Nokron
WAF F5
NokronGitLabELK stackWAF F5
WAF F5
NokronGitLabELK stackWAF F5
  • BIG-IP Application Security Manager
    • HTTP Protocol
      • Deep Dive to “HTTP Request” on ASM Module
      • ASM Example: Detecting a Malicious HTTP Request
    • Introduction to OWASP Top-10 Security Risks
    • Application Security Policy Templates in F5 ASM
      • Security Policy Levels
      • Explicit Entities Learning
      • Policy Modification
      • Gradual / Modular Blocking
      • Application Security Policy Lifecycle
      • Security Policy Enforcement Modes
      • Security Policy Violation Flags
      • How to Increase Learning Score / Deployment Speed
      • Comparison: Enforcement Mode, Learning Mode, and Violation Flags
    • Security Entities in Application Security Policy
      • Enforcement Readiness Summary
      • HTTP / HTTPS / WS / WSS URLs
      • Allowed Parameters in Security Policies
      • Allowed File Types in Security Policies
    • Tuning Security Policies: Analyzing and Categorizing Violations
      • Learning Suggestions in Security Policy Tuning
      • Policy Diff: Comparing and Auditing Security Policies
    • IP Address Exception Properties in ASM/AWAF
    • Cross-Site Request Forgery (CSRF) Protection in F5 ASM/AWAF
    • Sensitive Data Masking / Scrubbing (Data Guard) in F5 ASM/AWAF
    • Anti-virus Protection through an ICAP Server in F5 ASM/AWAF
    • Cookies in F5 ASM/AWAF Security
    • Session Tracking and Session Awareness in F5 ASM/AWAF
    • Evasion Technique Detection in F5 ASM/AWAF
    • Important Tips about Security Policy in F5 ASM/AWAF
    • L7 DDoS Attack Protection Configuration
    • TPS-based Attack Vectors and Stress-based Attack Vectors
    • Mitigation Techniques for DoS and Bot Protection
    • Important Tips about Events Logging
    • High-Speed Logging (HSL) Configuration
    • Web Threat Campaigns (v14.0+)
    • IP Intelligence (IPI) Subscription-Based License
    • Geo-IP Database Functionality
    • General Security Standards and WAF Support
    • ASM - Virtual Edition (VE) Tips
    • How to Bypass ASM Module
    • ASM Traffic Processing Daemon (bd)
    • ASM and AAM Integration
  • BIG-IP LTM Technology
    • Source IP Address and PORT Translation in BIG-IP
    • Packet Filters
    • Traffic / Service Profiles in BIG-IP
    • Virtual Servers and Their Behavior with Different Profiles in BIG-IP
      • Detailed Overview of Profiles in BIG-IP LTM
      • Optimizing for Mobile Clients in BIG-IP LTM
      • Connection Mirroring in BIG-IP LTM
      • AVR (Analytics) Profile in BIG-IP LTM
      • Health Monitoring in BIG-IP LTM
      • SSL Profile in BIG-IP LTM
      • Load-balancing Methods in BIG-IP LTM
      • Persistence Profile in BIG-IP
      • CMP vs. SMP in BIG-IP Systems
      • OneConnect Profile in BIG-IP
Powered by GitBook
On this page
  1. BIG-IP Application Security Manager

Important Tips about Events Logging

Effective logging is a critical component of web application security, providing visibility into security events, response actions, and system behaviors. Here are some key tips and important information about logging events within the F5 BIG-IP ASM/AWAF system:

Support ID

  • Definition: A Support ID uniquely identifies each Request/Response pair and associates it with:

    • Local Request Logs: Records for local traffic.

    • Manual Learning Suggestions: Recommendations for policy adjustments or new rules.

    • Remotely Logged Messages: Events logged remotely for external analysis.

  • Function: The Support ID helps in tracing specific requests, analyzing incidents, and troubleshooting issues by linking them to specific logs and actions.

Log Storage Limitations

  • Local Log Storage Capacity:

    • Max Capacity: Up to 3 million records can be stored for all security policies combined.

    • Max Database Table Size: Log data is stored in database tables with a maximum size of 2 GB.

  • Important Considerations:

    • If the log data exceeds these limits, older records may be overwritten, or logs may be truncated.

TCP / UDP Logging

  • UDP Logging:

    • Lower Overhead: UDP offers reduced system load due to its stateless nature.

    • Log Size Limit: Can only log up to 1 KB of data per log entry, which limits the amount of detail captured.

  • TCP Logging:

    • Greater Reliability: TCP is more reliable due to its connection-based nature.

    • Log Size Limit: Allows up to 64 KB of data per log entry, enabling more detailed logs and error tracking.

Log Format Configuration Options (v12.0+)

F5 provides different formats for event logging, which can be configured based on specific needs:

  • Comma-Separated Values (CSV): Standard format, suitable for data analysis and integration with external tools.

  • Key-Value Pairs: Log entries are formatted as key-value pairs, offering flexibility for custom logging needs.

  • Common Event Format (ArcSight): A widely used format for centralized security information management.

  • F5 BIG-IQ Centralized Management: Allows integration with BIG-IQ for managing logs across multiple devices.

What Is Not Backed Up or Synchronized

  • Event Logs: Logs are not backed up or synchronized across devices or blades. Each device maintains its own logs.

  • Reporting/Statistics: These are device-specific and are not replicated or synchronized.

  • Learning Suggestions: Policy learning suggestions are stored locally and are not synchronized between devices.

Important Logging Directories and Files

Several directories and files store logs for various components of the system:

  1. /var/log/asm:

    • Contains critical messages from ASM processes such as the MySQL database, Policy Building Engine, and Enforcer.

  2. /var/log/ts/:

    • Each process has its own log file within this directory, providing detailed logs for different system components.

  3. /var/log/dosl7/dosl7d.log:

    • Logs for the dosl7d process, including Notice-level messages related to L7 DDoS detection.

Logging Rate and Response Limitations

  • Response Logging Rate:

    • By default, the system logs up to 10 responses per second, which can impact performance if logging is too frequent.

    • The default log size is set to 10,000 bytes per response.

    How to Change the Response Log Rate:

    • You can modify the rate limit for logging responses by running the following commands:

      # /usr/share/ts/bin/add_del_internal add response_log_rate_limit <value>
# tmsh restart sys service asm

    • Replace <value> with the desired limit for responses per second.

  • No Content-Type in HTTP Response:

    • If the HTTP response lacks a Content-Type header, the BIG-IP ASM/AWAF system will not log the response. Instead, the system will display the message:

Response was not logged because the system does not support response logging of this content type

Summary of Key Points

  1. Support ID: Helps trace requests and responses, linking them to local logs, learning suggestions, and external logs.

  2. Log Storage: Limits are set at 3 million records and 2 GB for local logs.

  3. Logging Methods: UDP offers low overhead, while TCP provides more reliable and detailed logs.

  4. Log Formats: Various options like CSV, Key-Value Pairs, and Common Event Format are available for integration with external tools.

  5. Non-Synchronized Items: Event logs, reporting/statistics, and learning suggestions are not synchronized between devices.

  6. Logging Directories: Logs are stored in directories like /var/log/asm, /var/log/ts/, and /var/log/dosl7/dosl7d.log for detailed event tracking.

  7. Response Logging Limits: By default, the system logs a maximum of 10 responses per second and the first 10,000 bytes of each response. You can modify this limit using specific commands.

PreviousMitigation Techniques for DoS and Bot ProtectionNextHigh-Speed Logging (HSL) Configuration

Last updated 3 months ago