pointing to the same IP on your F5.
> 
> 
> On Sun, Jan 12, 2020 at 7:50 PM Janczuk, George <George.Janczuk at cba.com.au> wrote:
> I'm new to syslog-ng, so please excuse my ignorance if this is a newbie or dumb question (I did do some googling first though - regrettably without success).
> 
> Where I work we have deployed a syslog-ng OSE cluster (five members) fronted by an F5 LTM.
> 
> One of our up-stream syslog event sources is a service provider's syslog-ng server acting as a relay and passing on all ingested syslog events to our cluster (via the F5 LTM VIP).
> 
> The up-stream syslog-ng server aggregates events from hundreds of devices, and therefore the stream is very busy (i.e. never idle/quiet). Therefore, it turns out that the connection from the up-stream relay is NEVER dropped and remains in place almost permanently (certainly days at a time). Consequently, without any cycling of the connection the connection is bound to a single cluster member, and ALL events from the up-stream relay are delivered to that single cluster member and are NOT actually load balanced (with the remaining four members essentially being idle as the volume from the relay greatly eclipses the event volume from other event sources).
> 
> I suppose the question is whether:
> a) Can we in some way configure the up-stream syslog-ng relay to cycle the outbound connection after some sort of threshold (be that time based - say every 15 seconds; or volume based - say every 100 events; or even both... - whichever occurs first)?, or
> b) Can the up-stream syslog-ng keep multiple connections open concurrently and can it then use round-robin or stochastic logic to determine which of the connections to send each relayed event to?
> 
> I would very much like to hear from people about how to actually load balance an event stream from a syslog-ng relay.
> 
> NOTE: People might ask the question: "If the up-stream relay is a single node, then why do you even need a down-stream cluster, if it's not required upstream"? Two reasons really:
> 1. The up-stream service provider has deployed dedicated chunky tin (i.e. they've used a vertical scale model), whilst for our syslog-ng cluster we're using a private-cloud with much smaller VMs combined with a horizontal scale model, and
> 2. The relay is doing a fairly minimal collect and forward, whilst our syslog-ng cluster will be doing more event transformation and enrichment, which is ultimately more CPU intensive.
> 
> ______________________________________________________________________________
> Member info: https://lists.balabit.hu/mailman/listinfo/syslog-ng
> Documentation: http://www.balabit.com/support/documentation/?product=syslog-ng
> FAQ: http://www.balabit.com/wiki/syslog-ng-faq
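
As an added illustration that is not part of the original thread: the sketch below reproduces the quoted channel layout for an arbitrary target list and shows how the `R_MSEC` modulo filter spreads messages across targets. It assumes `R_MSEC` is the 0-999 millisecond part of the receive time; the function names and the sample timestamps are constructed for this example.

```python
from collections import Counter

def expand(targets, port):
    """Render the channel layout shown in the post for any target list."""
    n = len(targets)
    out = ["destination {", "channel {"]
    for i, host in enumerate(targets):
        out += [
            "  channel {",
            "    filter {",
            f'    "{i}" == "$(% ${{R_MSEC}} {n})"',
            "    };",
            "    destination {",
            f'      network("{host}" port({port}));',
            "    };",
            "    flags(final);",
            "  };",
        ]
    out += ["};", "};"]
    return "\n".join(out)

def pick(r_msec, targets):
    """Target selected by the filter: R_MSEC modulo the number of targets."""
    return targets[r_msec % len(targets)]

def static_share(n):
    """How many of the 1000 possible R_MSEC values fall into each bucket."""
    return [len(range(i, 1000, n)) for i in range(n)]

def distribute(recv_times_ms, targets):
    """Count messages per target for receive times given in epoch milliseconds."""
    return Counter(pick(t % 1000, targets) for t in recv_times_ms)

TARGETS = ["127.0.0.1", "127.0.0.2", "127.0.0.3"]
# Constructed sample: one message per millisecond for 3 seconds (steady load)
STEADY = list(range(1_578_896_683_000, 1_578_896_686_000))
# Constructed sample: 500 messages all received within the same millisecond
BURST = [1_578_896_683_250] * 500

if __name__ == "__main__":
    print(expand(TARGETS, 1111))
    print(static_share(3), static_share(7))
    print(distribute(STEADY, TARGETS))
    print(distribute(BURST, TARGETS))
```

Under steady load the split is near-even, with the low buckets holding one extra millisecond value whenever the target count does not divide 1000. Messages received within the same millisecond all match the same channel, so a burst lands on a single target.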