Forum Discussion
ASM Logging
Kindly share some article or other information related to the ASM logs which are kept in DB. What about legal requests and illegal requests etc.
Hello MSZ,
 
If running ASM v11.6+ you'll need to enable logging per SOL16053: BIG-IP ASM does not log security events locally by default in 11.6.0
 
For details on setting up ASM logging profiles, I recommend John Wagnon's DevCentral article, The BIG-IP Application Security Manager Part 10: Event Logging.
 
Here's an example from my lab of the ASM logging an illegal Request violation using a URI with /%:
 
Oct 18 09:22:34 bigipVE-25 crit perl[28921]: 01310038:2: [SECEV] Request violations: Evasion technique detected. HTTP protocol compliance sub violations: N/A. Evasion techniques sub violations: N/A. Web services security sub violations: Bad unescape. Virus name: N/A. Support id: 13697844613363007900, source ip: 192.168.100.143, xff ip: N/A, source port: 60132, destination ip: 192.168.201.140, destination port: 80, route_domain: 0, HTTP classifier: /Common/SSOPRD-RP, scheme HTTP, geographic location: , request: , username: , session_id: <59f78b16fc9d332>, violation_rate: 1
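
As an added example (not part of the original post, and not F5 code): a Python parser that splits the [SECEV] line quoted above into named fields for triage or SIEM ingestion. The field labels and their order are inferred from that single sample line only, so other ASM versions or logging profiles may differ; `parse_secev`, `FIELDS` and `HEADER` are names made up for this example.

```python
import re

# The log line from the post above, copied verbatim.
SAMPLE = "Oct 18 09:22:34 bigipVE-25 crit perl[28921]: 01310038:2: [SECEV] Request violations: Evasion technique detected. HTTP protocol compliance sub violations: N/A. Evasion techniques sub violations: N/A. Web services security sub violations: Bad unescape. Virus name: N/A. Support id: 13697844613363007900, source ip: 192.168.100.143, xff ip: N/A, source port: 60132, destination ip: 192.168.201.140, destination port: 80, route_domain: 0, HTTP classifier: /Common/SSOPRD-RP, scheme HTTP, geographic location: , request: , username: , session_id: <59f78b16fc9d332>, violation_rate: 1"

# Field labels in the order they appear in that line (assumed layout, inferred
# from this one sample; not taken from F5 documentation).
FIELDS = [
    "Request violations", "HTTP protocol compliance sub violations",
    "Evasion techniques sub violations", "Web services security sub violations",
    "Virus name", "Support id", "source ip", "xff ip", "source port",
    "destination ip", "destination port", "route_domain", "HTTP classifier",
    "scheme", "geographic location", "request", "username", "session_id",
    "violation_rate",
]
# Syslog prefix: timestamp, host, severity, process[pid], message id, [SECEV] tag.
HEADER = re.compile(
    r"^(?P<time>\w{3}\s+\d+\s[\d:]{8})\s(?P<host>\S+)\s(?P<severity>\w+)\s"
    r"(?P<proc>[^\[\s]+)\[(?P<pid>\d+)\]:\s(?P<msgid>\d+:\d+):\s\[SECEV\]\s(?P<body>.*)$")


def parse_secev(line):
    """Return a dict of header and body fields, or None if not a [SECEV] line."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    event = m.groupdict()
    body = event.pop("body")
    # Locate each label in order. Slicing between labels, instead of splitting
    # on commas, keeps values that themselves contain commas or periods intact.
    marks, pos = [], 0
    for name in FIELDS:
        pat = re.compile(r"(?:^|[.,] )" + re.escape(name) + r"(?::| )\s*")
        hit = pat.search(body, pos)
        if hit:
            marks.append((name, hit.start(), hit.end()))
            pos = hit.end()
    for i, (name, _, end) in enumerate(marks):
        stop = marks[i + 1][1] if i + 1 < len(marks) else len(body)
        value = body[end:stop].strip(" .,")
        # Empty values and the literal N/A both mean "not set".
        event[name] = None if value in ("", "N/A") else value
    return event


if __name__ == "__main__":
    for key, value in parse_secev(SAMPLE).items():
        print(f"{key:40} {value}")
```

The "Support id" value is the one to search for when correlating a syslog entry with the same event elsewhere.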