clazba
Nov 01, 2012

Disabling local logging on ASM

Hi,

I am having a few issues correctly configuring remote logging (or rather completely disabling local logging) for ASM and was hoping someone here could point me in the right direction.

I have created a ‘remote only’ logging profile (no local storage) for illegal requests only and applied it to the policy – screenshots attached – so far so good, I can tail /var/log/syslog on the remote server and see illegal reqs being logged as intended.

Now that I have remote logging working fine I want to completely disable local logging to /var/log/asm to minimize disk I/O as we believe this might be causing performance degradation for a customer – I understand this should be achievable by unticking the ‘alarm’ box relative to the violation in the blocking mask and SOL11645 seems to be confirming this:

If both the Learn and Alarm flags are disabled for a certain violation, requests that trigger that violation are not logged by the system to the /var/log/asm file. These requests are logged to only the Reporting/Requests screen or, if the logging profile for the web application specifies a remote storage type, to the remote server.

However, in my tests, this doesn’t seem to work as per the solution article – if I enable Learn and Alarm in the blocking mask Illegal Requests are logged to both remote syslog and /var/log/asm; if I disable Learn and Alarm in the blocking mask Illegal Requests do not get logged at all – neither remote syslog nor locally.

Is there another way to completely disable local logging (/var/log/asm) or am I missing something here?

Thanks in advance for any insight.

4 Replies

  • clazba
    Posted By clazba on 11/01/2012 07:18 AM

  • You could remove the part of the syslog-ng configuration that logs to /var/log/asm:

    File is located at /etc/syslog-ng/syslog-ng.conf

    -------------------------------------------
    # local3.* /var/log/asm
    filter f_local3 {
        facility(local3);
    };

    destination d_asm {
        file("/var/log/asm" create_dirs(yes));
    };

    log {
        source(s_syslog_pipe);
        filter(f_local3);
        destination(d_asm);
    };
    ---------------------------------------------

    Use vi to remove the relevant configuration, then save the file and reload syslog-ng (bigstart restart syslog-ng)
  • clazba
    Thanks Cory that was very helpful indeed -- rather than modifying syslog-ng.conf manually and removing those entries I simply changed the destination for d_asm to my syslog server with tmsh – this alone seemed to do the trick >>

    1. tmsh> edit sys syslog

    2.
    modify syslog {
        include "
            destination d_asm {
                udp(\"192.168.1.202\" port(514));
            };
        "
    }

  • That's actually a better way to do it. Doing it through tmsh ensures that the configuration will remain if you upgrade your device in the future. Had you done it the way I suggested, your modifications would have been lost when you upgraded.
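An added check (not from this thread and not F5's own tooling) that applies to both Cory's config fragment and clazba's tmsh override: it parses a syslog-ng snippet and reports where the ASM facility (local3) is actually delivered, so you can confirm after a change that no local file destination is still fed. It assumes the simplified one-block-per-statement syntax shown in the thread; both config samples are constructed, and 192.0.2.10 is a placeholder collector address.

```python
import re

# Constructed "before" snippet modelled on the syslog-ng fragment in the thread:
# the ASM facility (local3) is written to a local file.
BEFORE = """
filter f_local3 { facility(local3); };
destination d_asm { file("/var/log/asm" create_dirs(yes)); };
log { source(s_syslog_pipe); filter(f_local3); destination(d_asm); };
"""

# Constructed "after" snippet: d_asm now points at a remote collector
# (192.0.2.10 is a documentation-range placeholder, not a real host).
AFTER = """
filter f_local3 { facility(local3); };
destination d_asm { udp("192.0.2.10" port(514)); };
log { source(s_syslog_pipe); filter(f_local3); destination(d_asm); };
"""

# Matches top-level filter/destination/log blocks of the simplified syntax.
BLOCK = re.compile(r'\b(filter|destination|log)\s*(\w*)\s*\{(.*?)\};', re.S)


def parse(conf):
    """Return (filters, destinations, log paths) from a syslog-ng snippet."""
    filters, dests, paths = {}, {}, []
    for kind, name, body in BLOCK.findall(conf):
        if kind == 'filter':         # facilities the filter selects
            filters[name] = re.findall(r'facility\((\w+)\)', body)
        elif kind == 'destination':  # (driver, target) pairs, e.g. ('file', path)
            dests[name] = re.findall(r'(file|udp|tcp)\("([^"]+)"', body)
        else:                        # log path: which filters feed which destinations
            paths.append({k: re.findall(r'\b%s\((\w+)\)' % k, body)
                          for k in ('filter', 'destination')})
    return filters, dests, paths


def targets_for_facility(conf, facility='local3'):
    """Every (driver, target) that some log path delivers the facility to."""
    filters, dests, paths = parse(conf)
    out = []
    for path in paths:
        if any(facility in filters.get(f, []) for f in path['filter']):
            for d in path['destination']:
                out.extend(dests.get(d, []))
    return out


def local_files_for_facility(conf, facility='local3'):
    """Local file targets still receiving the facility; empty means no local log."""
    return [t for drv, t in targets_for_facility(conf, facility) if drv == 'file']
```

Run it against the real /etc/syslog-ng/syslog-ng.conf after a change to confirm the list of local files for local3 is empty and the remote target is the one you expect.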