Using a cluster IP

Posted: Mon Jan 19, 2015 11:21 am
by BanditBBS
So, we created a cluster IP on a load balancer that just round-robins to the two Nagios Log Server instances. Here is the issue: since everything is sent to the load balancer and it forwards the packet, everything logged in NLS shows as coming from the load balancer and not the actual machine sending the information.

{
  "_index": "logstash-2015.01.19",
  "_type": "eventlog",
  "_id": "tm9nernCRM2ZrF78mePwtA",
  "_score": null,
  "_source": {
    "EventTime": "2015-01-19 10:15:01",
    "Hostname": "USCHLTW7-012178",
    "SeverityValue": 2,
    "Severity": "INFO",
    "SourceName": "nxlog-ce",
    "ProcessID": 12212,
    "EventReceivedTime": "2015-01-19 10:15:01",
    "SourceModuleName": "internal",
    "SourceModuleType": "im_internal",
    "message": "reconnecting in 1 seconds",
    "@version": "1",
    "@timestamp": "2015-01-19T16:15:03.794Z",
    "host": "10.160.1.10",
    "type": "eventlog"
  },
  "sort": [
    1421684103794,
    1421684103794
  ]
}
The host field is the load balancer IP, but Hostname shows my laptop's hostname. How is everyone else who is using a load balancer handling this?

Re: Using a cluster IP

Posted: Mon Jan 19, 2015 11:27 am
by tmcdonald
Make a filter to replace host with Hostname?

http://logstash.net/docs/1.4.2/filters/mutate#replace

Re: Using a cluster IP

Posted: Mon Jan 19, 2015 11:30 am
by eloyd
Yup. Filter. Change it to hostname or logsource if you're keen on that one.

Re: Using a cluster IP

Posted: Mon Jan 19, 2015 11:39 am
by tmcdonald
This will of course only work if the original log contained that Hostname field.

Re: Using a cluster IP

Posted: Tue Jan 20, 2015 8:22 pm
by krobertson71
Windows events do contain the Hostname field. Linux syslog events do not; they put the hostname in logsource. I edited the syslog pattern to change it from logsource to Hostname, since that field did not exist in the syslog event before.

The problem is you are losing the source IP.

This may not be a problem depending on what type of searches and reporting you are planning.

Personally, I changed the syslog pattern so I have the Hostname field across both, which let me create a dashboard that included a Top 10 Hosts panel showing the hostname instead of just the IP.

I would actually search elasticsearch information on clustering.
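The filter approach discussed in the replies above, written out as an added example (not any poster's own configuration); it assumes Logstash 1.4.x `mutate` syntax, and the `lb_ip` field and `no_source_hostname` tag are names chosen here, not fields from the original events.

```conf
filter {
  # Copy the address the event arrived from (the load balancer) before
  # overwriting [host], so that value is not lost. Done in its own mutate
  # block because add_field runs after replace within a single block.
  mutate {
    add_field => { "lb_ip" => "%{host}" }
  }

  # Windows events (nxlog) carry Hostname; syslog events carry logsource.
  if [Hostname] {
    mutate {
      replace => { "host" => "%{Hostname}" }
    }
  } else if [logsource] {
    mutate {
      replace => { "host" => "%{logsource}" }
      # Assumed choice: give syslog events the same Hostname field so a
      # dashboard can key on one field across both sources.
      add_field => { "Hostname" => "%{logsource}" }
    }
  } else {
    # Neither field present: [host] stays as the load balancer IP, and the
    # event is tagged so these senders can be found and fixed at the source.
    mutate {
      add_tag => [ "no_source_hostname" ]
    }
  }
}
```

Events that still show the load balancer IP in host will carry the `no_source_hostname` tag, which makes them easy to search for.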

Re: Using a cluster IP

Posted: Wed Jan 21, 2015 3:25 pm
by tmcdonald
That would actually be more of a Logstash issue since that's the first link in the chain from sending a log to seeing it in the interface.

Really, there should be a way to configure the load balancer so it retains as much of the original message as it can. It should act as a transparent proxy, or at the very least provide the original IP somewhere when it passes along the logs.

Re: Using a cluster IP

Posted: Wed Jan 21, 2015 3:43 pm
by BanditBBS
tmcdonald wrote: That would actually be more of a Logstash issue since that's the first link in the chain from sending a log to seeing it in the interface.

Really, there should be a way to configure the load balancer so it retains as much of the original message as it can. It should act as a transparent proxy, or at the very least provide the original IP somewhere when it passes along the logs.
This is gonna hurt... but... you're right, Trevor.

I was informed by our network team that they can either exempt the traffic from being NATed or add a field to the packets with the original IP and name it whatever I want.

Re: Using a cluster IP

Posted: Wed Jan 21, 2015 3:47 pm
by eloyd
Go with option 2 and name it "IWillNeverDrinkJackAndCokeAgain" :)

Re: Using a cluster IP

Posted: Wed Jan 21, 2015 4:53 pm
by tmcdonald
Shall I lock this up and let it slowly fade from our memories and not become my shirt for next year?

Re: Using a cluster IP

Posted: Wed Jan 21, 2015 4:57 pm
by BanditBBS
tmcdonald wrote: Shall I lock this up and let it slowly fade from our memories and not become my shirt for next year?
HA! Lock it up, I got what was needed from this... thanks