Forum Discussion

Lukasz_01_15307's avatar
Lukasz_01_15307
Icon for Nimbostratus rankNimbostratus
Jan 26, 2016

ASM syslogs vs blocked request logs?

Hello!

 

We recently deployed ASM into the blocking mode. From time to time we still get support IDs from our users when ASM blocks a legitimate request. We usually deal with it by just going to ASM logs using GUI, search for the support ID and "learn". Recently we started receiving some support IDs that we can't find when searching through GUI.

 

We are running asm 11.6 with send_content_events set to 0 and using default "log illegal requests" profile with only local logging enabled.

 

My understanding is that with send_content_events set to 0 nothing is going to be logged locally, even if only local logging is enabled.

 

Am I understanding this correctly? if yes, why I can still see new logs coming in when I go to logging tab in ASM? If not, are there two types of logs for ASM? one to log requests and some kind of generic logging profile?

 

How can we respond to all support IDs when only local logging is available?

 

Can you point me in the right direction, where I can get some more information on ASM logging methods?

 

Thanks!

 

  • send_content_events is only concerning logging to

    /var/log/asm
    on the device.

    ASM event logs in the GUI should continue to work as configured in the logging profile if you have specified.

    ASM local event log files are cycled after 3,000,000 records, or 2GB of disk usage, so this could explain why you don't see some support IDs in the database, particularly if a long time has passed since the support ID was generated.

    For this reason, it is often advisable to use a remote logging server to store logs more extensively (it also helps to reduce load on the ASM).

  • BinaryCanary_19's avatar
    BinaryCanary_19
    Historic F5 Account

    send_content_events is only concerning logging to

    /var/log/asm
    on the device.

    ASM event logs in the GUI should continue to work as configured in the logging profile if you have specified.

    ASM local event log files are cycled after 3,000,000 records, or 2GB of disk usage, so this could explain why you don't see some support IDs in the database, particularly if a long time has passed since the support ID was generated.

    For this reason, it is often advisable to use a remote logging server to store logs more extensively (it also helps to reduce load on the ASM).