Forum Discussion

Teemu_Kunnari_1's avatar
Teemu_Kunnari_1
Icon for Nimbostratus rankNimbostratus
Jul 02, 2018

ASM Local storage logging

Hello,

 

I would like to know how what is the default ASM Log buffer size (local storage / f5 system) for Event Logs regarding ASM if you choose the option etc. Log illegal requests? And how long they are stored in the system?

 

Thanks in advance!

 

BR

 

Teemu

 

application delivery
ASM Advanced WAF
security
  • youssef1's avatar
    youssef1
    Icon for Cumulonimbus rankCumulonimbus
    Jul 02, 2018

    Hi,

     

    You have to know that in versions prior to BIG-IP ASM 11.6.0, the system writes security events to the /var/log/asm file by default using syslog.

     

    eginning in BIG-IP ASM 11.6.0, enhancements were introduced to improve system performance and stability. As a result, the system no longer writes security events to syslog by default and it does not log them locally to the /var/log/asm file. You may enable the send_content_events internal parameter to replicate the old behavior. However, F5 recommends leaving it disabled due to a potential decrease in performance.

     

    For more information: https://support.f5.com/csp/article/K16053

     

    In all case I advise you to send your ASM logs to a syslog server. In this case you can manage your logs (retention policy, ...)

     

    Regarding event logs that you can see in GUI, SM will locally hold up to 3 Million log entries, or 2 GB of data, whichever comes first. On device logging is probably best used for troubleshooting and short-term forensics, and an external logging facility is best used for long-term logging.

     

    Fore more info:

     

    https://devcentral.f5.com/questions/asm-request-event-correlation-differencies

     

    https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-config-11-2-0/asm_monitoring.html?sr=528965261055514

     

    Regards