In my last post, I talked about two routing modes used on load balancers: NAT and transparent. As you may recall, I recommended against using transparent mode unless it is a common practice to use a load balancer as the default gateway in your environment. In this blog post, I would like to provide another workaround that would enable transparent mode without having to point the default gateway of your Log Insight nodes to the load balancer!
CREDIT: Shout out to my colleague Joseph Andreatta for testing this out and providing the information.
WARNING: This is not officially supported. Proceed at your own risk.
While the Log Insight virtual appliance is a black box, it is at its core a SLES operating system. As such, you can modify the networking properties. One workaround to get transparent mode working is to configure the virtual server on the loopback interface of the Log Insight nodes.
What is a loopback interface?
The loopback interface is a virtual network interface that is primarily used for internal testing within a system. For more information see this forum.
How can you configure it for transparent mode?
On each node you must add the virtual server VIP to the loopback interface, to do so, add IPADDR_LB, NETMASK_LB, & BROADCAST_LB to /etc/sysconfig/network/ifcfg-lo and then restart lo (ifdown lo; ifup lo).
# cat /etc/sysconfig/network/ifcfg-lo # Loopback (lo) configuration IPADDR=127.0.0.1 NETMASK=255.0.0.0 NETWORK=127.0.0.0 BROADCAST=127.255.255.255 IPADDR_2=127.0.0.2/8 IPADDR_LB=10.162.220.4/24 NETMASK_LB=255.255.255.0 BROADCAST_LB=10.162.220.25 STARTMODE=auto USERCONTROL=no FIREWALL=no
This address will NOT show up in ifconfig:
# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0C:29:01:DD:FF
inet addr:10.162.220.153 Bcast:10.162.220.255 Mask:255.255.255.0
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:25148 errors:0 dropped:0 overruns:0 frame:0
TX packets:16336 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:14897540 (14.2 Mb) TX bytes:12885377 (12.2 Mb)
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:16402840 errors:0 dropped:0 overruns:0 frame:0
TX packets:16402840 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:18374781517 (17523.5 Mb) TX bytes:18374781517 (17523.5 Mb)
but it will show up in ifstatus lo:
# ifstatus lo lo 1: lo: <LOOPBACK,UP,LOWER_UP> mtu 16436 qdisc noqueue state UNKNOWN link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00 inet 127.0.0.1/8 brd 127.255.255.255 scope host lo inet 10.162.220.4/24 brd 10.162.220.25 scope global lo inet 127.0.0.2/8 brd 127.255.255.255 scope host secondary lo Configured IPv4 routes for interface lo: 127/8 - - lo Active IPv4 routes for interface lo: 127.0.0.0/8 scope link 1 of 1 configured IPv4 routes for interface lo up Active IPv6 routes for interface lo: 127.0.0.0/8 scope link lo is up
Using transparent mode
With the loop back interface configured to point to the load balancer, you can now enable transparent mode on the load balancer. Upon doing so, you should now be able to see the real client IP sending the event to the load balancer (look at the source field of events coming in over the syslog protocol)!
NOTE: the real client IP may still be a syslog aggregator so it may not be the originator of the event.
Summary
By configuring the loopback interface on Log Insight nodes to be the virtual server IP address, transparency mode on load balancers will work for a Log Insight cluster because the cluster can directly talk with the actual client – this is known as direct routing. Be aware that this workaround is technically unsupported because you are modifying the virtual appliance.
© 2014, Steve Flanders. All rights reserved.
