Forum Discussion

Wasfi_Bounni
Jun 01, 2021
Solved

Can I extend the time of advanced WAF security events shown

Hi;

For the security events that can be seen in the GUI by going to Security > Events > Application > Requests, these events are shown in real time and they go back in time by about half an hour.

My question is: Can this half hour interval be increased?

Kindly

Wasfi

  • Hi Wasfi,

    quoting from K37655278: By default, the local log storage is finite with a maximum capacity of 3 million records stored across all BIG-IP ASM security policies and a maximum database table size of 2 GB on virtual systems and 5 GB on physical systems.

    Changing this default value is not a good idea; it will have an impact on the overall performance of the system.

    The local logs are meant to identify and easily correlate events going on "right now" or in the past couple of hours. Any historical log info should be saved in and retrieved from a SIEM like Splunk or ELK Stack.

    You can check what types of events you are logging. Maybe you configured a log profile that is logging all events instead of violations only. By changing this you can increase the time you can search backwards.

    Also, the database is not only limited to 2 GB but also to 3 million records. If you reach the 3 million records first, increasing the DB size to 4 or 5 GB won't help.

    KR

    Daniel
