ASM - Suppressing a particular log event

Question

I have multiple event logs filling up for the Illegal URL /favicon.ico. The file does not exist.&nbsp;
I do not wish to allow the URL and I do not want to see violation logs on that.&nbsp;
Is there a way to achieve that?&nbsp;

jad_tabbara__j1 · Answer

Hello Mike,&nbsp;
Which logging profiles are you using "Log all requests" or "Log Illegal Requests" ?&nbsp;
I recommend you to use the "Log Illegal Requests". &nbsp;
Does /favicon.ico requests generates incidents ? What are the incidents generated ? &nbsp;
Thanks&nbsp;

nathe · Answer

Have you explicitly allowed URLs in your policy? If so, then any other URL not mentioned will generate Illegal URL - which i think is what's happening from your description. You could uncheck the Alarm flag from this violation in the Blocking Settings so you don't get alerts, however, you will no longer get alerts when this violation is triggered, irrespective of the URL (favicon or otherwise).&nbsp;
Alternatively, you could create an iRule or Local Traffic Policy to check the URL and drop/reset if favicon is the destination URI. This way ASM won't see the traffic to create an event log.&nbsp;
Hope this helps.&nbsp;
N&nbsp;

Forum Discussion

ASM - Suppressing a particular log event

Recent Discussions

XC Bot defense question

LTM Rule, iRule, or Brute Force Configuration to Limit URL Access

NetScaler to F5 Migration

Application only need to access from 2 uris

In Radius auth, how to allow second attempt of token input when the first input is incorrect?

Related Content

F5 Distributed Cloud WAF AI/ML Model to Suppress False Positives

iRule Event Order Flowchart

suppressed messages in ltm log

Suppress MFA for a period of time

Security Automation with F5 BIG-IP and Event Driven Ansible

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS