Hi,
You have to know that in versions prior to BIG-IP ASM 11.6.0, the system writes security events to the /var/log/asm file by default using syslog.
eginning in BIG-IP ASM 11.6.0, enhancements were introduced to improve system performance and stability. As a result, the system no longer writes security events to syslog by default and it does not log them locally to the /var/log/asm file. You may enable the send_content_events internal parameter to replicate the old behavior. However, F5 recommends leaving it disabled due to a potential decrease in performance.
For more information:
https://support.f5.com/csp/article/K16053
In all case I advise you to send your ASM logs to a syslog server. In this case you can manage your logs (retention policy, ...)
Regarding event logs that you can see in GUI, SM will locally hold up to 3 Million log entries, or 2 GB of data, whichever comes first. On device logging is probably best used for troubleshooting and short-term forensics, and an external logging facility is best used for long-term logging.
Fore more info:
https://devcentral.f5.com/questions/asm-request-event-correlation-differencies
https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-config-11-2-0/asm_monitoring.html?sr=528965261055514
Regards