Forum Discussion
NimbostratusLog retention period in F5 ASM
For how long does the F5 ASM save the logs before removing it? And can we modify the same ? does it depend on the log directory size ?
samstepCirrocumulus
ASM will locally hold up to 3 Million log entries, or 2 GB of data in its internal MySQL database, whichever comes first.
You shouldn't really mess with these settings as they are fine-tuned by F5 for optimal ASM performance. Remember that ASM is a security device and not a logging device. The built-in on-device logging is best used only for troubleshooting and short-term forensics, for production/long-term retention you should use an external logging facility such as Splunk etc.
David_MCirrostratus
ASM will locally hold up to 3 Million log entries, or 2 GB of data in its internal MySQL database, whichever comes first.
where is this mentioned, I am unable to find these numbers in any docs..! :(
- samstep
Hi David,
These limits are documented in the BIG-IP ASM Operations Guide
https://support.f5.com/csp/article/K37655278
Scroll down to "Violation log in the Configuration utility" to see the text:
By default, the local log storage is finite with a maximum capacity of 3 million records stored across all BIG-IP ASM security policies and a maximum database table size of 2 GB on virtual systems and 5 GB on physical systems.
Note: In versions prior to BIG-IP 12.1.0, the maximum database size is 2 GB for both virtual and physical systems.
Log entries are rotated out on a strict age basis. If you log multiple applications locally, it is possible for one application to generate more than its share of messages, filling the log and pushing out entries for other applications before they can be investigated.