Forum Discussion
ASM Event log with local storage
Hi all,
May you help me the way to extend local data storage volume for ASM Event logs? I have been using default profile named "Log illegal requests" in TMOS 11.6, and I don't have remote storage now. Because I want to view event logs more than 01 day period, during auditing time, but the older event logs were deleted. I have researched more information about the local data storage for ASM event log, but I can't find the solution. Could anyone help me? and please correct to me if I have any wrong knowledge. Hope your response. Best regards, Loan.
- Hannes_Rapp_162Nacreous
You can modify the DB log-rotate value from the default of 8 days to 30, this should also cover for /var/log/asm and ASM logs in GUI. Note that there are no guarantees you will always have the backlog for 30 days. If you run out of disk space in /var/log folder, the actual number of days for which you will have the logs will be less.
Increasing log-age value
tmsh modify sys db logrotate.logage value 30 tmsh save sys config
If you would like to increase the disk space for /var/log folder, you can also do it from TMSH; that procedure (Extending disk space for increased logging) is documented in this article: https://support.f5.com/kb/en-us/solutions/public/14000/900/sol14952.htmlproc3
- LoanBMTNimbostratusThank you Hannes Rap! But in TMOS 11.6, /var/log/asm doesn't store Event Application Logs (such as illegal requests", and as I know, Event Application Logs are stored in ASM data DB, which limited with numbers of row or entry length. But I don't really know the way to increase them. Please refer: https://support.f5.com/kb/en-us/solutions/public/16000/000/sol16053.html and https://support.f5.com/kb/en-us/products/big-ip_asm/releasenotes/product/relnote-asm-11-6-0.html
- Hannes_Rapp_162NacreousHello, Sorry for the late reply. The link you gave me also includes a solution which is reverting to pre-11.6 behaviour. However, due to performance issues, it seems like F5 is looking to more aggressively push their clients towards a Remote ASM Logging solution. It does make sense and we've already ditched Local ASM Logging a while ago, only issue is that Remote Logging does not enable you to log POST parameters as was possible with Local Logging (ASM intenal DB). Quoting from the link you gave me: "Beginning in BIG-IP ASM 11.6.0, enhancements were introduced to improve system performance and stability. As a result, the system no longer writes security events to syslog by default and it does not log them locally to the /var/log/asm file. You may enable the send_content_events internal parameter to replicate the old behavior. However, F5 recommends leaving it disabled due to a potential decrease in performance." Would it suffice if you enable the "send_content_events", as recommended in this article, or is it not an option? I'm afraid there are no good alternatives for ASM Local Logging from 11.6 onwards. At least, you would have the logs for a greater number of days in /var/log/asm.x files.
- LoanBMTNimbostratusThank you Hannes Rapp! Sorry for late reply. I think, as recommended, and with my auditing plan, it's better that I should not enable "send_content_events". I'm looking for the solution with new behavior to extend asm local storage, before I implement remote logging plan. Thank you again. Loan.
- Hannes_RappNimbostratus
You can modify the DB log-rotate value from the default of 8 days to 30, this should also cover for /var/log/asm and ASM logs in GUI. Note that there are no guarantees you will always have the backlog for 30 days. If you run out of disk space in /var/log folder, the actual number of days for which you will have the logs will be less.
Increasing log-age value
tmsh modify sys db logrotate.logage value 30 tmsh save sys config
If you would like to increase the disk space for /var/log folder, you can also do it from TMSH; that procedure (Extending disk space for increased logging) is documented in this article: https://support.f5.com/kb/en-us/solutions/public/14000/900/sol14952.htmlproc3
- LoanBMTNimbostratusThank you Hannes Rap! But in TMOS 11.6, /var/log/asm doesn't store Event Application Logs (such as illegal requests", and as I know, Event Application Logs are stored in ASM data DB, which limited with numbers of row or entry length. But I don't really know the way to increase them. Please refer: https://support.f5.com/kb/en-us/solutions/public/16000/000/sol16053.html and https://support.f5.com/kb/en-us/products/big-ip_asm/releasenotes/product/relnote-asm-11-6-0.html
- Hannes_RappNimbostratusHello, Sorry for the late reply. The link you gave me also includes a solution which is reverting to pre-11.6 behaviour. However, due to performance issues, it seems like F5 is looking to more aggressively push their clients towards a Remote ASM Logging solution. It does make sense and we've already ditched Local ASM Logging a while ago, only issue is that Remote Logging does not enable you to log POST parameters as was possible with Local Logging (ASM intenal DB). Quoting from the link you gave me: "Beginning in BIG-IP ASM 11.6.0, enhancements were introduced to improve system performance and stability. As a result, the system no longer writes security events to syslog by default and it does not log them locally to the /var/log/asm file. You may enable the send_content_events internal parameter to replicate the old behavior. However, F5 recommends leaving it disabled due to a potential decrease in performance." Would it suffice if you enable the "send_content_events", as recommended in this article, or is it not an option? I'm afraid there are no good alternatives for ASM Local Logging from 11.6 onwards. At least, you would have the logs for a greater number of days in /var/log/asm.x files.
- LoanBMTNimbostratusThank you Hannes Rapp! Sorry for late reply. I think, as recommended, and with my auditing plan, it's better that I should not enable "send_content_events". I'm looking for the solution with new behavior to extend asm local storage, before I implement remote logging plan. Thank you again. Loan.
Recent Discussions
Related Content
* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com