Forum Discussion

alex_luna_23167's avatar
alex_luna_23167
Icon for Nimbostratus rankNimbostratus
Jun 16, 2017

ASM Security Events Log File

We have ASM v12.1.2 , and we know that this versión doesnt log locally security events on /var/log/asm, my question is , where security events are logged? , i would think is a DB on my sql, because in some document says that security events would send over remote syslog server, could you help me if there is any documentation for this ?

 

Thanks in advance

 

  • Hello Alex,

     

    Depending upon the type of logging profile you have applied to a certain virtual server, either all requests or illegal requests only will be logged to the Event Logs within mysql db and you can navigate through to 'Security ›› Event Logs : Application : Requests' in the Web GUI.

     

    The decision to not log requests locally to /var/log/asm (local syslog, essentially) was as a result of a change in behavior introduced in 11.6.0 and above versions. This was intentional in order to help improve performance of the ASM in general. Its described in greater detail in K16053 article: https://support.f5.com/csp/article/K16053

     

    Moreover, if you wish to log requests remotely to a Remote Syslog, Splunk or ArcSight, then you can do that by creating a custom Logging Profile with Remote Storage option.

     

8 Replies

  • Ashwin_Venkat_1's avatar
    Ashwin_Venkat_1
    Historic F5 Account

    Hello Alex,

     

    Depending upon the type of logging profile you have applied to a certain virtual server, either all requests or illegal requests only will be logged to the Event Logs within mysql db and you can navigate through to 'Security ›› Event Logs : Application : Requests' in the Web GUI.

     

    The decision to not log requests locally to /var/log/asm (local syslog, essentially) was as a result of a change in behavior introduced in 11.6.0 and above versions. This was intentional in order to help improve performance of the ASM in general. Its described in greater detail in K16053 article: https://support.f5.com/csp/article/K16053

     

    Moreover, if you wish to log requests remotely to a Remote Syslog, Splunk or ArcSight, then you can do that by creating a custom Logging Profile with Remote Storage option.

     

    • alex_luna_23167's avatar
      alex_luna_23167
      Icon for Nimbostratus rankNimbostratus

      Thanks Ashwin, I really appreciate your help for this question, i just want to know how it works for logging profile

       

      Regards

       

    • Ashwin_Venkat_1's avatar
      Ashwin_Venkat_1
      Historic F5 Account

      Hi Alex, what sort of Logging Profile are you using in this case? Is it being used with local storage or remote storage?

       

    • alex_luna_23167's avatar
      alex_luna_23167
      Icon for Nimbostratus rankNimbostratus

      We thought they were saved locally, but we already saw that it would have to configure remote syslog so that you can see the ASM events since in version before 11.6 they were saved locally

       

  • Hello Alex,

     

    Depending upon the type of logging profile you have applied to a certain virtual server, either all requests or illegal requests only will be logged to the Event Logs within mysql db and you can navigate through to 'Security ›› Event Logs : Application : Requests' in the Web GUI.

     

    The decision to not log requests locally to /var/log/asm (local syslog, essentially) was as a result of a change in behavior introduced in 11.6.0 and above versions. This was intentional in order to help improve performance of the ASM in general. Its described in greater detail in K16053 article: https://support.f5.com/csp/article/K16053

     

    Moreover, if you wish to log requests remotely to a Remote Syslog, Splunk or ArcSight, then you can do that by creating a custom Logging Profile with Remote Storage option.

     

    • alex_luna_23167's avatar
      alex_luna_23167
      Icon for Nimbostratus rankNimbostratus

      Thanks Ashwin, I really appreciate your help for this question, i just want to know how it works for logging profile

       

      Regards

       

    • Ashwin_Venkat's avatar
      Ashwin_Venkat
      Icon for Employee rankEmployee

      Hi Alex, what sort of Logging Profile are you using in this case? Is it being used with local storage or remote storage?

       

    • alex_luna_23167's avatar
      alex_luna_23167
      Icon for Nimbostratus rankNimbostratus

      We thought they were saved locally, but we already saw that it would have to configure remote syslog so that you can see the ASM events since in version before 11.6 they were saved locally