Forum Discussion

clazba
Nov 01, 2012

Disabling local logging on ASM

Hi,

I am having a few issues correctly configuring remote logging (or rather completely disabling local logging) for ASM and was hoping someone here could point me in the right direction.

I have created a ‘remote only’ logging profile (no local storage) for illegal requests only and applied it to the policy – screenshots attached - so far so good, I can tail /var/log/syslog on the remote server and see illegal reqs being logged as intended.

Now that I have remote logging working fine I want to completely disable local logging to /var/log/asm to minimize disk I/O, as we believe this might be causing performance degradation for a customer – I understand this should be achievable by unticking the ‘alarm’ box relative to the violation in the blocking mask, and SOL11645 seems to confirm this:

If both the Learn and Alarm flags are disabled for a certain violation, requests that trigger that violation are not logged by the system to the /var/log/asm file. These requests are logged to only the Reporting/Requests screen or, if the logging profile for the web application specifies a remote storage type, to the remote server.

However, in my tests, this doesn’t seem to work as per the solution article – if I enable Learn and Alarm in the blocking mask, Illegal Requests are logged to both remote syslog and /var/log/asm; if I disable Learn and Alarm in the blocking mask, Illegal Requests do not get logged at all – neither to remote syslog nor locally.

Is there another way to completely disable local logging (/var/log/asm) or am I missing something here?

Thanks in advance for any insight.

4 Replies

  • You could remove the part of the syslog-ng configuration that logs to /var/log/asm:

    File is located at /etc/syslog-ng/syslog-ng.conf

    -------------------------------------------
    local3.* /var/log/asm

    filter f_local3 {
        facility(local3);
    };

    destination d_asm {
        file("/var/log/asm" create_dirs(yes));
    };

    log {
        source(s_syslog_pipe);
        filter(f_local3);
        destination(d_asm);
    };
    ---------------------------------------------

    Use vi to remove the relevant configuration, then save the file and reload syslog-ng (bigstart restart syslog-ng)
  • clazba
    Thanks Cory, that was very helpful indeed -- rather than modifying syslog-ng.conf manually and removing those entries, I simply changed the destination for d_asm to my syslog server with tmsh. This alone seemed to do the trick:

    1. tmsh> edit sys syslog

    2. In the editor that opens:

    modify syslog {
        include "
            destination d_asm {
                udp(\"192.168.1.202\" port(514));
            };
        "
    }

  • That's actually a better way to do it. Doing it through tmsh ensures that the configuration will remain if you upgrade your device in the future. Had you done it the way I suggested, your modifications would have been lost when you upgraded.
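The change the last two replies describe (pointing the d_asm destination at the collector instead of a local file) is easy to verify from the generated syslog-ng.conf rather than by waiting for /var/log/asm to stop growing. The script below is an added example written for this page, not code from the thread or from F5: it parses a syslog-ng.conf, finds the `destination d_asm { ... };` block and reports whether it still writes a local file or ships to a remote host. The two sample configs it writes are constructed for the demonstration; the 192.168.1.202:514 collector is the address used in the reply above.

```shell
#!/bin/sh
# Added example (not from the thread or from F5): report where the ASM
# syslog-ng destination (d_asm) sends records, so you can confirm that
# /var/log/asm is no longer written after the tmsh change.
# Assumes the generated file keeps one statement per line, as in the thread.

# d_asm_body FILE  -> prints the lines inside "destination d_asm { ... };"
d_asm_body() {
    awk '/^[[:space:]]*destination[[:space:]]+d_asm[[:space:]]*[{]/ { inblk = 1; next }
         inblk && /^[[:space:]]*[}];/                               { exit }
         inblk                                                      { print }' "$1"
}

# asm_log_destination FILE -> prints exactly one of:
#   local:<path>          d_asm still writes a file on the box
#   remote:<host>:<port>  d_asm ships records with udp() or tcp()
#   none                  no d_asm block, or a driver this check does not know
asm_log_destination() {
    body=$(d_asm_body "$1")

    # A file() driver means local logging is still active.
    path=$(printf '%s\n' "$body" | sed -n 's/.*file("\([^"]*\)".*/\1/p' | head -n 1)
    if [ -n "$path" ]; then
        printf 'local:%s\n' "$path"
        return 0
    fi

    # udp()/tcp() drivers: pull the host and the port() option.
    host=$(printf '%s\n' "$body" | sed -n -e 's/.*udp("\([^"]*\)".*/\1/p' \
                                          -e 's/.*tcp("\([^"]*\)".*/\1/p' | head -n 1)
    port=$(printf '%s\n' "$body" | sed -n 's/.*port(\([0-9][0-9]*\)).*/\1/p' | head -n 1)
    if [ -n "$host" ]; then
        printf 'remote:%s:%s\n' "$host" "${port:-514}"   # syslog default port if none given
        return 0
    fi

    printf 'none\n'
}

# write_sample_conf local|remote FILE
# Constructed sample configs mirroring the "before" and "after" shown in the thread.
write_sample_conf() {
    case "$1" in
        local)  dest='file("/var/log/asm" create_dirs(yes));' ;;
        remote) dest='udp("192.168.1.202" port(514));' ;;
        *)      echo "usage: write_sample_conf local|remote FILE" >&2; return 1 ;;
    esac
    cat > "$2" <<EOF
filter f_local3 { facility(local3); };
destination d_asm {
    $dest
};
log { source(s_syslog_pipe); filter(f_local3); destination(d_asm); };
EOF
}

# Demo: the state before and after the tmsh change.
tmp=$(mktemp)
write_sample_conf local  "$tmp"; printf 'before: %s\n' "$(asm_log_destination "$tmp")"
write_sample_conf remote "$tmp"; printf 'after:  %s\n' "$(asm_log_destination "$tmp")"
rm -f "$tmp"
```

On a BIG-IP, run `asm_log_destination /etc/syslog-ng/syslog-ng.conf` after saving the tmsh edit: a result of `local:/var/log/asm` means the include has not taken effect yet, while `remote:...` confirms the generated file now carries the collector. Because the file is regenerated from the tmsh configuration, repeating the same check after an upgrade is a quick way to confirm the setting survived, which is the point made in the last reply.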