{"id":4095,"date":"2022-08-25T11:13:07","date_gmt":"2022-08-25T15:13:07","guid":{"rendered":"https:\/\/infotechguy.net\/?p=4095"},"modified":"2025-02-22T11:26:46","modified_gmt":"2025-02-22T16:26:46","slug":"f5-irule-hsl-syslog-cloning-irule","status":"publish","type":"post","link":"https:\/\/infotechguy.net\/?p=4095","title":{"rendered":"F5 iRule &#8212; Syslog Cloning iRule with HSL or Sideband"},"content":{"rendered":"<h4><strong>HSL_syslog_cloning<\/strong><\/h4>\n<p>First lets create two(2) pools with a single node in each. These will be used in our iRule to clone the UDP datagram to both.<\/p>\n<p><em><strong>pool_SyslogServer001<\/strong><\/em><\/p>\n<p><a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2022\/08\/pool_syslogserver001-1.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4099\" src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2022\/08\/pool_syslogserver001-1.png\" alt=\"\" width=\"771\" height=\"635\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2022\/08\/pool_syslogserver001-1.png 771w, https:\/\/infotechguy.net\/wp-content\/uploads\/2022\/08\/pool_syslogserver001-1-300x247.png 300w, https:\/\/infotechguy.net\/wp-content\/uploads\/2022\/08\/pool_syslogserver001-1-768x633.png 768w\" sizes=\"auto, (max-width: 771px) 100vw, 771px\" \/><\/a><\/p>\n<p><em><strong>pool_SyslogServer001<\/strong><\/em><\/p>\n<p><a href=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2022\/08\/pool_syslogserver002.png\"><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-4100\" src=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2022\/08\/pool_syslogserver002.png\" alt=\"\" width=\"773\" height=\"638\" srcset=\"https:\/\/infotechguy.net\/wp-content\/uploads\/2022\/08\/pool_syslogserver002.png 773w, https:\/\/infotechguy.net\/wp-content\/uploads\/2022\/08\/pool_syslogserver002-300x248.png 300w, https:\/\/infotechguy.net\/wp-content\/uploads\/2022\/08\/pool_syslogserver002-768x634.png 768w\" sizes=\"auto, (max-width: 773px) 100vw, 773px\" \/><\/a><\/p>\n<p>Now that we created the two(2) pools with single nodes in each, we can craft the irule to utilize HighSpeedLogging(HSL) in an iRule and tie it alltogether.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">when CLIENT_ACCEPTED {\r\n    set syslog_pool1 [HSL::open -proto UDP -pool pool_SyslogServer001] \r\n    set syslog_pool2 [HSL::open -proto UDP -pool pool_SyslogServer002] \r\n}\r\nwhen CLIENT_DATA {\r\n  HSL::send $syslog_pool1 [UDP::payload]\r\n  HSL::send $syslog_pool2 [UDP::payload] \r\n\r\n}\r\n<\/pre>\n<table style=\"height: 17px; width: 775px; border-collapse: collapse;\">\n<tbody>\n<tr style=\"height: 37px;\">\n<td style=\"width: 50%; text-align: center; height: 37px;\"><strong>Pros<\/strong><\/td>\n<td style=\"width: 50%; text-align: center; height: 37px;\"><strong>Cons<\/strong><\/td>\n<\/tr>\n<tr style=\"height: 120px;\">\n<td style=\"width: 50%; height: 120px;\">\n<ul>\n<li>Very Simple, Roughly only 4 lines of code!!<\/li>\n<li>Utilizes F5 <a href=\"https:\/\/clouddocs.f5.com\/api\/irules\/HSL.html\">HSL which is designed for logging at highspeeds<\/a><\/li>\n<\/ul>\n<\/td>\n<td style=\"width: 50%; height: 120px;\">\n<ul>\n<li>Each HSL send destination requires a unique pool with one node in it.<\/li>\n<li>Cannot change source address (has to be self IP F5 LTM)<\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<hr \/>\n<h4><strong>SIDEBAND_syslog_cloning<\/strong><\/h4>\n<p>Now a different approach is to use iRule sideband method. Sideband was introduced in TMOS-LTMv11.0.0 so it will be needed for the SIDEBAND method to be available for use. It pretty much opens a TCP or UDP connection when the iRule get triggered.<\/p>\n<pre class=\"EnlighterJSRAW\" data-enlighter-language=\"generic\">when CLIENT_ACCEPTED {\r\n\r\n  # grab UDP payload\r\n  set data [UDP::payload]\r\n  \r\n  # create connection objects to both servers\r\n  set conn_id1 [connect -protocol UDP -myaddr 1.1.1.1 -timeout 100 -idle 30 10.10.10.1:514]\r\n  set conn_id2 [connect -protocol UDP -myaddr 1.1.1.1 -timeout 100 -idle 30 10.10.10.2:514]\r\n  \r\n  # send sideband request to server1\r\n  send -timeout 1000 $conn_id1 $data\r\n  close $conn_id1\r\n  # send sideband request to server1\r\n  send -timeout 1000 $conn_id2 $data\r\n  close $conn_id2\r\n}<\/pre>\n<table style=\"height: 170px; width: 775px; border-collapse: collapse;\">\n<tbody>\n<tr>\n<td style=\"width: 50%; text-align: center;\"><strong>Pros<\/strong><\/td>\n<td style=\"width: 50%; text-align: center;\"><strong>Cons<\/strong><\/td>\n<\/tr>\n<tr>\n<td style=\"width: 50%;\">\n<ul>\n<li>More control, we can change things like source address and timeouts<\/li>\n<li>No pools needed, can craft connection object directly in iRule<\/li>\n<\/ul>\n<\/td>\n<td style=\"width: 50%;\">\n<ul>\n<li>More complex<\/li>\n<li>Does NOT utilizes F5 <a href=\"https:\/\/clouddocs.f5.com\/api\/irules\/HSL.html\">HSL which is designed for logging at highspeeds<\/a><\/li>\n<\/ul>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n<p>&nbsp;<\/p>\n<p><strong>References:<\/strong><\/p>\n<ul>\n<li><a href=\"https:\/\/clouddocs.f5.com\/api\/irules\/HSL__send.html\">https:\/\/clouddocs.f5.com\/api\/irules\/HSL__send.html<\/a><\/li>\n<li><a href=\"https:\/\/clouddocs.f5.com\/api\/irules\/UDP__payload.html\">https:\/\/clouddocs.f5.com\/api\/irules\/UDP__payload.html<\/a><\/li>\n<li><a href=\"https:\/\/clouddocs.f5.com\/api\/irules\/SIDEBAND.html\">https:\/\/clouddocs.f5.com\/api\/irules\/SIDEBAND.html<\/a><\/li>\n<li><a href=\"https:\/\/community.f5.com\/t5\/technical-forum\/udp-packet-duplication-and-send-them-to-2-different-pools\/td-p\/264880\">https:\/\/community.f5.com\/t5\/technical-forum\/udp-packet-duplication-and-send-them-to-2-different-pools\/td-p\/264880<\/a><\/li>\n<li><\/li>\n<\/ul>\n","protected":false},"excerpt":{"rendered":"<p>HSL_syslog_cloning First lets create two(2) pools with a single node in each. These will be used in our iRule to clone the UDP datagram to both. pool_SyslogServer001 pool_SyslogServer001 Now that we created the two(2) pools&#46;&#46;&#46;<\/p>\n","protected":false},"author":2,"featured_media":4241,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[65,82],"class_list":["post-4095","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-f5","tag-f5","tag-irule-2"],"_links":{"self":[{"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/posts\/4095","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4095"}],"version-history":[{"count":20,"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/posts\/4095\/revisions"}],"predecessor-version":[{"id":4118,"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/posts\/4095\/revisions\/4118"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=\/wp\/v2\/media\/4241"}],"wp:attachment":[{"href":"https:\/\/infotechguy.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4095"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4095"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/infotechguy.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4095"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}