MSZ
Jan 18, 2016 (Nimbostratus)
ASM Logging
Kindly explain the following queries related to the logs:
- What is the default size of the logs file?
- After how many days does it rotate or compress the logs?
ASM will locally hold up to 3 million log entries, or 2 GB of data, whichever comes first. On-device logging is probably best used for troubleshooting and short-term forensics, and an external logging facility is best used for long-term logging.
Hello Tzoori,
Is it possible to change/reduce these values? If yes, how? I didn't find any documentation about it (ASM v12.1.2).
For example, to reduce the ASM log DB size from 2 GB to 1 GB and the 3 million entries to 1.5 million?
Thanks
Hi,
1. (tmos) list sys log-rotate max-file-size
2. (tmos) list sys db logrotate.logage
Kindly share an article or other information related to the ASM logs which are kept in the DB. What about legal requests and illegal requests, etc.?
Hello MSZ,
 
If running ASM v11.6+, you'll need to enable logging per SOL16053: BIG-IP ASM does not log security events locally by default in 11.6.0
 
For details on setting up ASM logging profiles I recommend John Wagnon's DevCentral article The BIG-IP Application Security Manager Part 10: Event Logging
 
Here's an example from my lab of the ASM logging an illegal Request violation using a URI with /%
 
Oct 18 09:22:34 bigipVE-25 crit perl[28921]: 01310038:2: [SECEV] Request violations: Evasion technique detected. HTTP protocol compliance sub violations: N/A. Evasion techniques sub violations: N/A. Web services security sub violations: Bad unescape. Virus name: N/A. Support id: 13697844613363007900, source ip: 192.168.100.143, xff ip: N/A, source port: 60132, destination ip: 192.168.201.140, destination port: 80, route_domain: 0, HTTP classifier: /Common/SSOPRD-RP, scheme HTTP, geographic location: , request: , username: , session_id: <59f78b16fc9d332>, violation_rate: 1
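A parser for the [SECEV] line layout shown above, added here as an example (it is not F5's code or the poster's). It assumes the two-part body visible in that line: sentence-style "Key: value." violation fields up to "Support id:", then comma-separated "key: value" connection fields; the quoted line itself is the embedded input.

```python
import re

# Sample input: the [SECEV] syslog line quoted in the post above, as one string.
SAMPLE = (
    "Oct 18 09:22:34 bigipVE-25 crit perl[28921]: 01310038:2: [SECEV] "
    "Request violations: Evasion technique detected. HTTP protocol compliance sub "
    "violations: N/A. Evasion techniques sub violations: N/A. Web services security "
    "sub violations: Bad unescape. Virus name: N/A. Support id: 13697844613363007900, "
    "source ip: 192.168.100.143, xff ip: N/A, source port: 60132, destination ip: "
    "192.168.201.140, destination port: 80, route_domain: 0, HTTP classifier: "
    "/Common/SSOPRD-RP, scheme HTTP, geographic location: , request: , username: , "
    "session_id: <59f78b16fc9d332>, violation_rate: 1"
)

HEADER = re.compile(  # syslog header: timestamp, host, severity, proc[pid], "nnnnnnnn:level"
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<sev>\S+) "
    r"(?P<proc>\w+)\[(?P<pid>\d+)\]: (?P<msgid>\d+:\d+): \[SECEV\] (?P<body>.*)$"
)
KEY = re.compile(r"^([A-Za-z_ ]+): ")  # start of a "key: value" token
INT_FIELDS = ("source port", "destination port", "route_domain", "violation_rate")

def _clean(value):  # ASM writes "N/A" or nothing for absent fields; both become None
    value = value.strip()
    return None if value in ("", "N/A") else value

def parse_secev(line):
    """Parse one ASM [SECEV] line into a flat dict, or return None if it is not one."""
    m = HEADER.match(line)
    if not m:
        return None
    ev = {k: v for k, v in m.groupdict().items() if k != "body"}
    # Violation summary: "Key: value." sentences before "Support id:"; then comma pairs.
    head, sep, tail = m.group("body").partition("Support id:")
    for key, val in re.findall(r"([^:.]+?): ([^.]*)\.", head):
        ev[key.strip()] = _clean(val)
    cur = None
    for tok in ("Support id:" + tail).split(", ") if sep else []:
        km = KEY.match(tok)
        if km:
            cur = km.group(1)
            ev[cur] = _clean(tok[km.end():])
        elif tok.startswith("scheme "):  # the one field logged without a colon
            cur = "scheme"
            ev[cur] = _clean(tok[len("scheme "):])
        elif cur:  # heuristic: a comma inside a value (e.g. a raw request) re-joins it
            ev[cur] = ((ev[cur] or "") + ", " + tok).strip(", ")
    for f in INT_FIELDS:  # numeric fields as ints so a SIEM rule can compare them
        if ev.get(f) is not None:
            ev[f] = int(ev[f])
    return ev
```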
Hi, these 2 settings do not refer to ASM logs, which are kept in a DB, not a log file.
Why would you want to reduce it? It is not a 'default' size but a maximum one, and its limits are defined by the fact that it is stored in the MySQL database built into ASM. I think you might be confusing it with the asm.log file on the file system.
Hi Tzoori,
Are these values (3M entries & 2 GB) valid for ASM DoS profile events also?