
syslog-ng Store Box 6.0.5 - Administration Guide


Elements of the main workspace

The main workspace displays the configuration settings related to the selected main menu item.

Figure 18: Main workspace

  • Commit: Each page includes one or more blue action buttons. The most common action button is Commit, which saves and activates the changes of the page.

  • Show/Hide Details: Displays or hides additional configuration settings and options.

  • Create entry: Create a new row or entry (for example, an IP address or a policy).

  • Delete entry: Delete a row or an entry (for example, an IP address or a policy).

  • Open/collapse lists: Open or close a list of options (for example, the list of available reports).

  • Modify entries or upload files: Edit an entry (for example, a host key, a list, and so on), or upload a file (for example a private key). These actions open a popup window where the actual modification can be performed.

  • Position an item in a list: Modify the order of items in a list. The order of items in a list (for example, the order of log paths) is important. For example, when SSB evaluates log paths, it looks at the log paths in descending order.

Message window: This popup window displays the responses of SSB to the user's actions, for example Configuration saved successfully. Error messages are also displayed here. All messages are included in the system log. For detailed system logs (including message history), see the Troubleshooting tab of the Basic menu. To make the window appear only for failed actions, navigate to User menu > Preferences and enable the Autoclose successful commit messages option.

Figure 19: Message window

Multiple web users and locking

Multiple administrators can access the SSB web interface simultaneously, but only one of them can modify the configuration. This means that the configuration of SSB is automatically locked when the first administrator who can modify the configuration accesses a configuration page (for example, the Basic Settings, AAA, or Logs menu). The username and IP address of the administrator locking the configuration are displayed in the System Monitor field. Other administrators must wait until the locking administrator logs out, navigates to a page that is not concerned with modifying the configuration (for example, the Search page), or the session of the administrator times out. However, it is possible to access the Search and Reporting menus, or browse the configuration with only View rights (for details, see Managing user rights and usergroups).

NOTE:

If an administrator logs in to SSB using the local console or a remote SSH connection, access via the web interface is completely blocked. Inactive local and SSH connections time out just like web connections. For details, see Accessing the SSB console.

Web interface and RPC API settings

SSB prevents brute force attacks when logging in. If you repeatedly try logging in to SSB using incorrect login details within a short period of time (10 times within 60 seconds), the source IP gets blocked on UI destination port 443 for 5 minutes. Your browser displays an Unable to connect page.

By default, SSB terminates the web session of a user after ten minutes of inactivity. To change this timeout value, adjust the Basic Settings > Management > Web interface and RPC API settings > Session timeout option.

In addition to controlling the web session timeout value, you can also specify the cipher suites to be permitted in the HTTPS connection.

The Basic Settings > Management > Web interface and RPC API settings > Cipher suite option allows you to choose the strength of the allowed cipher suites using one of the following options:

  • Compatible: It is a large set of cipher suites determined by the following cipher string:

    ALL:!aNULL:!eNULL

    The Compatible setting may allow permissive (and hence unsafe) cipher suites in Transport Layer Security (TLS) negotiations.

  • Secure: A smaller and more strict set of cipher suites where vulnerable cryptographic algorithms are eliminated. This cipher suite set is determined by the following cipher string:

    HIGH:!COMPLEMENTOFDEFAULT:!aNULL:!eNULL:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA:!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES256-SHA:!AES128-SHA:!AES256-SHA

Figure 20: Basic Settings > Management > Web interface and RPC API settings — Set session timeout and Cipher suite
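To see what the two settings actually admit, the cipher strings above can be expanded with a local OpenSSL. This is an added example, not part of the SSB documentation: it uses Python's ssl module, so the lists reflect the OpenSSL build on the machine running it (an assumption, not the build on the SSB appliance), and TLS 1.3 suites appear under both settings because cipher strings do not control them.

```python
import ssl

# Cipher strings quoted from the guide text above.
COMPATIBLE = "ALL:!aNULL:!eNULL"
SECURE = (
    "HIGH:!COMPLEMENTOFDEFAULT:!aNULL:!eNULL:"
    "!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA:"
    "!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES256-SHA:"
    "!AES128-SHA:!AES256-SHA"
)

# Suites the Secure string removes by name (the hyphenated "!NAME" entries).
EXPLICITLY_EXCLUDED = {
    item[1:] for item in SECURE.split(":")
    if item.startswith("!") and "-" in item
}


def expand(cipher_string):
    """Return {suite name: protocol} as the local OpenSSL expands the string."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)  # raises ssl.SSLError if nothing matches
    return {c["name"]: c["protocol"] for c in ctx.get_ciphers()}


def dropped_by_secure():
    """Suites that Compatible admits but Secure rejects, sorted by name."""
    compat, secure = expand(COMPATIBLE), expand(SECURE)
    return sorted((name, compat[name]) for name in set(compat) - set(secure))


if __name__ == "__main__":
    compat, secure = expand(COMPATIBLE), expand(SECURE)
    print(f"OpenSSL build: {ssl.OPENSSL_VERSION}")
    print(f"Compatible: {len(compat)} suites, Secure: {len(secure)} suites")
    print("Admitted only by Compatible:")
    for name, proto in dropped_by_secure():
        note = " (excluded by name)" if name in EXPLICITLY_EXCLUDED else ""
        print(f"  {proto:8} {name}{note}")
```

The suites listed under "Admitted only by Compatible" are the ones a client could still negotiate if the Cipher suite option is left on Compatible.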

Network settings

The Basic Settings > Network tab contains the network interface and naming settings of SSB.

Figure 21: Basic Settings > Network — Network settings

  • External interface: The Address and Netmask of the SSB network interface that receives client connections. Use the corresponding icons to add new alias IP addresses (also called alias interfaces) or delete existing ones. At least one external interface must be configured. If the management interface is disabled, the SSB web interface can be accessed via the external interface. When multiple external interfaces are configured, the first one refers to the physical network interface, all others are alias interfaces. The SSB web interface can be accessed from all external interfaces (if no management interface is configured).

    Optionally, you can enable access to the SSB web interface even if the management interface is configured by activating the Management enabled function.

    Caution:

    If you enable management access on an interface and configure alias IP address(es) on the same interface, SSB will accept management connections only on the original address of the interface.

    NOTE:

    Do not use IP addresses that fall into the following ranges:

    • 1.2.0.0/16 (reserved for communication between SSB cluster nodes)

    • 127.0.0.0/8 (localhost IP addresses)

    NOTE:

    The speed of the interface is displayed for every interface. In SSB version 4 F5 and later, you cannot manually change the speed of the interface.

    On SSB T-10 appliances, if both the 1Gbit (label 1) and 10Gbit (label A) interfaces are plugged in, SSB displays the auto-detected speed of the interface where Ethernet link is detected (that is, the cable is plugged in, and the other side is powered on).

    When SSB is deployed in a virtual environment and only a single network interface is configured, then that interface starts to serve as the management interface. In such cases, the Management enabled function becomes redundant and is replaced with a message informing the user that access to the web interface and the RPC API is enabled on every configured IP address.

    Figure 22: Basic Settings > Network — Management enabled on every configured IP address

  • Management interface: The Address and Netmask of the SSB network interface used to access the SSB web interface. If the management interface is configured, the web interface can be accessed only via this interface, unless:

    • Access from other interfaces is explicitly enabled.

    • Only one network interface has been defined, which then serves as the management interface.

    NOTE:

    Do not use IP addresses that fall into the following ranges:

    • 1.2.0.0/16 (reserved for communication between SSB cluster nodes)

    • 127.0.0.0/8 (localhost IP addresses)

  • Interfaces > Routing table: When sending a packet to a remote network, SSB consults the routing table to determine the path on which the packet should be sent. If there is no information in the routing table, the packet is sent to the default gateway.

    Use the routing table to define static routes to specific hosts or networks. You have to use the routing table if the internal interface is connected to multiple subnets, because the default gateway is (usually) towards the external interface. Use the corresponding icons to add new routes or delete existing ones. A route means that messages sent to the Address/Netmask network should be delivered to Gateway. An option is also provided to override the default behavior of always routing outgoing packets based on the destination address and instead reply on the interface of the incoming packets.

    For detailed examples, see Configuring the routing table.

  • Naming > Hostname: Name of the machine running SSB.

  • Naming > Nick name: The nickname of SSB. Use it to distinguish the devices. It is displayed in the core and boot login shells.

  • Naming > DNS search domain: Name of the domain used on the network. When resolving the domain names of the audited connections, SSB will use this domain to resolve the target hostname if the appended domain entry of a target address is empty.

  • Naming > Primary DNS server: IP address of the name server used for domain name resolution.

  • Naming > Secondary DNS server: IP address of the name server used for domain name resolution if the primary server is inaccessible.
