
syslog-ng Store Box 7.0 LTS - Administration Guide


Removing a custom cloud service provider data disk from your SSB configuration

This section describes the required procedure if you want to remove a previously added custom cloud service provider data disk (for example, a Microsoft Azure managed disk) from your syslog-ng Store Box (SSB) configuration.

For more information about adding a custom cloud service provider data disk to your SSB configuration, see Adding a new custom cloud service provider data disk to your SSB configuration.

Prerequisites

When removing a custom cloud service provider data disk from your SSB configuration, consider the following prerequisites in advance:

  • One Identity recommends that you archive or back up all data from the logspaces that you want to delete from your custom cloud service provider data disk.

  • If there are any referenced objects (for example, logspaces, filtered logspaces, multiple logspaces, remote logspaces, and logpaths) connected to your custom cloud service provider data disk, you must disconnect them from your custom cloud service provider data disk before removing it from your SSB configuration.

Limitations

When removing a custom cloud service provider data disk from your SSB configuration, consider the following limitations in advance:

  • NOTE: After adding a newly created custom cloud service provider data disk to your SSB configuration, and attaching it to a logspace, removing the custom data disk from your SSB configuration has a strict order, especially if there are referenced objects connected to the custom cloud service provider data disk. One Identity recommends that you always complete the following steps in this particular order when removing a custom cloud service provider data disk from your SSB configuration.

  • You cannot remove a custom cloud service provider data disk from your SSB configuration if there are any referenced objects connected to it. In these cases, you must disconnect them from your custom cloud service provider data disk before removing it from your SSB configuration.

Removing a custom cloud service provider data disk from your SSB configuration in the Microsoft Azure Portal

If you have carefully considered the prerequisites and limitations, complete the following steps in this exact same order.

To remove a custom cloud service provider data disk from your SSB configuration,

  1. On the SSB side, archive or back up your logspace data, remove the logspaces from your configuration, then shut down your SSB device.

    1. Navigate to Log > Logspaces.

    2. (Optional) Archive or back up all data from the logspaces that you want to delete from your custom cloud service provider data disk.

    3. Delete all logspaces on your custom cloud service provider data disk and click .

    4. Navigate to Log > Disks, delete the custom cloud service provider data disk of your choice, and click .

    5. Navigate to Basic Settings > System.

    6. Under System control, click Shutdown.

  2. On the Microsoft Azure side, stop, deallocate, and detach your custom cloud service provider data disk, then restart the virtual machine for your SSB device.

    1. Log in to your cloud service provider's portal (in this case, the Microsoft Azure portal).

    2. Wait until the power state of your SSB device's virtual machine is Stopped.

      For more information about power states in Microsoft Azure, see VM power states in the Microsoft Azure online tutorial documentation.

    3. Deallocate the virtual machine for your SSB device, then wait until its power state is Stopped (deallocated).

    4. Follow the instructions of the Microsoft Azure online tutorial documentation to detach your custom data disk from the virtual machine for your SSB device.

    5. Restart the virtual machine for your SSB device.

Removing a custom cloud service provider data disk from your SSB configuration in VMware ESXi

If you have carefully considered the prerequisites and limitations, complete the following steps in this exact same order.

To remove a custom cloud service provider data disk from your SSB configuration,

  1. On the SSB side, archive or back up your logspace data, remove the logspaces from your configuration, then shut down your SSB device.

    1. Navigate to Log > Logspaces.

    2. (Optional) Archive or back up all data from the logspaces that you want to delete from your custom cloud service provider data disk.

    3. Delete all logspaces on your custom cloud service provider data disk and click .

    4. Navigate to Log > Disks, delete the custom cloud service provider data disk of your choice, and click .

    5. Navigate to Basic Settings > System.

    6. Under System control, click Shutdown.

  2. On the VMware vSphere Client side, remove your custom cloud service provider data disk, then restart the virtual machine for your SSB device.

    1. Wait until the power state of your SSB device's virtual machine is Stopped.

    2. Edit your virtual machine's hardware settings.

    3. Locate your custom cloud service provider data disk and delete it.

      Figure 168: <your-virtual-machine-in-vmware-esxi> > VM Hardware > Edit settings…

    4. Restart the virtual machine for your SSB device.

Increasing the size of a custom cloud service provider data disk that you use in your SSB configuration

This section describes how you can increase the size of a custom cloud service provider data disk that you use in your syslog-ng Store Box (SSB) configuration.

Prerequisites

When increasing the size of a custom cloud service provider data disk that you use in your SSB configuration, consider the following prerequisites in advance:

Limitations

When increasing the size of a custom cloud service provider data disk that you use in your SSB configuration, consider the following limitations in advance:

  • Caution:

    HAZARD OF DATA LOSS!

    Although it is possible to decrease the size of Microsoft Azure and VMware ESXi managed disks, One Identity does not support decreasing the size of custom cloud service provider data disks already added to your SSB configuration. One Identity only supports increasing the size of such custom cloud service provider data disks after adding them to your SSB configuration.

If the custom cloud service provider data disk that you recently added to your SSB configuration does not have enough disk space, you can increase its size on the cloud service provider side.

To increase the size of a custom cloud service provider data disk in Microsoft Azure that you use in your SSB configuration,

  1. On the SSB side, shut down your SSB device:

    1. Navigate to Basic Settings > System.

    2. Under System control, click Shutdown.

  2. On the cloud service provider side, complete the following steps:
    1. Log in to your cloud service provider's portal (in this case, the Microsoft Azure portal).

    2. Wait until the virtual machine of your SSB device is in the Stopped power state.

      For more information about the power states of virtual machines in Microsoft Azure, see VM power states in the Microsoft Azure online tutorial documentation.

    3. Deallocate the virtual machine for your SSB device, then wait until it is in the Stopped (deallocated) power state.

    4. Follow the instructions of Resize a managed disk in the Azure portal in the Microsoft Azure online tutorial documentation to increase the size of your custom cloud service provider data disk.

      Figure 169: Home > All resources > <your-virtual-machine-in-microsoft-azure> > <your-data-disk-in-microsoft-azure> - The Size + performance page for your managed disk in Microsoft Azure

    5. Start the virtual machine for your SSB device.

      NOTE: Resizing your custom cloud service provider data disk on the Microsoft Azure or VMware ESXi side may be quick, depending on your infrastructure, but your SSB configuration must resize the file system on your SSB side to match the resizing on the Microsoft Azure or VMware ESXi side. As a result, depending on the original size of the custom cloud service provider data disk and on the size you will expand it to, starting the virtual machine for your SSB device after you expand the size of your custom cloud service provider data disk may take a long time.

To increase the size of a custom cloud service provider data disk in VMware ESXi that you use in your SSB configuration,

  1. On the SSB side, shut down your SSB device:

    1. Navigate to Basic Settings > System.

    2. Under System control, click Shutdown.

  2. On the cloud service provider side, complete the following steps:
    1. Wait until the virtual machine of your SSB device is Stopped.

    2. Edit your virtual machine's hardware settings.

    3. CAUTION: HAZARD OF DATA LOSS!

      One Identity does not support decreasing the size of custom cloud service provider data disks already added to your SSB configuration. One Identity only supports increasing the size of such custom cloud service provider data disks after adding them to your SSB configuration.

      Locate the hard disk whose size you want to increase and enter the new value of the size of the hard disk.

      Figure 170: <your-virtual-machine-in-vmware-esxi> > VM Hardware > Edit settings… Increasing disk size in VMware ESXi

    4. Start the virtual machine for your SSB device.

      NOTE: Resizing your custom cloud service provider data disk on the Microsoft Azure or VMware ESXi side may be quick, depending on your infrastructure, but your SSB configuration must resize the file system on your SSB side to match the resizing on the Microsoft Azure or VMware ESXi side. As a result, depending on the original size of the custom cloud service provider data disk and on the size you will expand it to, starting the virtual machine for your SSB device after you expand the size of your custom cloud service provider data disk may take a long time.

Forwarding messages from SSB

The syslog-ng Store Box (SSB) appliance can forward log messages to remote destinations. The remote destination can be an SQL database running on a remote server, a syslog or log analyzing application running on a remote server, or a Hadoop Distributed File System (HDFS) destination.

Forwarding log messages to SQL databases

This section describes how to forward log messages from syslog-ng Store Box (SSB) to a remote SQL database server.

Tested SQL destinations:

SSB 7.0 LTS was tested with the following database servers:

  • MS SQL (with "select @@version")

    Microsoft SQL Server 2005 - 9.00.5057.00 (Intel X86)   Mar 25 2011 13:50:04   Copyright (c) 1988-2005 Microsoft Corporation  Standard Edition on Windows NT 5.2 (Build 3790: Service Pack 2)
  • PostgreSQL (with "select version()")

    PostgreSQL 8.3.15 on i486-pc-linux-gnu, compiled by GCC cc (GCC) 4.2.4 (Ubuntu 4.2.4-1ubuntu4)
  • MySQL (with "select version()")

    5.0.51a-3ubuntu5.8-log
  • Oracle (with "SELECT * FROM V$VERSION;")

    Oracle Database 11g Enterprise Edition Release 11.2.0.4.0 - 64bit Production
    PL/SQL Release 11.2.0.4.0 - Production
    "CORE	11.2.0.4.0	Production"
    TNS for Linux: Version 11.2.0.4.0 - Production
    NLSRTL Version 11.2.0.4.0 - Production
    Oracle Database 12c Enterprise Edition Release 12.1.0.2.0 - 64bit Production
    PL/SQL Release 12.1.0.2.0 - Production
    "CORE	12.1.0.2.0	Production"
    TNS for Linux: Version 12.1.0.2.0 - Production
    NLSRTL Version 12.1.0.2.0 - Production

To forward log messages from SSB to a remote SQL database server

  1. To create a new remote destination, navigate to Log > Destinations and select .

  2. Enter a name for the destination.

    NOTE: This name will be used in the name of the database tables created by SSB. For compatibility reasons, it can contain only numbers, lowercase characters, and the underscore (_) character, for example, example_database_destination.

  3. Select Database Server.

    Figure 171: Log > Destinations — Creating database destinations

  4. Select the type of the remote database from the Database type field.

  5. Enter the IP address or hostname of the database server into the Address field. If the database is running on a non-standard port, adjust the Port setting.

  6. Enter the name and password of the database user account used to access the database into the Username and Password fields, respectively. This user needs to have the appropriate privileges for creating new tables.

    NOTE: The syslog-ng Store Box (SSB) appliance accepts passwords that are not longer than 150 characters. The following special characters can be used:

    ! " # $ % & ' ( ) * + , - . / : ; < > = ? @ [ ] ^ - ` { | }

  7. Enter the name of the database that will store the log messages into the Database name field.

  8. Optional step: Enter the number of log message lines into the Flush lines field that SSB should wait before sending them off in a single batch. Setting this number high increases throughput as fully filled frames are sent to the network. However, it also increases message latency.

    NOTE: Flush lines is related to the Output memory buffer value. (To set the Output memory buffer value, navigate to Log > Destinations). The value of Output memory buffer has to be greater than or equal to the value of Flush lines.

  9. SSB will automatically start a new table for every day or every month. Optionally, you can also create custom tables. Select the table naming template from the Table rotation field.

  10. Select which columns SSB should insert into the database. You can use one of the predefined templates, or select Custom columns to create a custom template. The available templates are described in SQL templates in SSB.

  11. SSB can automatically delete older messages and tables from the database. By default, messages are deleted after one month. Adjust the Retention time as needed for your environment.

  12. The logs stored in the database can be accessed using the search interface of SSB. Enter the name of the user group that can access the logs into the Access control > Group field. To add more groups (if needed), click .

  13. The time stamps of most log messages are accurate only to the second. The syslog-ng Store Box (SSB) appliance can include more accurate time stamps: set how many digits should be included in the Timestamp fractions of a second field. This option corresponds to the frac_digits() parameter of syslog-ng.

  14. If the server and SSB are located in a different timezone and you use the Legacy message template (which does not include timezone information), select the timezone of the server from the Timezone field.

  15. Set the size of the disk buffer (in Megabytes) in the Output disk buffer field. If the remote server becomes unavailable, SSB will buffer messages to the hard disk, and continue sending the messages when the remote server becomes available. This option corresponds to the log_disk_fifo_size() parameter of syslog-ng.

    Note that SSB does not pre-allocate the hard disk required for the disk buffer, so make sure that the required disk space is available on SSB. For details on creating archiving policies and adjusting the disk-fillup prevention, see Archiving and cleanup and Preventing disk space fill up.

    Example: Calculating disk buffer size

    The size of the disk buffer you need depends on the rate of the incoming messages, the size of the messages, and the length of the network outage that you want to cover. For example:

    • SSB is receiving 15000 messages per second

    • On average, one message is 250 bytes long

    • You estimate that the longest time the destination will be unavailable is 4 hours

    In this case, you need a disk buffer for 250 [bytes] * 15000 [messages per second] * 4*60*60 [seconds] = 54000000000 [bytes], which is 54000 Megabytes (in other words, a bit over 50 GB).

  16. Click .

  17. To start sending messages to the destination, include the new destination in a logpath. For details, see Log paths: routing and processing messages.

  18. To test if the database is accessible, select Test connection.
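
The constraints stated in steps 2, 6, 8 and 15 above can be checked against a planned set of values before they are entered in the web interface. The following Python code is an added example, not One Identity or SSB code; the function names, the parameter names and passing the free disk space in as a number are assumptions made for illustration, and password characters outside the listed set are only reported as not listed on this page.

```python
import re
import string

# Rules taken from the procedure above. The names below are hypothetical and
# this is not SSB's own validation logic.
NAME_RE = re.compile(r"[a-z0-9_]+")                    # step 2: destination name
LISTED_SPECIALS = set("!\"#$%&'()*+,-./:;<>=?@[]^`{|}")  # step 6: listed characters
ALNUM = set(string.ascii_letters + string.digits)      # assumed to be accepted
MAX_PASSWORD_LEN = 150                                 # step 6: length limit


def disk_buffer_megabytes(msgs_per_sec, avg_msg_bytes, outage_hours):
    """Output disk buffer (decimal MB, as in step 15) needed to cover an outage."""
    total_bytes = msgs_per_sec * avg_msg_bytes * outage_hours * 3600
    return -(-total_bytes // 1_000_000)  # ceiling division


def check_destination(name, password, flush_lines, output_memory_buffer,
                      disk_buffer_mb, free_disk_mb, msgs_per_sec,
                      avg_msg_bytes, outage_hours):
    """Return a list of findings; an empty list means the plan is consistent."""
    findings = []
    if not NAME_RE.fullmatch(name):
        findings.append("name: only digits, lowercase letters and '_' allowed")
    if len(password) > MAX_PASSWORD_LEN:
        findings.append("password: longer than 150 characters")
    unlisted = sorted({c for c in password
                       if c not in ALNUM and c not in LISTED_SPECIALS})
    if unlisted:
        findings.append("password: characters not listed on this page: "
                        + " ".join(repr(c) for c in unlisted))
    if output_memory_buffer < flush_lines:                  # step 8 note
        findings.append("Output memory buffer must be >= Flush lines")
    needed = disk_buffer_megabytes(msgs_per_sec, avg_msg_bytes, outage_hours)
    if disk_buffer_mb < needed:
        findings.append(f"Output disk buffer {disk_buffer_mb} MB < {needed} MB needed")
    if free_disk_mb < disk_buffer_mb:   # step 15: the buffer is not pre-allocated
        findings.append("free disk space is smaller than the Output disk buffer")
    return findings
```

With the figures from the disk buffer example (15000 messages per second, 250 bytes, 4 hours), `disk_buffer_megabytes` returns the same 54000 Megabytes as the calculation in step 15.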
