Using a cluster IP

This support forum board is for support questions relating to Nagios Log Server, our solution for managing and monitoring critical log data.
BanditBBS
Posts: 2474
Joined: Tue May 31, 2011 12:57 pm
Location: Scio, OH

Using a cluster IP

Post by BanditBBS »

So, we created a cluster IP on a load balancer that just round-robins to the two Nagios Log Servers. Here is the issue: since everything is sent to the load balancer and it forwards the packet, everything logged in NLS shows as coming from the load balancer and not the actual machine sending the information.


{
  "_index": "logstash-2015.01.19",
  "_type": "eventlog",
  "_id": "tm9nernCRM2ZrF78mePwtA",
  "_score": null,
  "_source": {
    "EventTime": "2015-01-19 10:15:01",
    "Hostname": "USCHLTW7-012178",
    "SeverityValue": 2,
    "Severity": "INFO",
    "SourceName": "nxlog-ce",
    "ProcessID": 12212,
    "EventReceivedTime": "2015-01-19 10:15:01",
    "SourceModuleName": "internal",
    "SourceModuleType": "im_internal",
    "message": "reconnecting in 1 seconds",
    "@version": "1",
    "@timestamp": "2015-01-19T16:15:03.794Z",
    "host": "10.160.1.10",
    "type": "eventlog"
  },
  "sort": [
    1421684103794,
    1421684103794
  ]
}
"host" is the load balancer IP, but "Hostname" is showing my laptop's hostname. How is everyone else handling this who is using a load balancer?
2 of XI5.6.14 Prod/DR/DEV - Nagios LogServer 2 Nodes
See my projects on the Exchange at BanditBBS - Also check out my Nagios stuff on my personal page at Bandit's Home and at github
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: Using a cluster IP

Post by tmcdonald »

Make a filter to replace host with Hostname?

http://logstash.net/docs/1.4.2/filters/mutate#replace
Former Nagios employee
eloyd
Cool Title Here
Posts: 2190
Joined: Thu Sep 27, 2012 9:14 am
Location: Rochester, NY

Re: Using a cluster IP

Post by eloyd »

Yup. Filter. Change it to hostname or logsource if you're keen on that one.
Eric Loyd • http://everwatch.global • 844.240.EVER • @EricLoyd
I'm a Nagios Fanatic! • Join our public Nagios Discord Server!
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: Using a cluster IP

Post by tmcdonald »

This will of course only work if the original log contained that Hostname field.
krobertson71
Posts: 444
Joined: Tue Feb 11, 2014 10:16 pm

Re: Using a cluster IP

Post by krobertson71 »

Windows events do contain the Hostname field. Linux syslog events do not; they put the hostname in logsource. I edited the syslog pattern to change it from logsource to Hostname, since that field did not exist in the syslog event before.

The problem is you are losing the source IP.

This may not be a problem depending on what type of searches and reporting you are planning.

Personally, I changed the syslog pattern so I could have the Hostname field across both, so I could create a dashboard that included Top 10 Hosts, showing the hostname instead of just the IP.

I would actually search elasticsearch information on clustering.
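The two suggestions above (replace host with Hostname via mutate, and give syslog events a Hostname field derived from logsource) can be combined into one Logstash filter. The block below is an added example written for this page, not configuration from the thread or from Nagios Log Server; it uses Logstash 1.4 syntax, the version linked above, and the field name "lb_ip" is an assumption. The check for the field's existence covers tmcdonald's caveat: without it, a missing Hostname leaves the literal text "%{Hostname}" in host. One caveat a practitioner should keep in mind: Hostname and logsource are written by the sending machine itself, so after this filter host carries a self-reported value, and the only network-level address still on the event (kept here as lb_ip) is the load balancer's. A sender can claim any hostname it likes; the origin can only be established at the balancer, by keeping the real source address.

```logstash
filter {
  # Preserve the transport-level source before it is overwritten. Behind the
  # load balancer this is the balancer's address (10.160.1.10 in the event
  # quoted above), so keep it under a separate name. "lb_ip" is an assumed
  # field name, not one NLS defines.
  mutate {
    add_field => { "lb_ip" => "%{host}" }
  }

  # Windows events shipped by nxlog carry a Hostname field; syslog events
  # parsed by the default pattern put the sender's name in logsource.
  if [Hostname] {
    mutate {
      replace => { "host" => "%{Hostname}" }
    }
  } else if [logsource] {
    mutate {
      # Give syslog events the same Hostname field so a dashboard can
      # group both event types on one field.
      add_field => { "Hostname" => "%{logsource}" }
      replace   => { "host" => "%{logsource}" }
    }
  }
  # Events with neither field fall through and keep host as the balancer IP,
  # so replace never runs against a missing field.
}
```

Both branches overwrite host with a client-supplied value, so searches and Top-N dashboards on host then reflect what the sender reported, not what the network saw; lb_ip only records that the event arrived via the balancer.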
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: Using a cluster IP

Post by tmcdonald »

That would actually be more of a Logstash issue since that's the first link in the chain from sending a log to seeing it in the interface.

Really, there should be a way to configure the load balancer so it retains as much of the original message as it can. It should act as a transparent proxy, or at the very least provide the original IP somewhere when it passes along the logs.
BanditBBS
Posts: 2474
Joined: Tue May 31, 2011 12:57 pm
Location: Scio, OH

Re: Using a cluster IP

Post by BanditBBS »

tmcdonald wrote: That would actually be more of a Logstash issue since that's the first link in the chain from sending a log to seeing it in the interface.

Really, there should be a way to configure the load balancer so it retains as much of the original message as it can. It should act as a transparent proxy, or at the very least provide the original IP somewhere when it passes along the logs.
This is gonna hurt...but...You're right Trevor.

I was informed by our network team that they can either exempt the traffic from being NATed or add a field to the packets with the original IP and name it whatever I want.
eloyd
Cool Title Here
Posts: 2190
Joined: Thu Sep 27, 2012 9:14 am
Location: Rochester, NY

Re: Using a cluster IP

Post by eloyd »

Go with option 2 and name it "IWillNeverDrinkJackAndCokeAgain" :)
tmcdonald
Posts: 9117
Joined: Mon Sep 23, 2013 8:40 am

Re: Using a cluster IP

Post by tmcdonald »

Shall I lock this up and let it slowly fade from our memories and not become my shirt for next year?
BanditBBS
Posts: 2474
Joined: Tue May 31, 2011 12:57 pm
Location: Scio, OH

Re: Using a cluster IP

Post by BanditBBS »

tmcdonald wrote: Shall I lock this up and let it slowly fade from our memories and not become my shirt for next year?
HA! Lock it up, I got what I needed from this... thanks.