Forum Discussion

Teemu_Kunnari_1
Jul 02, 2018

ASM Local storage logging

Hello,

 

I would like to know what the default ASM log buffer size is (local storage / F5 system) for Event Logs regarding ASM if you choose an option, e.g. Log illegal requests? And how long are they stored in the system?

 

Thanks in advance!

 

BR

 

Teemu

 

1 Reply

  • Hi,

     

    You have to know that in versions prior to BIG-IP ASM 11.6.0, the system writes security events to the /var/log/asm file by default using syslog.

     

    Beginning in BIG-IP ASM 11.6.0, enhancements were introduced to improve system performance and stability. As a result, the system no longer writes security events to syslog by default and it does not log them locally to the /var/log/asm file. You may enable the send_content_events internal parameter to replicate the old behavior. However, F5 recommends leaving it disabled due to a potential decrease in performance.

     

    For more information: https://support.f5.com/csp/article/K16053

     

    In any case, I advise you to send your ASM logs to a syslog server. In this case you can manage your logs (retention policy, ...)

     

    Regarding the event logs that you can see in the GUI, ASM will locally hold up to 3 Million log entries, or 2 GB of data, whichever comes first. On-device logging is probably best used for troubleshooting and short-term forensics, and an external logging facility is best used for long-term logging.

     

    For more info:

     

    https://devcentral.f5.com/questions/asm-request-event-correlation-differencies

     

    https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-config-11-2-0/asm_monitoring.html?sr=528965261055514

     

    Regards