Forum Discussion

3 Replies

  • ASM will locally hold up to 3 Million log entries, or 2 GB of data in its internal MySQL database, whichever comes first.

    You shouldn't really mess with these settings as they are fine-tuned by F5 for optimal ASM performance. Remember that ASM is a security device and not a logging device. The built-in on-device logging is best used only for troubleshooting and short-term forensics; for production/long-term retention you should use an external logging facility such as Splunk etc.

    • David_M

      ASM will locally hold up to 3 Million log entries, or 2 GB of data in its internal MySQL database, whichever comes first.

      Where is this mentioned? I am unable to find these numbers in any docs..! :(

      • samstep

        Hi David,

        These limits are documented in the BIG-IP ASM Operations Guide:

        https://support.f5.com/csp/article/K37655278

        Scroll down to "Violation log in the Configuration utility" to see the text:

        By default, the local log storage is finite with a maximum capacity of 3 million records stored across all BIG-IP ASM security policies and a maximum database table size of 2 GB on virtual systems and 5 GB on physical systems.

        Note: In versions prior to BIG-IP 12.1.0, the maximum database size is 2 GB for both virtual and physical systems.

        Log entries are rotated out on a strict age basis. If you log multiple applications locally, it is possible for one application to generate more than its share of messages, filling the log and pushing out entries for other applications before they can be investigated.