Can I extend the time of advanced WAF security events shown

Wasfi_Bounni

Hi;

For the security events that can be seen in the GUI by going to Security > Events > Application > Requests, these events are shown in real time and they go back in time by about half an hour.

My question is: Can this half-hour interval be increased?

Kindly

Wasfi

Accepted solution

Hi Wasfi,

Quoting from K37655278: By default, the local log storage is finite with a maximum capacity of 3 million records stored across all BIG-IP ASM security policies and a maximum database table size of 2 GB on virtual systems and 5 GB on physical systems.

Changing this default value is not a good idea; it will have an impact on the overall performance of the system.

The local logs are meant to identify and easily correlate events going on "right now" or in the past couple of hours. Any historical log info should be saved in and retrieved from a SIEM like Splunk or ELK Stack.

You can check what types of events you are logging. Maybe you configured a log profile that is logging all events instead of violations only. By changing this you can increase the time you can search backwards.

Also, the database is not only limited to 2 GB but also to 3 million records. If you reach the 3 million records first, increasing the DB size to 4 or 5 GB won't help.

KR

Daniel
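As an added illustration of Daniel's two points (check whether a log profile stores all requests locally rather than illegal requests only, and remember that the 3 million record cap and the table size cap both apply), here is a small Python script. It is example code written for this page, not F5 code. It assumes the brace-structured layout that `tmsh list security log profile` prints (the sample below is constructed from memory of that format, including the `filter { request-type { values { all } } }` and `local-storage enabled` keys, and should be checked against a real box), and it estimates how far back a local log of 3 million records can reach at a given request rate.

```python
"""Flag BIG-IP ASM log profiles that fill the local request log fastest.

Added example, not F5 code. The tmsh layout below is an assumption based on
memory of `tmsh list security log profile` output; the sample is constructed.
"""
import re

# Constructed sample resembling `tmsh list security log profile` output.
SAMPLE_TMSH_OUTPUT = """\
security log profile /Common/Log_all_requests {
    application {
        /Common/Log_all_requests {
            filter {
                request-type {
                    values { all }
                }
            }
            local-storage enabled
        }
    }
}
security log profile /Common/Log_illegal_requests {
    application {
        /Common/Log_illegal_requests {
            filter {
                request-type {
                    values { illegal }
                }
            }
            local-storage enabled
            remote-storage splunk
        }
    }
}
"""

MAX_LOCAL_RECORDS = 3_000_000  # default cap quoted from K37655278 in the thread
ONE_LINE_BLOCK = re.compile(r"(.+?)\s*\{\s*(.*?)\s*\}")  # e.g. `values { all }`


def parse_tmsh(text):
    """Parse tmsh brace syntax into nested dicts.

    Each line is `key value`, `key {` (opens a block), `key { a b }` (a
    one-line list) or `}` (closes a block). Unknown constructs are kept as
    plain strings so the parser never throws on extra keys.
    """
    root, stack = {}, []
    stack.append(root)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "}":
            stack.pop()
            continue
        one_line = ONE_LINE_BLOCK.fullmatch(line)
        if one_line:
            key, inner = one_line.group(1).strip(), one_line.group(2)
            stack[-1][key] = inner.split() if inner else {}
            continue
        if line.endswith("{"):
            child = {}
            stack[-1][line[:-1].strip()] = child
            stack.append(child)
            continue
        key, _, value = line.partition(" ")
        stack[-1][key] = value
    return root


def find_noisy_profiles(text):
    """Names of profiles whose application log writes every request locally."""
    noisy = []
    for key, body in parse_tmsh(text).items():
        if not key.startswith("security log profile "):
            continue
        name = key[len("security log profile "):]
        for app in body.get("application", {}).values():
            values = app.get("filter", {}).get("request-type", {}).get("values", [])
            if "all" in values and app.get("local-storage") == "enabled":
                noisy.append(name)
    return noisy


def effective_record_cap(avg_record_bytes, table_size_bytes):
    """Whichever limit is hit first: the record count or the table size."""
    return min(MAX_LOCAL_RECORDS, table_size_bytes // avg_record_bytes)


def retention_hours(requests_per_second, max_records=MAX_LOCAL_RECORDS):
    """Hours of history the local log holds before the oldest rows are pruned."""
    if requests_per_second <= 0:
        raise ValueError("request rate must be positive")
    return max_records / requests_per_second / 3600


if __name__ == "__main__":
    for name in find_noisy_profiles(SAMPLE_TMSH_OUTPUT):
        print(f"{name}: logs all requests locally; consider request-type illegal")
    # Hypothetical rate: 2000 logged requests/s empties the 3M window in 25 min.
    print(f"retention at 2000 rps: {retention_hours(2000) * 60:.0f} minutes")
    print(f"cap with 1 KiB rows in 2 GiB: {effective_record_cap(1024, 2 * 1024**3)}")
```

The retention figure is what makes the half-hour observation in the question plausible: at a couple of thousand logged requests per second, an all-requests profile cycles through 3 million rows in well under an hour, and at that rate a larger table would not help because the record cap is reached first, exactly as the answer says.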

 
