Forum Discussion

iRule
Apr 24, 2021

Increasing ASM log capacity in F5

Dear Community,

The default capacity for storing ASM event logs in F5 is 2 GB. If we increase this capacity to 4 GB, please advise whether it will have a negative impact on the health and performance of the F5.

  • Dear iRule,

    The same question was asked on LinkedIn a couple of hours ago. The answer here in this community is the same.

    Changing this default value is not a good idea; it will have an impact on the overall performance of the system.

    The local logs are meant to identify and easily correlate events going on "right now" or in the past couple of hours. Any historical log info should be saved in and retrieved from a SIEM like Splunk or ELK Stack.

    KR

    Daniel

    EDIT: I will add a couple of thoughts after going back to K37655278: BIG-IP ASM operations guide | Chapter 3: BIG-IP ASM event logging.

    You can check what types of events you are logging. Maybe you configured a log profile that is logging all events instead of violations only. By changing this you can increase the time you can search backwards.

    Also, the database is not only limited to 2 GB but also to 3 million records. If you reach the 3 million records first, increasing the DB size to 4 GB won't help.

    I have seen customers that could only "see" the last 60 minutes in their local logs, because they logged >3 million events in that time frame.

    The message stays the same: enable remote logging rather than increasing the DB size.
