Skip to main content

This document provides configuration examples and reference links for setting up third-party load balancers with Cribl Stream syslog deployments. Load balancers are essential for distributing syslog traffic across multiple Cribl Stream Worker Nodes, as syslog senders have no built-in load balancing capabilities.

 

Prerequisites

Before implementing these configurations, ensure you have:

  • Multiple Cribl Stream Worker Nodes deployed
  • Network connectivity between your load balancer and Worker Nodes
  • Understanding of your syslog traffic patterns (UDP vs TCP, volume, etc.)
  • Appropriate firewall rules and security policies in place

For architectural guidance and best practices, see the main Cribl Stream Syslog Use Case Guide.

 

Load Balancer Requirements

When configuring load balancers for syslog with Cribl Stream:

  • For syslog traffic: Can use Application Load Balancer or Network Load Balancer
  • Health checks: Ensure proper health check configuration for Worker Node availability
  • Protocol support: Must support both UDP and TCP as needed for your syslog sources

 

Configuration Examples

 

F5 BIG-IP Example

This configuration creates a UDP virtual server and pool for load balancing syslog traffic across multiple Cribl Stream Workers:

ltm virtual udpsyslog_514_vs { 
destination 10.10.10.10:514 
ip-protocol udp 
mask 255.255.255.255 
pool udpsyslog_514_pool 
profiles { 
    udp { } 
} 
Vlans-disabled 
}

ltm pool udpsyslog_514_pool { 
members { 
    10.10.20.10:514 { 
        address 10.10.20.10 
        session monitor-enabled 
        state up 
    } 
    10.10.20.20:514 { 
        address 10.10.20.20 
        session monitor-enabled 
        state up 
    } 
} 
monitor tcp 
service-down-action reset 
}

Key Configuration Notes:

  • Replace IP addresses with your actual Worker Node IPs
  • Adjust pool members based on your number of Worker Nodes
  • Consider separate configurations for TCP and UDP if both are needed
     

Citrix Netscaler Example

Reference: Load Balancing syslog Servers

This configuration shows Netscaler acting as a load balancer to distribute incoming syslog traffic from various network devices across multiple Cribl Stream Worker Nodes. The configuration creates separate virtual servers for UDP and TCP protocols, ensuring proper load distribution and high availability for syslog ingestion.

This configuration creates separate load balancing virtual servers for UDP and TCP syslog traffic, distributing connections across multiple Cribl Stream Worker Nodes:

# Define services for Cribl Stream Worker Nodes
# UDP Services
add service worker1-udp 192.0.2.10 SYSLOGUDP 514
add service worker2-udp 192.0.2.11 SYSLOGUDP 514
add service worker3-udp 192.0.2.12 SYSLOGUDP 514

# TCP Services
add service worker1-tcp 192.0.2.10 SYSLOGTCP 514
add service worker2-tcp 192.0.2.11 SYSLOGTCP 514
add service worker3-tcp 192.0.2.12 SYSLOGTCP 514

# Create virtual servers for load balancing
add lb vserver syslog-udp-lb SYSLOGUDP 0.0.0.0 514 -lbMethod ROUNDROBIN
add lb vserver syslog-tcp-lb SYSLOGTCP 0.0.0.0 514 -lbMethod ROUNDROBIN

# Bind UDP services to UDP virtual server
bind lb vserver syslog-udp-lb worker1-udp
bind lb vserver syslog-udp-lb worker2-udp
bind lb vserver syslog-udp-lb worker3-udp

# Bind TCP services to TCP virtual server
bind lb vserver syslog-tcp-lb worker1-tcp
bind lb vserver syslog-tcp-lb worker2-tcp
bind lb vserver syslog-tcp-lb worker3-tcp

Key Configuration Notes: 

  • Replace IP addresses (192.0.2.10, 192.0.2.11, 192.0.2.12) with your actual Cribl Stream Worker Node IPs
  • This example shows 3 Worker Nodes; adjust the number of services based on your deployment
  • Uses ROUNDROBIN load balancing method; consider LEASTCONNECTION for TCP traffic
  • Creates separate virtual servers for UDP and TCP to ensure proper traffic handling
  • Virtual servers listen on all interfaces (0.0.0.0); specify your load balancer IP if needed

Alternative Configuration for Hash-Based Load Balancing:

If you need consistent routing of syslog messages from the same source to the same Worker Node:

# Use source IP hash for consistent routing

add lb vserver syslog-udp-lb SYSLOGUDP 0.0.0.0 514 -lbMethod SOURCEIPHASH

add lb vserver syslog-tcp-lb SYSLOGTCP 0.0.0.0 514 -lbMethod SOURCEIPHASH

 

AWS Network Load Balancer (NLB) Guide

For AWS deployments, Network Load Balancer provides the best performance for syslog traffic.

Reference: UDP Load Balancing for Network Load Balancer

 

Key Considerations:

  • Use NLB for both UDP and TCP syslog traffic
  • Configure appropriate health checks for Worker Nodes
  • Consider cross-zone load balancing for high availability
  • Ensure security groups allow syslog traffic on configured ports

 

NGINX Plus Guide

NGINX Plus provides robust TCP and UDP load balancing capabilities suitable for syslog deployments.

Reference: TCP and UDP Load Balancing

 

Key Features:

  • Health checks for upstream servers
  • Session persistence options
  • SSL/TLS termination capabilities
  • Real-time monitoring and statistics

 

HAProxy (Including TCP Break-Apart)

HAProxy offers excellent syslog load balancing capabilities with ring buffer support for high-performance scenarios.

Reference: haproxy speaks syslog

Be the first to reply!

Reply


Terms & ConditionsCookie settings