syslog-ng Store Box 7.0.4 LTS

Processed Timestamp: The date when syslog-ng Store Box(SSB) received the log message in YEAR-MONTH-DAY HOUR:MINUTE:SECOND format.
Timestamp: The time stamp received in the message — the time when the log message was created in YEAR-MONTH-DAY HOUR:MINUTE:SECOND format.
Facility: The facility that sent the message.
Priority: The priority value of the message.
Program: The application that created the message.
Pid: The program identifier of the application that created the message.
Host: The IP address or hostname of the client that sent the message to SSB.
Message: The text of the log message.
Tag: Tags assigned to the message matching certain pattern database rules.
Id: Unique ID of the message.
classifier.rule_id: ID of the pattern database rule that matched the message.
classifier.class: Description of the pattern database rule that matched the message.
Dynamic columns, created from additional name-value pairs, might also be available.

Using complex search queries

Searching log messages > Using the search interface > Using complex search queries

You can use wildcards and boolean expressions, and search specific parts of the log messages collected on syslog-ng Store Box(SSB).

NOTE: When searching log messages, the capabilities of the search engine depend on the delimiters used to index the particular logspace. By default, the indexer uses the following delimiter characters to separate the message into words (tokens): & : ~ ? ! [ ] = , ; ( ) ' ". For details on how to configure the delimiters used for indexing, see Creating logstores in the Administration Guide.

The following sections provide examples for different search queries:

For examples of exact matches, see Searching for exact matches and using complex queries.
For examples of using boolean operators to combine search keywords, see Combining search keywords.
For examples of wildcard searches, see Using wildcard searches.
For examples of searching for special characters, see Searching for special characters.
For examples of searching in a specific part of the message, see Searching in a specific part of the message.
For examples of searching name-value pairs, see Searching the name-value pairs of the message.

Searching for exact matches and using complex queries

By default, SSB searches for keywords as whole words in the MESSAGE part of the log message and returns only exact matches.

Combining search keywords

You can use boolean operators - AND, OR, and NOT - to combine search keywords. Note that the boolean operators are case sensitive, and must be in all caps. More complex search expressions can also be constructed with parentheses.

Using wildcard searches

You can use the ? and * wildcards in your search expressions.

Searching for special characters

To search for the question mark (?), asterisk (*), backslash (\) or whitespace () characters, you must prefix these characters with a backslash (\). Any character after a backslash is handled as a character to be searched for.

NOTE: Delimiter characters are an exception to the rule. It is not possible to search for delimiter characters, even when they are prefixed.

Searching in a specific part of the message

You can search in a specific part of the message using the <type>: prefix. The message: (or msg:) prefix means the message part and can be omitted. For example, use the program: prefix to search for the name of an application, or use the host: prefix to search for a host name, and so on.

Searching the name-value pairs of the message

You can search the structured data part of log messages using the nvpair: prefix. Use the = delimiter to separate the name and the value of structured data parameters, and remove the quote marks from the values.

Search performance tips

Searching encrypted logspaces

Searching log messages > Searching encrypted logspaces

By default, you cannot browse encrypted logstores from the SSB web interface, because the required decryption keys are not available on SSB. To make browsing and searching encrypted logstores possible, SSB provides the following options:

Use persistent decryption key(s) for a single user.

For details, see Using persistent decryption keys.
Use decryption keys for the duration of the user session only.

For details, see Using session-only decryption keys.

One Identity recommends using 2048-bit RSA keys (or stronger).

Using persistent decryption keys

Searching log messages > Searching encrypted logspaces > Using persistent decryption keys

You can upload decryption keys and bind them to your account. The decryption keys are stored on syslog-ng Store Box(SSB), but they are only made available for this user account, and can also be protected (encrypted) with a passphrase.

To use persistent decryption keys

Select User menu > Private keystore. A pop-up window is displayed.
Select Permanent > , then select Certificate > . A pop-up window is displayed.

Figure 10: User menu > Private keystore — Adding decryption keys to the private keystore
Paste or upload the certificate used to encrypt the logstore.
Select Key > . A pop-up window is displayed.
Paste or upload the private key of the certificate used to encrypt the logstore.
Repeat Steps 2-5 to upload additional keys if needed.
Select Security passphrase > Change, and enter a passphrase to protect the private keys.

Figure 11: User menu > Private keystore — Securing the private keystore with a passphrase
Click Apply.

Verwandte Dokumente

The document was helpful.

Bewertung auswählen

I easily found the information I needed.

Bewertung auswählen

Bitte w&auml;hlen Sie Ihr Produkt aus:

Damit wir Ihnen besser helfen können, geben Sie den Grund Ihres Chats an:

Empfohlene Lösungen für Ihr Problem

syslog-ng Store Box 7.0.4 LTS - User Guide

Metadata collected about log messages