Forum Discussion
Increasing ASM log capacity in F5
- Apr 24, 2021
Dear iRule,
the same question was asked on LinkedIn a couple of hours ago. The answer here in this community is the same.
Changing this default value is not a good idea; it will have an impact on the overall performance of the system.
The local logs are meant to identify and easily correlate events going on "right now" or in the past couple of hours. Any historical log info should be saved in and retrieved from a SIEM like Splunk or ELK Stack.
KR
Daniel
EDIT: I will add a couple of thoughts after going back to K37655278: BIG-IP ASM operations guide | Chapter 3: BIG-IP ASM event logging.
You can check what types of events you are logging. Maybe you configured a log profile that is logging all events instead of violations only. By changing this you can increase the time you can search backwards.
Also, the database is not only limited to 2 GB but also to 3 million records. If you reach the 3 million records first, increasing the DB size to 4 GB won't help.
I have seen customers that could only "see" the last 60 minutes in their local logs, because they logged >3 million events in that time frame.
The message stays the same: enable remote logging rather than increasing the DB size.