Forum Discussion

OM
Apr 02, 2014

ASM back logs

Hi, in 11.4.1 OS, I am not able to display the ASM logs older than the current day. In /var/log/asm, I can see the older ASM log files in gz format.

 

Is it possible to display those logs through the GUI?

 

thanks.

 

O.

 

9 Replies

  • Omar, are you referring to Application Request logs? If so, you can navigate to Security >> Event Logs >> Application >> Requests and see all the details there.

     

  • OM

    Thanks John. Yes, I was referring to the request events... I can't get the logs of the previous days in the GUI, only the current day shows up, even if the ASM logs are present in the var/log folder.

     

    Any hint?

     

    Thanks.

     

    O

     

  • Hi Omar, from the GUI you can see ASM logs in the current file /var/log/asm. Logs for previous days are in archive files /var/log/asm.*.gz. You need to make changes to the logrotate.conf and cron according to your needs (Sol13367).

     

  • MSZ

    I have 11.6.0 Security >> Event Logs >> Application >> Requests

     

    It will display the events of those policies which are in "Blocking" mode and their Signature staging is "Disabled".

     

    Blocked Request: It means ASM blocked the request

     

    Illegal Request: It is illegal (But whether it is pass or disallow by ASM)

     

    Truncated Request: It means request is too large to handle (Should we increase the length?)

     

    Please guide me in the above details

     

  • MSZ

    Illegal Request: It is illegal (But whether it is pass or disallow by ASM) <-- It is passed to the server, that is the big difference between blocked and illegal. They both violate the policy but only the blocked ones are stopped. Illegal ones are only logged but passed to the server.

     

    You are using the Blocked keyword in Illegal request. That's why I am confused about it. What I understand is that Illegal requests are allowed to pass through the ASM but they are illegal and we have to investigate them as per our requirement. Only focused on Illegal requests.

     

  • MSZ

    If a Signature staging is enabled then it is possible to see the events log of that policy.

     

    Because I am seeing the logs in: (They are few but appearing) Security >> Event Logs >> Application >> Requests

     

    In this case a Blocked request will be considered blocked even if signature staging is enabled.

     

  • MSZ

    Dear Don't bother, but in my case I am able to see the event logs even if signature staging is enabled. But inside the signature options we have selected some signatures as Learn, Alarm and Block.

     

  • MSZ

    Thanks a lot Nathan. I got it.

     

    It means Signature staging is only valid for Attack signatures.

     

    It means Illegal requests are also concerned with RFC violations. These will also be considered blocked or pass through the ASM.