Log traffic from single module in F5 only going to one server

While the main fix for this may be on the F5 side, I wanted to try here in case someone has been in this exact situation.
I’m also wondering if there is something I can do in the nginx config to help.

I have a graylog cluster:
1 x LB using nginx for the LB
3 x Graylog
3 x Elasticsearch

The single main thing we are logging from is our F5 BigIP device, which is logging from many modules.

The main thing that is logging is the ASM (Application Security) module.

The issue is not new, but has not really been that much of an issue in the past.

Logging to my graylog cluster from ASM ends up getting pinned to a single graylog server.
This is an issue, especially when log traffic spikes, and/or more processing power is needed.

I believe this is due to the fact that the F5 is trying to use a single connection as much as possible which interferes with the load balancing efforts on our graylog LB.

Here is what our LB config looks like:
# this config works for asm logs
upstream asmlogs {
    server graylog01:1515;
    server graylog02:1515;
    server graylog03:1515;
}
server {
    listen 10.x.x.xxx:1515;
    proxy_pass asmlogs;
    #proxy_responses: 1;
    #…
}

Thanks for the help!

Just to share where I’m currently looking to move on this.

I’m going to use a high speed logging configuration on the F5 that will include a pool containing all 3 graylog nodes so that the F5 can actively and intelligently balance the logging traffic itself.

This will just take a bit to set up.

Over TCP a normal load balancer can check only the TCP stream, not the data in the stream, so it is normal.
If the data is not so important, you can use UDP; in this case you will have different streams for different packages.
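
The UDP approach from the reply above, written against the posted LB config as an added example (not code from anyone in the thread). It assumes each Graylog node has a UDP input listening on 1515 and that the F5 is switched to send over UDP; the `proxy_timeout` value is also an assumption.

```nginx
# Added example, not from the thread. Belongs inside the stream {} context.

# TCP, as posted: nginx picks an upstream once per connection, so a single
# long-lived connection from the F5 stays on one Graylog node.
# server {
#     listen 10.x.x.xxx:1515;
#     proxy_pass asmlogs;
# }

upstream asmlogs {
    server graylog01:1515;
    server graylog02:1515;
    server graylog03:1515;
}

# UDP: each datagram can be balanced on its own.
server {
    listen 10.x.x.xxx:1515 udp;   # same redacted address as in the post
    proxy_pass asmlogs;
    proxy_requests 1;     # drop the client/session binding after one datagram,
                          # so the next datagram is balanced again (nginx 1.15.7+)
    proxy_responses 0;    # syslog over UDP expects no reply from Graylog
    proxy_timeout 1s;     # assumed value: release idle sessions quickly
}
```

UDP gives no delivery guarantee and each log message has to fit in one datagram, so this fits only the case the reply describes, where losing some messages is acceptable.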
