Forum Discussion

MSZ's avatar
Icon for Nimbostratus rankNimbostratus
Feb 15, 2016

BIG IP ASM Reporting

Is there anyone who can brief the behavior of charts and the statistics behind them?


For Example:


Security --> Reporting --> Application --> Chart view by "Request Type" Then the output will be displayed there. Say: Legal = 100 Alarmed = 50 Blocked = 20 Drop = 10


Click on "view requests" at the right bottom.


It will show the events:


These events will be much less than the above figures.


4 Replies

  • Please be aware that the ASM has a limited amount of room for logging events. As a result any report that shows you events will of necessity be a subset of the overall numbers. So if your report says that you have blocked 2500 requests, you may only have 20 of those in the event logs. Having said that if the number really is only 20, you should open a case and have support check to ensure that your system is logging properly.


  • By default, logs are stored locally. The Local Storage check box is selected and cannot be cleared unless you enable Remote Storage to store logs remotely. This prevents you from creating a logging profile that does not log any traffic.


    To store logs locally only, leave the Local Storage check box selected.


    To store logs remotely, select the Remote Storage check box.


    To store logs both places, select both check boxes. Optional for local logging: To ensure that the system logs requests for the security policy, even when the logging utility is competing for system resources, select the Guarantee Local Logging check box. From the Response Logging list, select one of the following options.


    By default, the system logs the first 10000 bytes of responses, up to 10 responses per second. You can change the limits by using the response logging system variables. By default, the system logs all requests. To limit the type of requests that the system or server logs, set up the Storage Filter.


    If setting up local event logging only, click Finished. To set up remote logging, continue to set up remote logging.


    When you store the logs locally, the logging utility may compete for system resources. Using the Guarantee Logging setting ensures that the system logs the requests in this situation but may result in a performance reduction in high-volume traffic applications.


    Hence its always recommend to have remote logging, best practice say use ArcSight, Eventlog Analyzer (mostly freeware available e;g ManageEngine log Analyzer) or you can user checkpoint logger.


    Cheers ... Jai


    I Hope it helps!!


    • MSZ's avatar
      Icon for Nimbostratus rankNimbostratus
      Please follow these steps on your device. Go to Security --> Reporting --> Application --> Chart view by "Request Type" ++ Time Period [Last Day] Then the output will be displayed there in the form of Chart with the following table: Legal = [xxxx] Alarmed = [yyyyy] Blocked = [zzzz] ovaerall = [aaaa] Note the Total of Alarmed + Blocked Requests = yyyy + zzzz Click on the "view requests" just right below corner of the table. You will see the event logs which are less than the above value.