Forum Discussion
DennisJann
Mar 08, 2019
Nimbostratus
I had a similar requirement and came across this answer to use High-Speed Logging:
I wound up creating three pools (e.g., syslog_514_pool1, syslog_514_pool2, syslog_514_pool3), each containing a single syslog server.
I then created the following iRule to duplicate the traffic.
ltm rule syslog_message_duplication_rule {
    when CLIENT_ACCEPTED {
        # Open one HSL handle per single-member syslog pool
        set syslog_pool1 [HSL::open -proto UDP -pool syslog_514_pool1]
        set syslog_pool2 [HSL::open -proto UDP -pool syslog_514_pool2]
        set syslog_pool3 [HSL::open -proto UDP -pool syslog_514_pool3]
    }
    when CLIENT_DATA {
        # Send a copy of the received UDP payload to each pool
        HSL::send $syslog_pool1 [UDP::payload]
        HSL::send $syslog_pool2 [UDP::payload]
        HSL::send $syslog_pool3 [UDP::payload]
    }
}
Apply the iRule to your port 514 UDP VIP.
ltm virtual vs_syslog_514 {
    destination 10.1.2.3:514
    ip-protocol udp
    mask 255.255.255.255
    profiles {
        udp { }
    }
    rules {
        syslog_message_duplication_rule
    }
    source 0.0.0.0/0
    translate-address enabled
    translate-port enabled
}
We've been using the above configuration in production for about 6 months and the team that manages syslog services has been satisfied with the solution.
Alternately, you could take a look at this iApp:
https://devcentral.f5.com/codeshare/udp-tcp-packet-duplication
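
Added example, not part of the original post and not F5 code: a fan-out check that sends one uniquely tagged syslog datagram and confirms every collector received an identical copy, so a collector that silently misses traffic is caught. It runs entirely on loopback; `relay_once` is a constructed stand-in for the VIP and iRule, and all function names, the probe format and the `broken` parameter are assumptions made for illustration.

```python
import socket, threading, uuid

def build_probe(hostname="probe-host"):
    """Constructed RFC 3164-style line; <134> = facility local0 (16*8) + severity info (6)."""
    nonce = uuid.uuid4().hex
    return f"<134>Jan  1 00:00:00 {hostname} fanout-probe: nonce={nonce}".encode()

def udp_listener():
    """Bind an ephemeral loopback UDP port; stands in for one syslog server."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.bind(("127.0.0.1", 0))
    return s

def relay_once(front, targets):
    """Stand-in for the VIP + iRule: copy one datagram's payload to every target."""
    data, _ = front.recvfrom(65535)
    for addr in targets:
        front.sendto(data, addr)

def received(sock, probe, timeout=2.0):
    """True if this collector gets the probe byte-for-byte before the timeout."""
    sock.settimeout(timeout)
    try:
        while True:
            data, _ = sock.recvfrom(65535)
            if data == probe:
                return True
    except socket.timeout:
        return False

def check_fanout(n_collectors=3, broken=()):
    """Send one probe through the relay and return per-collector delivery results.
    `broken` lists collector indexes the relay skips, to show how a gap appears."""
    collectors = [udp_listener() for _ in range(n_collectors)]
    front = udp_listener()
    targets = [c.getsockname() for i, c in enumerate(collectors) if i not in broken]
    t = threading.Thread(target=relay_once, args=(front, targets), daemon=True)
    t.start()
    probe = build_probe()
    sender = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sender.sendto(probe, front.getsockname())
    t.join(2.0)
    results = [received(c, probe, timeout=0.5) for c in collectors]
    for s in collectors + [front, sender]:
        s.close()
    return results

if __name__ == "__main__":
    print(check_fanout())            # all collectors received the probe
    print(check_fanout(broken={1}))  # the second collector is reported as missing it
```

Against a real deployment, the probe would be sent to the VIP address and `received` would run on each syslog server in place of the loopback listeners.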