hi, in 11.4.1 os, I am not able to display the asm logs older than the current day. in the /var/log/asm, I can see the older asm log files in gz format. is it possible to dispaly those logs through the GUI ? thanks. O.

Omar, are you referring to Application Request logs? If so, you can navigate to Security >> Event Logs >> Application >> Requests and see all the details there.

Thanks John. yes I was referring to the requets events ... I can't get the logs of the previous days in the GUI, only the current day shoes up...even if the asm logs are present in the var/log folder. Any hint? Thanks. O

Hi Omar, from gui you can see asm logs in current file /var/log/asm. Logs for previouse days are in archive files /var/log/asm.*.gz. You need to make changes to the logrotate.conf and cron according to your needs Sol13367

I have 11.6.0 Security >> Event Logs >> Application >> Requests It will display the events of those policies which are in "Blocking" mode and their Signature staging is "Disabled". Blocked Request: It means ASM blocked the request Illegal Request: It is illegal (But whether it is pass or disallow by ASM) Truncated Request: It means request is too large to handle (Should we increase the length?) Please guide me in the above details

ASM back logs | DevCentral

9 Replies

ltwagnon
Ret. Employee
Apr 02, 2014
Omar, are you referring to Application Request logs? If so, you can navigate to Security >> Event Logs >> Application >> Requests and see all the details there.
OM
Altocumulus
Apr 03, 2014
Thanks John. yes I was referring to the requets events ... I can't get the logs of the previous days in the GUI, only the current day shoes up...even if the asm logs are present in the var/log folder.

Any hint?

Thanks.

O
Vitaliy_Savrans
Nacreous
Apr 03, 2014
Hi Omar, from gui you can see asm logs in current file /var/log/asm. Logs for previouse days are in archive files /var/log/asm.*.gz. You need to make changes to the logrotate.conf and cron according to your needs Sol13367
OM
Altocumulus
Apr 03, 2014
Thanks John.
MSZ
Nimbostratus
Sep 17, 2015
I have 11.6.0 Security >> Event Logs >> Application >> Requests

It will display the events of those policies which are in "Blocking" mode and their Signature staging is "Disabled".

Blocked Request: It means ASM blocked the request

Illegal Request: It is illegal (But whether it is pass or disallow by ASM)

Truncated Request: It means request is too large to handle (Should we increase the length?)

Please guide me in the above details
MSZ
Nimbostratus
Sep 20, 2015
Illegal Request: It is illegal (But whether it is pass or disallow by ASM) <-- it is passed to the server, that is the big difference between blocked and illegal. they both violate the policy but only the the blocked ones are stopped. illegal ones are only logged but passed to the server.

You are using Blocked keyword in Illegal request. That's why I am confusing on it. What I understand is that Illegal requests are allowed to pass through the ASM but they are illegal and we have to investigate them as per our requirement. Only focused on Illegal requests.
MSZ
Nimbostratus
Sep 20, 2015
If a Signature staging is enabled then it is possible to see the events log of that policy.

Because I am seeing the logs in: (They are few but appearing) Security >> Event Logs >> Application >> Requests

In this case Blocked request will be considered blocked even signature staging is enabled.
MSZ
Nimbostratus
Sep 21, 2015
Dear Don't bother, but in my case I am able to see the events logs even signature staging is enabled. But inside the signature options we have selected some signatures as Learn, Alarm and Block.
MSZ
Nimbostratus
Sep 21, 2015
Thanks alot Nathan. I got it.

It means Signatures staging only valid for Attack signatures.

It means Illegal requests are also concerned with RFC violations. These will also considered blocked or pass through the ASM.