BIG IP ASM Reporting

Question

Is there anyone who can brief the behavior of charts and the statistics behind them?&nbsp;
For Example: &nbsp;
Security --&gt; Reporting --&gt; Application --&gt; Chart
view by "Request Type"
Then the output will be displayed there.
Say: Legal = 100
     Alarmed = 50
     Blocked = 20
     Drop = 10&nbsp;
Click on "view requests" at the right bottom.&nbsp;
It will show the events:&nbsp;
These events will be much less than the above figures.&nbsp;

chris_grant · Answer

Please be aware that the ASM has a limited amount of room for logging events. As a result any report that shows you events will of necessity be a subset of the overall numbers. So if your report says that you have blocked 2500 requests, you may only have 20 of those in the event logs. Having said that if the number really is only 20, you should open a case and have support check to ensure that your system is logging properly.

jaiadityasingla · Answer

By default, logs are stored locally. The Local Storage check box is selected and cannot be cleared unless you enable Remote Storage to store logs remotely. This prevents you from creating a logging profile that does not log any traffic.&nbsp;
To store logs locally only, leave the Local Storage check box selected.&nbsp;
To store logs remotely, select the Remote Storage check box.&nbsp;
To store logs both places, select both check boxes.
Optional for local logging: To ensure that the system logs requests for the security policy, even when the logging utility is competing for system resources, select the Guarantee Local Logging check box.
From the Response Logging list, select one of the following options.&nbsp;
By default, the system logs the first 10000 bytes of responses, up to 10 responses per second. You can change the limits by using the response logging system variables.
By default, the system logs all requests. To limit the type of requests that the system or server logs, set up the Storage Filter.&nbsp;
If setting up local event logging only, click Finished. To set up remote logging, continue to set up remote logging.&nbsp;
When you store the logs locally, the logging utility may compete for system resources. Using the Guarantee Logging setting ensures that the system logs the requests in this situation but may result in a performance reduction in high-volume traffic applications.&nbsp;
Hence its always recommend to have remote logging, best practice say use ArcSight, Eventlog Analyzer (mostly freeware available e;g ManageEngine log Analyzer) or you can user checkpoint logger.&nbsp;
Cheers ...
Jai&nbsp;
I Hope it helps!!&nbsp;

msz · Answer

Please follow these steps on your device.
Go to
Security --&gt; Reporting --&gt; Application --&gt; Chart 
view by "Request Type"  ++ Time Period [Last Day]

Then the output will be displayed there in the form of Chart with the following table:

Legal = [xxxx]
 Alarmed = [yyyyy]
Blocked = [zzzz]
ovaerall = [aaaa]

Note the Total of Alarmed + Blocked Requests = yyyy + zzzz

Click on the "view requests" just right below corner of the table.
You will see the event logs which are less than the above value.

binarycanary_19 · Answer

Could you share some screenshots of this?

Forum Discussion

BIG IP ASM Reporting

4 Replies

Recent Discussions

F5Access | MacOS Sonoma

Overwriting or adding LTM SSL Traffic cert and key using iControlREST

Enabling AVR and creating Profiles

Get associated pool name from VIP IP using F5-LTM

Disacard SSL::cert mode to ignore when default SSLClient profile is set to request or require

Related Content

Re: BigIP Report

Generating irule logs, emails and reports for Shadow API Endpoints on the F5 BIG-IP AWAF/ASM device

Big-IP Reporting? Vserver traffic stats, etc.?

BigIP Report Old

External Reporting with BIG-IP ASM