Forum Discussion
brain_damaged
Nimbostratus
NimbostratusMost Blocked Log Events could not be found
Hi All,
I am using WAF F5 and the WAF is intermittently blocking the HTTP requests, as The WAF is running at Blocking Mode.
(It is returning the HTML page generated by WAF with Support ID given)
I checked the Event Logs->Application->Requests
I can find Legal Requests, Unblocked Requests from the list
I can also find some Blocked Requests triggered by HTTP code 405 which was returned from my application server.
But I cannot find other Blocked Requests from the list, either by full search/URL search and support ID search.
I also tried to click the Operation IDs -> Blocked Requests. (There are 441K requests ), but the list is showing nothing.
Is it the settings problem ? Can I find those logs in file system ? e.g. /var/log/xxxx ?
Thank you
- Aswin_mk
Cumulonimbus
Hi
I hope you are logging all requests in logging profiles.
https://my.f5.com/manage/s/article/K000132357
If you are using any syslog server, please check their aswell , if it's getting the request logs
Also you can check the above link for basic troubleshooting
Br
Aswin
sometimes if there are multiple virtual server having "Log all requests" assigned, you might be missing the other logs like "blocked ones" because F5 now is actually logging each and every single request coming to those virtual server.
If this is the case, consider removing these profiles, and add "log illegal requests only" and if the issue still persists, try killing logging process, by running the below commands and test again:
pkill -f pabnagd
pkill -f asmlogd
pkill -f asm_config_server
