ASM Logging

Hello Tzoori,

 

Is it possible to change/reduce these values ? If yes how because I didn't find any doc. about it (ASM v12.1.2)

 

For example, to pass the ASM log DB size from 2GB to 1GB and the 3 Million to 1.5 Million ?

 

Thanks

 

Hello MSZ,

 

If running ASM v11.6+ you'll need to enable logging per SOL16053: BIG-IP ASM does not log security events locally by default in 11.6.0

 

For details on setting up ASM logging profiles I recommend John Wagnon's DevCentral article The BIG-IP Application Security Manager Part 10: Event Logging

 

Here's an example from my lab of the ASM logging an illegal Request violation using a URI with /%

 

Oct 18 09:22:34 bigipVE-25 crit perl[28921]: 01310038:2: [SECEV] Request violations: Evasion technique detected. HTTP protocol compliance sub violations: N/A. Evasion techniques sub violations: N/A. Web services security sub violations: Bad unescape. Virus name: N/A. Support id: 13697844613363007900, source ip: 192.168.100.143, xff ip: N/A, source port: 60132, destination ip: 192.168.201.140, destination port: 80, route_domain: 0, HTTP classifier: /Common/SSOPRD-RP, scheme HTTP, geographic location: , request: , username: , session_id: <59f78b16fc9d332>, violation_rate: 1

Beginning in BIG-IP ASM 11.6.0, security events are no longer logged to the /var/log/asm file by default. Prior to this version asm security events also logged to /var/log/asm.

Hi Vitaliy, Can you please share some document which helps me to understand the working of ASM? I will be very thankful to you.