Forum Discussion

Cirrocumulus

Jun 01, 2021

Can I extend the time of advanced WAF security events shown

Hi; For the security events that can be seen in the GUI by going to Security> Events > Application > Requests, these events are shown in realtime and they go back in time by about half hour. ...

ASM Advanced WAF

security

Daniel_Wolf
Jun 01, 2021
Hi Wasfi,

quoting from K37655278: By default, the local log storage is finite with a maximum capacity of 3 million records stored across all BIG-IP ASM security policies and a maximum database table size of 2 GB on virtual systems and 5 GB on physical systems.

Changing this default value is not a good idea, it will have impact on the overall performance of the system.
The local logs are meant to identify and easily correlate events going on "right now" or in the past couple of hours. Any historical log info should be saved in and retrieved from a SIEM like Splunk or ELK Stack.
You can check what types of events you are logging. Maybe you configured a log profile that is logging all events instead of violations only. By changing this you can increase the time you can search backwards.
Also, the database is not only limited to 2 GB but also to 3 millions records. If you reach the 3 million records first, increasing the DB size to 4 or 5 GB won't help.

KR
Daniel

Daniel_Wolf

MVP

Jun 01, 2021

Hi Wasfi,

quoting from K37655278: By default, the local log storage is finite with a maximum capacity of 3 million records stored across all BIG-IP ASM security policies and a maximum database table size of 2 GB on virtual systems and 5 GB on physical systems.

Changing this default value is not a good idea, it will have impact on the overall performance of the system.

The local logs are meant to identify and easily correlate events going on "right now" or in the past couple of hours. Any historical log info should be saved in and retrieved from a SIEM like Splunk or ELK Stack.

You can check what types of events you are logging. Maybe you configured a log profile that is logging all events instead of violations only. By changing this you can increase the time you can search backwards.

Also, the database is not only limited to 2 GB but also to 3 millions records. If you reach the 3 million records first, increasing the DB size to 4 or 5 GB won't help.

Daniel

Recent Discussions

Under Attack? F5 Will Help You.
Contacting F5 Support?

DevCentral Quicklinks

* Getting Started on DevCentral
* Community Guidelines
* Community Terms of Use / EULA
* Community Ranking Explained
* Community Resources
* Contact the DevCentral Team
* Update MFA on account.f5.com

Discover DevCentral Connects

* Podcasts
* Social Channels
* Video Streaming

Forum Discussion

Can I extend the time of advanced WAF security events shown

Recent Discussions

Background Tasks

APM with EntraID as idP / request signed

Should config via cli rather than gui?

APM Modern Customization - modify Header in user-common.js and form in user-logon.js

Which process is consuming higher CPU

Related Content

Orchestrated Infrastructure Security - Advanced WAF

SSL Orchestrator Advanced Use Cases: Integrating F5 Advanced Firewall Manager (AFM)

Guarding Large Language Models: Advanced Approaches to Preventing Model Theft

Configuring NGINX API micro-gateway to support Open Banking's Advanced FAPI security profile

SSL Orchestrator Advanced Use Cases: Enabling GCloud Organization Restrictions

ABOUT DEVCENTRAL

RESOURCES

SUPPORT

PARTNERS