Chat now with support
Chat with Support

syslog-ng Store Box 7.4.0 - Administration Guide

Preface Introduction The concepts of SSB The Welcome Wizard and the first login Basic settings User management and access control Managing SSB Configuring message sources Storing messages on SSB Forwarding messages from SSB Log paths: routing and processing messages Configuring syslog-ng options Searching log messages Searching the internal messages of SSB Classifying messages with pattern databases The SSB RPC API Monitoring SSB Troubleshooting SSB Security checklist for configuring SSB Glossary

Managing local usergroups

You can use local groups to control the privileges of syslog-ng Store Box (SSB)'s local users (that is, who can view and configure what). Groups can be also used to control access to the logfiles available via a shared folder. For details, see Accessing log files across the network.

For the description of built-in groups, see Built-in usergroups of SSB.

Use the AAA > Group Management page to:

  • Create a new usergroup.

  • Display which users belong to a particular local usergroup.

  • Edit group memberships.

To create a new usergroup

  1. Navigate to AAA > Group Management and click .

    Figure 76: AAA > Group Management — Manage local usergroups

  2. Enter a name for the group.

  3. Enter the names of the users belonging to the group. To add more users, click (Add Row).

  4. Click .

    Once you added your usergroups, start assigning privileges to them. For more information, see Assigning privileges to usergroups for the SSB web interface.

Managing SSB users from an LDAP database

The syslog-ng Store Box (SSB) web interface can authenticate users to an external LDAP database to simplify the integration of SSB to your existing infrastructure. You can also specify multiple LDAP servers, if the first server is unavailable, SSB will try to connect to the second server.

As in the case of locally managed users, use groups to control access to the logfiles available via a shared folder. For details, see Accessing log files across the network.

The following describes how to enable LDAP authentication.

NOTE: The admin user is available by default and has all privileges. It is not possible to delete this user.

The admin user can login to SSB even if LDAP authentication is used.

Enabling LDAP authentication automatically disables the access of every local user except for admin.

SSB accepts both pre-win2000-style and Win2003-style account names (User Principal Names). User Principal Names (UPNs) consist of a username, the at (@) character, and a domain name, for example administrator@example.com.

The following characters cannot be used in usernames and group names: <>\/[]:;|=,+*)?@"

When using RADIUS authentication together with LDAP users, the users are authenticated to the RADIUS server, only their group memberships must be managed in LDAP. For details, see Authenticating users to a RADIUS server.

When using OpenID Connect authentication together with local users, the users are authenticated via OpenID Connect, only their group memberships must be managed locally on SSB. For details, see Authenticating users via OpenID Connect.

Caution:

A user can belong to a maximum of 10,000 groups, further groups are ignored.

Caution:

By default, SSB uses nested groups when querying the LDAP server. Nested groups are mostly useful when authenticating the users to Microsoft Active Directory, but can slow down the query and cause the connection to time out if the LDAP tree is very large. In this case, disable the Enable nested groups option.

To enable LDAP authentication

  1. Navigate to AAA > Settings > Authentication settings.

  2. Select the LDAP option and enter the parameters of your LDAP server.

    Figure 77: AAA > Settings > User database — Configure LDAP authentication

    1. Enter the IP address or hostname and port of the LDAP server into the Server Address field. If you want to encrypt the communication between SSB and the LDAP server, in case of SSL/TLS, enter 636 as the port number, or in case of STARTTLS, enter 389 as the port number.

      To add multiple servers, click and enter the address of the next server. If a server is unreachable, SSB will try to connect to the next server in the list in failover fashion.

      Caution:

      If you will use a TLS-encrypted with certificate verification to connect to the LDAP server, use the full domain name (for example ldap.example.com) in the Server Address field, otherwise the certificate verification might fail. The name of the LDAP server must appear in the Common Name of the certificate.

    2. Enter the name of the DN to be used as the base of the queries into the Base DN field (for example, DC=demodomain,DC=exampleinc).

    3. Enter the name of the DN where SSB should bind to before accessing the database into the Bind DN field.

      For example: CN=Administrator,CN=Users,DC=demodomain,DC=exampleinc.

      NOTE: SSB accepts both pre-win2000-style and Win2003-style account names (User Principal Names), for example, administrator@example.com is also accepted.

      NOTE: Do not use sAMAccountName, as the bind DN expects a CN.

    4. Enter the password to use when binding to the LDAP server into the Bind Password field.

      NOTE: The syslog-ng Store Box (SSB) appliance accepts passwords that are not longer than 150 characters. The following special characters can be used:

      ! " # $ % & ' ( ) * + , - . / : ; < > = ? @ [ ] ^ - ` { | } \ _ ~
    5. Select the type of your LDAP server in the Type field. Select Active Directory to connect to Microsoft Active Directory servers, or Posix to connect to servers that use the POSIX LDAP scheme.

  3. If you want to encrypt the communication between SSB and the LDAP server, in Encryption, select the SSL/TLS or the STARTTLS option and complete the following steps:

    NOTE:

    TLS-encrypted connection to Microsoft Active Directory is supported only on Windows 2003 Server and newer platforms. Windows 2000 Server is not supported.

    • If you want SSB to verify the certificate of the server, leave Only accept certificates authenticated by the specified CA certificate selected and click the icon in the CA X.509 certificate field. A popup window is displayed.

      Click Browse, select the certificate of the Certificate Authority (CA) that issued the certificate of the LDAP server, then click Upload. Alternatively, you can paste the certificate into the Copy-paste field and click Set.

      SSB will use this CA certificate to verify the certificate of the server, and reject the connections if the verification fails.

      Caution:

      If you will use a TLS-encrypted with certificate verification to connect to the LDAP server, use the full domain name (for example, ldap.example.com) in the Server Address field, otherwise the certificate verification might fail. The name of the LDAP server must appear in the Common Name of the certificate.

    • If the LDAP server requires mutual authentication, that is, it expects a certificate from SSB, enable Authenticate as client. Generate and sign a certificate for SSB, then click in the Client X.509 certificate field to upload the certificate. After that, click in the Client key field and upload the private key corresponding to the certificate.

    SSB accepts private keys in PEM (RSA and DSA), PUTTY, and SSHCOM/Tectia format. Password-protected private keys are also supported.

    One Identity recommends:

    • Using 2048-bit RSA keys (or stronger).

    • Using the SHA-256 hash algorithm (or stronger) when creating the public key fingerprint.

  4. (Optional) If your LDAP server uses a custom POSIX LDAP scheme, you might need to set which LDAP attributes store the username, or the attributes that set group memberships. For example, if your LDAP scheme does not use the uid attribute to store the usernames, set the Username (userid) attribute name option. You can customize group-membership attributes using the POSIX group membership attribute name and GroupOfUniqueNames membership attribute name options.
  5. Click .

    NOTE: You must also configure the usergroups in SSB and possibly in your LDAP database. For more information, see How to use usergroups.

  6. To test the connection, click Test.

    NOTE: SSB does not support testing SSL-encrypted connections.

Authenticating users to a RADIUS server

The syslog-ng Store Box (SSB) appliance can authenticate its users to an external RADIUS server. Group memberships of the user is based on the username, and it must be managed in the configured user database.

Caution:

The challenge/response authentication methods is currently not supported. Other authentication methods (for example, password, SecureID) should work.

To authenticate SSB users to a RADIUS server

  1. Navigate to AAA > Settings.

    Figure 78: AAA > Settings — Configuring RADIUS authentication

  2. Set the Authentication method field to RADIUS.

  3. Enter the IP address or domain name of the RADIUS server into the Address field.

  4. Enter the password that SSB can use to access the server into the Shared secret field.

    NOTE: The syslog-ng Store Box (SSB) appliance accepts passwords that are not longer than 150 characters. The following special characters can be used:

    ! " # $ % & ' ( ) * + , - . / : ; < > = ? @ [ ] ^ - ` { | } \ _ ~
  5. To add more RADIUS servers, click and repeat Steps 2-4.

    Repeat this step to add multiple servers. If a server is unreachable, SSB will try to connect to the next server in the list in failover fashion.

  6. NOTE: The password-related settings under Password settings for root, admin and local users are effective for local non-admin users only if password authentication method and local user database is configured. These settings are always effective for the local administrator (default admin user) regardless of configuration. Local administrators always use local password authentication.

  7. Caution: After clicking and changing to the new authentication method, the following will happen:

    • Users who are logged in at the time of the change will not have to reauthenticate themselves.

    • Users who log in after the change will have to authenticate against the new authentication method.

    • The default admin account of SSB can log in using the local password authentication method, even if the provider of the non-local authentication method is inaccessible.

    Click .

Authenticating users via OpenID Connect

The syslog-ng Store Box (SSB) appliance can authenticate its users to an external OpenID Connect server. Group memberships of the user is based on the username, and it must be managed in the configured user database.

To authenticate SSB users to an OpenID Connect server

  1. Navigate to AAA > Settings.

    Figure 79: AAA > Settings — Configuring OpenID Connect authentication

  2. Set the Authentication method field to OpenID Connection.

  3. In the Provider URL field, enter the URL of the OpenID Connect server.

  4. In the Client ID field, enter the client ID that identifies your SSB to the OpenID Connect server.

  5. Select the client authentication mode from the Client authentication radio buttons.

  6. If you use Basic client authentication mode, enter the client secret corresponding to the Client ID into the Client secret field.

    NOTE: The syslog-ng Store Box (SSB) appliance accepts passwords that are not longer than 150 characters. The following special characters can be used:

    ! " # $ % & ' ( ) * + , - . / : ; < > = ? @ [ ] ^ - ` { | } \ _ ~
  7. (Optional) Enable Use proxy and enter the proxy address you want to use into the Proxy address field.

    NOTE: If you have to use a proxy, consider that only HTTP proxies are supported.

  8. In the Redirect Login URL field, enter the URL for the OpenID Connect server to redirect to after login.

    NOTE: The default value is https://<SSB IP address>/index.php?_backend=Auth?login=1. The suffix //index.php?_backend=Auth?login=1 is mandatory. Consider that invalid formatting of this field can make the login to the syslog-ng Store Box (SSB) appliance via OpenID Connect impossible.

  9. In the Username claim field, enter the claim to obtain the user name from.

  10. Optional: Enable Always prompt to always force a login to OpenID Connect.

  11. Optional: Enable Logout globally to always force OpenID Connect to log out the user from their global OpenID session.

    Optional: Enter the redirect URL what will be used after logout from OpenID Identity Provider into the Redirect Logout URL field. The default value is a URL based on the IP address of the syslog-ng Store Box. When left unconfigured, the Identity Provider's default sign-in page will be displayed after logging out from SSB.

  12. NOTE: The password-related settings under Password settings for root, admin and local users are effective for local non-admin users only if password authentication method and local user database is configured. These settings are always effective for the local administrator (default admin user) regardless of configuration. Local administrators always use local password authentication.

  13. Caution: After clicking and changing to the new authentication method, the following will happen:

    • Users who are logged in at the time of the change will not have to reauthenticate themselves.

    • Users who log in after the change will have to authenticate against the new authentication method.

    • The default admin account of SSB can log in using the local password authentication method, even if the provider of the non-local authentication method is inaccessible.

    Click .

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating