Forum Discussion

MEmin
Apr 05, 2016

ASM Request - Event Correlation Differencies

Hi, I want to learn what the differences are between:

ASM -> Event Logs -> Application -> Requests

ASM -> Event Logs -> Application -> Event Correlation

Actually I couldn't see all requests from "Requests", i.e. I could see them from "Event Correlation" but I couldn't see those logs from "Requests". Are they different? Where can I see the event correlation log line on the device? Thanks.

 

5 Replies

  • BinaryCanary_19
    Historic F5 Account

    The Request Log can get cycled through if you are having a high rate of traffic, or it's been a long time since the correlation event was logged, or the related events might have been cleared (deleted) manually. Local logging is also not guaranteed by default and could fall through if the system is otherwise busy, but this rarely happens except on very busy boxes.

    By default, at about 2GB of disk usage, older events will start to be deleted, and also at 3 million records, whichever one is reached first. These limits can take ages to reach on a device in the lab, but easily take half a day on a busy production site. Local logging is meant for quick troubleshooting only; for anything more extensive, you should have off-box logging (many logging destinations are supported).

    It might help to go through the manual as well: https://support.f5.com/kb/en-us/products/big-ip_asm/manuals/product/asm-config-11-2-0/asm_monitoring.html?sr=528965261055514

    • MEmin
      Thanks FKnuckles. I want to make my DoS profile stricter but am concerned about false positives. Do you have any suggestions for the connections as shown below? Open Connections: 170-200; Tp: 2-3 Mbps; rate limiting is at default values, i.e. TPS increased by: 500% and reached at least 40 transactions per second OR TPS reached: 200. Thanks for your support.
    • BinaryCanary_19
      Historic F5 Account
      Open connections is not necessarily related. Look for information about average HTTP requests per second and base your thresholds on that. Note the distinction between "Site-wide", "Per-IP" and "Per-URL". Per-IP should be low, in my view, for anything that is not a proxy (you might want to look into X-Forwarded-For); you really shouldn't expect more than 2 requests per second from an IP on average. If it's a proxy, and you can trust its X-FF header, then you can configure a low threshold per-IP. Per-URL is an aggregation of all IPs accessing that URL, so you want to see how many users on average make requests to the busiest URL at peak, and set your per-URL threshold around that value. Site-wide is an aggregate of all traffic being handled by that policy, and you want to set a threshold that allows legitimate traffic through. The "TPS Reached" is an absolute hard line above which the system treats it as an attack and starts applying mitigation. If you know that your site should never have more than 200 requests per second, then yes, set that value to 200; otherwise, adjust it to fit your needs.
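A toy model of the threshold logic the two replies above discuss, added here as an example and not code from the thread or from F5: it computes site-wide, per-IP and per-URL request rates from constructed sample traffic, honours X-Forwarded-For only behind a trusted proxy, and applies the relative-increase-with-floor and absolute "TPS reached" conditions MEmin quoted. The proxy address, the per-IP limits, the sample traffic and the reading of "increased by 500%" as six times the baseline are assumptions, not F5 behaviour.

```python
from collections import Counter
# Constructed sample traffic, not captured data: tuples of (second, source_ip, x_forwarded_for, url).
TRUSTED_PROXIES = {"203.0.113.10"}  # assumed trusted reverse proxy (documentation-range address)

def client_ip(src_ip, xff):
    """Attribute the request to the first X-Forwarded-For hop only when the peer is a trusted proxy."""
    if src_ip in TRUSTED_PROXIES and xff:
        return xff.split(",")[0].strip()
    return src_ip

def tps_by_key(events, key_fn):
    """Average requests per second for each key over the window the events span."""
    if not events:
        return {}
    seconds = max(e[0] for e in events) - min(e[0] for e in events) + 1
    return {k: n / seconds for k, n in Counter(key_fn(e) for e in events).items()}

def triggered(baseline_tps, current_tps, increase_pct=500, min_tps=40, absolute_tps=200):
    """Thread's two triggers: relative jump with a floor, OR hard line. '500%' is read as 6x baseline."""
    if current_tps >= absolute_tps:
        return "absolute"
    if current_tps >= min_tps and current_tps >= baseline_tps * (1 + increase_pct / 100):
        return "relative"
    return None

KEYS = {"site-wide": lambda e: "all",            # one bucket for everything the profile handles
        "per-ip": lambda e: client_ip(e[1], e[2]),
        "per-url": lambda e: e[3]}

def evaluate(baseline, current, thresholds):
    """thresholds: granularity -> (increase_pct, min_tps, absolute_tps). Returns {(gran, key): (tps, reason)}."""
    findings = {}
    for gran, key_fn in KEYS.items():
        base = tps_by_key(baseline, key_fn)
        for key, tps in tps_by_key(current, key_fn).items():
            reason = triggered(base.get(key, 0.0), tps, *thresholds[gran])
            if reason:
                findings[(gran, key)] = (round(tps, 1), reason)
    return findings

# Baseline: five clients at 1 req/s on /home. Current: same, plus one client behind the proxy at 45 req/s on /login. Per-IP limits kept low, as advised (assumed values).
NORMAL_IPS = ["10.0.0.%d" % i for i in range(1, 6)]
BASELINE = [(s, ip, "", "/home") for s in range(60) for ip in NORMAL_IPS]
FLOOD = [(s, "203.0.113.10", "198.51.100.7", "/login") for s in range(60) for _ in range(45)]
CURRENT = BASELINE + FLOOD
THRESHOLDS = {"site-wide": (500, 40, 200), "per-url": (500, 40, 200), "per-ip": (500, 2, 10)}

if __name__ == "__main__":
    for (gran, key), (tps, reason) in sorted(evaluate(BASELINE, CURRENT, THRESHOLDS).items()):
        print(f"{gran:9} {key:14} {tps:6.1f} req/s -> {reason}")
```

Running it flags the flood at all three granularities (site-wide and per-URL by the relative rule, per-IP by the hard line) while the five normal clients and /home stay quiet, which is the kind of dry run worth doing against real baseline figures before tightening a profile.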
    • Jad_Tabbara__J1

      Hello BinaryCanary,

      Is it possible to change/reduce these values? If yes, how? I didn't find any documentation about it (ASM v12.1.2).

      For example, to bring the ASM log DB size down from 2GB to 1GB and the 3 million records to 1.5 million?

      Thanks

  • BinaryCanary,

    A question about the "Site Wide" parameter on the DoS profile. If I have a policy which is shared across 50 virtual servers, will the site-wide settings be separated out for each virtual server? My concern is about different virtual servers taking different amounts of load, such that static thresholds may cause issues for some sites. My other concern, I guess, on virtual servers sharing DoS profiles is that I can only define one set of thresholds, so maybe this is a moot point.

    I believe the answer to the first is yes, and nothing can be done about the second, forcing individual DoS profiles per virtual server. Am I correct in my thought process?

    Thanks