Forum Discussion

MFS_324204
Nov 09, 2017

ASM fine-tuning using logs in syslog/siem

Hi,

I wanted to ask: based on the current config, the ASM is unable to hold the incident/case ID for more than a few days.

a) Is there any way we can increase the box disk space?

b) If we use a SIEM/syslog server to point these logs to, how difficult is it to search back per rule/policy and fine-tune it from there?

As we are aware, the built-in case/security log is quite good as it has a learn feature along with signature references.

 

  • a) Is there any way we can increase the box disk space?

    You can increase the disk space on the LTM (for VE and vCMP guests, not hardware LTMs), but we do not recommend it. It will also not increase the storage for the ASM event logs - these are database table limitations that should not be modified, as they will negatively impact the device performance.

    What you can do is investigate BIG-IQ Security and the BIG-IQ logging nodes - these form a distributed database system for ASM/AFM event logging, and provide reporting and search facilities.

    b) If we use a SIEM/syslog server to point these logs to, how difficult is it to search back per rule/policy and fine-tune it from there?

    I can't really answer that, because I don't know your SIEM. However, the text logs take a bit more interpreting, so it will be more work. Once you get used to the log format, it will get easier, I guess.

    As we are aware, the built-in case/security log is quite good as it has a learn feature along with signature references.

    Learning/Policy Building aggregates events, so that even if the specific violation is missing from the Event log, there should be related events that illustrate the violation and allow informed configuration changes.

    I hope this helps.


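On the "search back per rule/policy" question above: the following is an added example, not code from this thread or from F5, showing how a SIEM-side export of ASM-style remote log lines can be parsed and aggregated per policy, so the violations, signature IDs and support IDs a tuning decision needs are still reachable after the on-box event log has rolled over. The sample lines are constructed, and the field names (policy_name, support_id, violations, sig_ids, request_status, attack_type, uri) are assumptions for this example; what actually lands in your syslog depends on the storage format configured in the logging profile.

```python
"""Aggregate ASM-style remote syslog events per policy from a SIEM export."""
import re
from collections import Counter, defaultdict

# Constructed sample lines in a comma-separated key="value" style. They are
# hypothetical, not captured F5 output; the field names are assumptions.
SAMPLE_LOGS = [
    '<134>Nov  9 10:12:01 bigip1 ASM:unit_hostname="bigip1",policy_name="/Common/webapp_policy",'
    'request_status="blocked",support_id="1001",violations="Attack signature detected",'
    'sig_ids="200000001",attack_type="SQL-Injection",src_ip="203.0.113.5",uri="/login"',
    '<134>Nov  9 10:12:03 bigip1 ASM:unit_hostname="bigip1",policy_name="/Common/webapp_policy",'
    'request_status="blocked",support_id="1002",'
    'violations="Attack signature detected,Illegal meta character in value",'
    'sig_ids="200000001,200000002",attack_type="Cross Site Scripting (XSS)",'
    'src_ip="203.0.113.7",uri="/search"',
    '<134>Nov  9 10:12:04 bigip1 ASM:unit_hostname="bigip1",policy_name="/Common/api_policy",'
    'request_status="alarmed",support_id="1003",violations="Illegal URL",sig_ids="",'
    'attack_type="",src_ip="198.51.100.9",uri="/v1/old"',
    '<134>Nov  9 10:12:06 bigip1 ASM:unit_hostname="bigip1",policy_name="/Common/webapp_policy",'
    'request_status="alarmed",support_id="1004",violations="Illegal parameter",sig_ids="",'
    'attack_type="",src_ip="203.0.113.5",uri="/login"',
    # A non-ASM syslog line that the parser must skip (constructed).
    '<38>Nov  9 10:12:07 bigip1 sshd[4321]: Accepted publickey for admin from 10.0.0.2',
]

# key="value" pairs; the value may contain commas and escaped quotes.
KV_RE = re.compile(r'(\w+)="((?:[^"\\]|\\.)*)"')


def parse_asm_line(line):
    """Return the ASM payload (after 'ASM:') as a dict, or None for non-ASM lines.
    Multi-valued fields (violations, sig_ids) are split into lists."""
    _, sep, payload = line.partition("ASM:")
    if not sep:
        return None
    fields = {k: v.replace('\\"', '"') for k, v in KV_RE.findall(payload)}
    for multi in ("violations", "sig_ids"):
        fields[multi] = [x for x in fields.get(multi, "").split(",") if x]
    return fields


def summarize_by_policy(lines):
    """Per policy: violation counts, signature hit counts, request outcomes,
    URIs and the set of support IDs, which is what a tuning review needs."""
    summary = defaultdict(lambda: {
        "violations": Counter(), "sig_ids": Counter(), "uris": Counter(),
        "status": Counter(), "support_ids": set()})
    for line in lines:
        ev = parse_asm_line(line)
        if ev is None:
            continue
        s = summary[ev.get("policy_name", "<unknown>")]
        s["violations"].update(ev["violations"])
        s["sig_ids"].update(ev["sig_ids"])
        s["uris"][ev.get("uri", "")] += 1
        s["status"][ev.get("request_status", "")] += 1
        if ev.get("support_id"):
            s["support_ids"].add(ev["support_id"])
    return dict(summary)


def find_by_support_id(lines, support_id):
    """Look up one event by support ID once the box itself no longer holds it."""
    for line in lines:
        ev = parse_asm_line(line)
        if ev and ev.get("support_id") == support_id:
            return ev
    return None


def tuning_candidates(summary, policy, min_hits=2):
    """Signature IDs firing at least min_hits times on a policy, most frequent
    first: the list to review for true positives versus needed exceptions."""
    return [sid for sid, n in summary[policy]["sig_ids"].most_common() if n >= min_hits]


if __name__ == "__main__":
    summary = summarize_by_policy(SAMPLE_LOGS)
    for policy, s in summary.items():
        print(policy, dict(s["status"]), dict(s["violations"]))
        print("  signatures to review:", tuning_candidates(summary, policy, min_hits=1))
```

Run over a real export, replace SAMPLE_LOGS with the lines read from the SIEM and adjust KV_RE and the field names to the storage format your logging profile emits; the aggregation logic stays the same.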
  • Need to translate the pcap to something readable like below:

    Or was my capture actually wrong?

    I used tcpdump -i eth0 host xxx.xxx.xx.xxx (remote syslog server IP)