I want to implement the session tracking feature in the ASM by setting a session threshold. To determine this threshold I wanted to know how the ASM maintains state information. Is it through the TS cookie (Main ASM cookie) ? I see a session id in the event logs for ASM. Can I expose this session id to remote log server through an iRule for any violations ? This would help me calculate my threshold. Or should this be done through the Main ASM cookie ?
Yes, ASM maintains state information with the Main ASM Cookie, the TS Cookie, and this is tied to the sessionID you see in the event logs.
I do not believe the sessionID itself is exposed via an irule however (see the page on ASM::violation_data), however, you should simply get this information logged remotely anyway when you use remote logging, without needing to extract it within an iRule.
Have a look at this manual on Logging Application Security Events.