While the main fix for this may be on the F5 side, I wanted to try here in case someone has been in this exact situation.
I’m also wondering if there is something I can do in the nginx config to help.
I have a graylog cluster:
1 x LB using nginx for the LB
3 x Graylog
3 x Elasticsearch
The single main thing we are logging from is our F5 BigIP device, which is logging from many modules.
The main thing that is logging is the ASM (Application Security) module.
The issue is not new, but has not really been that much of an issue in the past.
Logging to my graylog cluster from ASM ends up getting pinned to a single graylog server.
This is an issue, especially when log traffic spikes, and/or more processing power is needed.
I believe this is due to the fact that the F5 is trying to use a single connection as much as possible, which interferes with the load balancing efforts on our graylog LB.
Here is what our LB config looks like:
#this config works for asm logs
upstream asmlogs {
    server graylog01:1515;
    server graylog02:1515;
    server graylog03:1515;
}
server {
    listen 10.x.x.xxx:1515;
    proxy_pass asmlogs;
    #proxy_responses: 1;
    #…
}
Thanks for the help!
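
An added illustration, not part of the original post: a small Python model of the pinning described above. For TCP, nginx's stream proxy picks an upstream once per client connection, so every message on a long-lived connection lands on the same node. The model assumes the default round-robin method with equal weights; the upstream names come from the post's config, and the message counts are constructed.

```python
from collections import Counter
from itertools import cycle

# Upstream names taken from the post's `upstream asmlogs` block.
UPSTREAMS = ["graylog01:1515", "graylog02:1515", "graylog03:1515"]


def distribute(messages_per_connection, upstreams=UPSTREAMS):
    """Return the number of messages each upstream receives.

    messages_per_connection holds one entry per client TCP connection,
    in the order the connections are opened (constructed sample input).
    """
    picker = cycle(upstreams)           # round-robin, equal weights (assumed)
    received = Counter({u: 0 for u in upstreams})
    for count in messages_per_connection:
        target = next(picker)           # chosen once, when the connection opens
        received[target] += count       # every message on it follows that choice
    return dict(received)


def skew(received):
    """Share of all messages handled by the busiest node (1/3 is ideal here)."""
    total = sum(received.values())
    return max(received.values()) / total if total else 0.0


# Constructed workloads, 90,000 messages each.
ONE_LONG_LIVED = [90_000]               # sender keeps a single connection open
RECONNECTING = [1_000] * 90             # new connection every 1,000 messages

if __name__ == "__main__":
    for name, load in (("single connection", ONE_LONG_LIVED),
                       ("reconnecting", RECONNECTING)):
        result = distribute(load)
        print(f"{name:18} {result}  busiest node share = {skew(result):.2f}")
```

The balancer only evens out load when the sender opens connections often enough for the round-robin choice to be made repeatedly.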