Forum Discussion

LoanBMT
Oct 01, 2015

ASM Event log with local storage

Hi all,


Could you help me with a way to extend the local data storage volume for ASM event logs? I have been using the default profile named "Log illegal requests" in TMOS 11.6, and I don't have remote storage now. I want to view event logs for a period longer than one day during auditing time, but the older event logs were deleted. I have researched more information about local data storage for the ASM event log, but I can't find a solution. Could anyone help me? And please correct me if I have any wrong knowledge. Hoping for your response. Best regards, Loan.


  • You can modify the DB log-rotate value from the default of 8 days to 30; this should also cover /var/log/asm and the ASM logs in the GUI. Note that there is no guarantee you will always have the backlog for 30 days: if you run out of disk space in the /var/log folder, the actual number of days for which you have logs will be less.

    Increasing log-age value

    tmsh modify sys db logrotate.logage value 30
    tmsh save sys config
    

    If you would like to increase the disk space for /var/log folder, you can also do it from TMSH; that procedure (Extending disk space for increased logging) is documented in this article: https://support.f5.com/kb/en-us/solutions/public/14000/900/sol14952.htmlproc3
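    The two tmsh commands above set a fixed retention. As an added example that is not part of this thread or of F5's documentation, the script below first sizes the retention to what /var/log can actually hold (the caveat in the answer), then applies it with the same tmsh commands and reads the value back. Everything that is not on this page is an assumption: the daily log volume is supplied by the operator in MB, a 20% safety margin is kept, the df sample used for the offline check is constructed, and the apply step runs only where tmsh is on PATH. Whether this setting also governs the ASM GUI event log in 11.6 is what the rest of the thread discusses; the script only reasons about files under /var/log.

```shell
#!/bin/sh
# Added example, not from the original thread: size logrotate.logage to what
# /var/log can hold before applying it with the tmsh commands from the answer.
# Assumptions (not from the page): daily log volume is given by the operator
# in MB, a 20% safety margin is kept, tmsh is on PATH when the apply step
# runs, and the df output used for the offline check is constructed.
set -eu

# Pure helper: number of days of retention that fit in free_mb given
# daily_mb of new log data, capped at max_days and never below 1.
retention_days() {
  free_mb=$1; daily_mb=$2; max_days=${3:-30}
  if [ "$daily_mb" -le 0 ]; then
    echo "$max_days"; return 0
  fi
  usable=$(( free_mb * 80 / 100 ))   # keep 20% headroom for other logs
  days=$(( usable / daily_mb ))
  if [ "$days" -gt "$max_days" ]; then days=$max_days; fi
  if [ "$days" -lt 1 ]; then days=1; fi
  echo "$days"
}

# Pure helper: "Available" column (MB) from `df -Pm <path>` output.
free_mb_from_df() {
  printf '%s\n' "$1" | awk 'NR == 2 { print $4 }'
}

# Constructed sample of `df -Pm /var/log` (device name and sizes invented).
SAMPLE_DF='Filesystem 1048576-blocks Used Available Capacity Mounted on
/dev/sda5 2960 1700 1110 61% /var/log'

# Apply step: the two tmsh commands from the answer, plus a read-back so the
# change can be verified in the output.
apply_logage() {
  tmsh modify sys db logrotate.logage value "$1"
  tmsh save sys config
  tmsh list sys db logrotate.logage
}

main() {
  daily_mb=${1:?usage: $0 <MB of log data written per day>}
  free_mb=$(free_mb_from_df "$(df -Pm /var/log)")
  days=$(retention_days "$free_mb" "$daily_mb" 30)
  echo "free=${free_mb}MB daily=${daily_mb}MB -> logrotate.logage=${days}"
  apply_logage "$days"
}

# Only run the apply step on a BIG-IP (tmsh present); elsewhere the helpers
# can still be sourced and checked, e.g. retention_days 1110 50 30 -> 17.
if command -v tmsh >/dev/null 2>&1; then
  main "$@"
fi
```

    The daily figure can be estimated from the size of one day's rotated file under /var/log; if the computed value comes out well below 30, extending the /var/log volume (the procedure linked above) is the only way to get the full backlog.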

    • LoanBMT
      Thank you Hannes Rapp! But in TMOS 11.6, /var/log/asm doesn't store Event Application Logs (such as "illegal requests"), and as far as I know, Event Application Logs are stored in the ASM data DB, which is limited in number of rows or entry length. But I don't really know how to increase them. Please refer to: https://support.f5.com/kb/en-us/solutions/public/16000/000/sol16053.html and https://support.f5.com/kb/en-us/products/big-ip_asm/releasenotes/product/relnote-asm-11-6-0.html
    • Hannes_Rapp_162
      Hello, sorry for the late reply. The link you gave me also includes a solution, which is reverting to pre-11.6 behaviour. However, due to performance issues, it seems like F5 is looking to more aggressively push their clients towards a Remote ASM Logging solution. It does make sense, and we already ditched Local ASM Logging a while ago; the only issue is that Remote Logging does not enable you to log POST parameters as was possible with Local Logging (ASM internal DB). Quoting from the link you gave me: "Beginning in BIG-IP ASM 11.6.0, enhancements were introduced to improve system performance and stability. As a result, the system no longer writes security events to syslog by default and it does not log them locally to the /var/log/asm file. You may enable the send_content_events internal parameter to replicate the old behavior. However, F5 recommends leaving it disabled due to a potential decrease in performance." Would it suffice if you enable "send_content_events", as described in this article, or is it not an option? I'm afraid there are no good alternatives for ASM Local Logging from 11.6 onwards. At least you would have the logs for a greater number of days in /var/log/asm.x files.
    • LoanBMT
      Thank you Hannes Rapp! Sorry for the late reply. I think, as recommended, and with my auditing plan, it's better that I should not enable "send_content_events". I'm looking for a solution with the new behavior to extend ASM local storage, before I implement the remote logging plan. Thank you again. Loan.