Chatee ahora con Soporte
Chat con el soporte

syslog-ng Store Box 7.4.0 - Administration Guide

Preface Introduction The concepts of SSB The Welcome Wizard and the first login Basic settings User management and access control Managing SSB Configuring message sources Storing messages on SSB Forwarding messages from SSB Log paths: routing and processing messages Configuring syslog-ng options Searching log messages Searching the internal messages of SSB Classifying messages with pattern databases The SSB RPC API Monitoring SSB Troubleshooting SSB Security checklist for configuring SSB Glossary

Configuring SSB as a standalone unit, or as the primary node of a HA cluster

This section describes how you can configure your unit as a standalone unit, or as the primary node of a HA cluster in the syslog-ng Store Box (SSB) Welcome Wizard.

For details on how you can configure your unit as the secondary node of a HA cluster, see Configuring your SSB unit as the secondary node of a HA cluster.

If you want to use your unit as a standalone unit, or as the primary node of a HA cluster, you can configure a new unit in the Welcome Wizard, import an existing configuration from a backup file to restore a backup configuration after a recovery, or to migrate an existing SSB configuration to a new device, or transfer logspaces and configuration from an existing SSB.

On the initial screen, you must accept the Software Transaction, License and End User License Agreements.

Read the Software Transaction, License and End User License Agreements and select I have read and agree with the terms and conditions. By clicking on I have read and agree with the terms and conditions you accept the agreement that corresponds to the license you purchased (for details on subscription-based licensing, see License types). After the installation is complete, the Software Transaction, License and End User License Agreements can be read at Basic Settings > System > License.

Figure 6: The Software Transaction Agreement

Then choose one of the following options:

Configuring a new SSB unit

To configure your SSB unit as a standalone unit, or as the primary node of a HA cluster

  1. On the initial Configuration screen, select Standalone or primary node configuration.

    Figure 7: Standalone or primary node configuration

    Select New Install.

    Figure 8: New install

  2. Click Next.

  3. Install the SSB license.

    Figure 9: The License Key

    1. Click Choose File, select the SSB license file received with SSB, then click Upload. Without a license file, SSB will run in demo mode.

      NOTE: It is not required to manually decompress the license file. Compressed licenses (for example .zip archives) can also be uploaded.

    2. Click Next.

  4. Fill the fields to configure networking. The meaning of each field is described below. The background of unfilled required fields is red. All parameters can later be modified using the regular interface of SSB.

    Figure 10: Initial networking configuration

    1. External interface — IP address: The IP address of the external interface of SSB (for example, 192.168.1.1). The IP address can be chosen from the range of the corresponding physical subnet. Clients will connect to the external interface, therefore the IP address you configure must be accessible to them.

      If you have changed the IP address of SSB from the console before starting the Welcome Wizard, make sure that you use the same address here.

      NOTE: Do not use IP addresses that fall into the following ranges:

      • IPv4 addresses

        • 1.2.0.0/16 (reserved for communication between SSB cluster nodes)

        • 127.0.0.0/8 (localhost IP addresses)

    2. External interface — Netmask: The IP netmask of the given range in IP format. For example, general class C networks have the 255.255.255.0 netmask.

    3. Default gateway: IP address of the default gateway. When using several network cards, the default gateway is usually in the direction of the external interface.

    4. Hostname: Name of the machine running SSB (for example, SSB).

    5. Domain name: Name of the domain used on the network.

    6. DNS server: IP address of the name server used for domain name resolution.

    7. NTP server: The IP address or the hostname of the NTP server.

    8. SMTP server: The IP address or the hostname of the SMTP server used to deliver emails.

    9. Administrator's e-mail: The email address of the SSB administrator.

    10. Timezone: The timezone where the SSB unit is located.

      Caution:

      Make sure that you have selected the correct timezone. It is not recommended to change the timezone later, because logspace rotation is based on your local timezone. If you change the timezone later, you will not be able to properly search in your previously stored logs.

    11. Click Next.

  5. Enter the passwords used to access SSB.

    Figure 11: Passwords

    NOTE: The syslog-ng Store Box (SSB) appliance accepts passwords that are not longer than 150 characters. The following special characters can be used:

    ! " # $ % & ' ( ) * + , - . / : ; < > = ? @ [ ] ^ - ` { | } \ _ ~
    1. Admin password: The password of the admin user who can access the web interface of SSB.

      The default password policy on newly installed SSB appliances does not accept simple passwords for the admin and root users. As you type, SSB shows the strength of the password under the password field. Enter a password that gets at least a "good" rating.

    2. Root password: The password of the root user, required to access SSB via SSH or from the local console.

      The default password policy on newly installed SSB appliances does not accept simple passwords for the admin and root users. As you type, SSB shows the strength of the password under the password field. Enter a password that gets at least a "good" rating.

      NOTE: Accessing SSB using SSH is rarely needed, and recommended only for advanced users for troubleshooting situations.

    3. GRUB password: The password required to access the SSB boot menu.

      NOTE: From version 7.2.0 it is required to enter a username and a password to change SSB boot settings or to enter the boot loader console for troubleshooting.

      Enter the following username when prompted by GRUB:

      root

      The default password for the root user is:

      default

      One Identity recommends changing the default GRUB password if you have updated SSB from a version prior to 7.2.0.

      For more information about changing the GRUB password, see Changing the GRUB password of SSB or Using the console menu of SSB.

    4. If you want to prevent users from accessing SSB remotely via SSH or changing the root password of SSB, select the Seal the box checkbox. Sealed mode can be activated later from the web interface as well. For details, see Sealed mode.

    5. Click Next.

  6. Upload or create a certificate for the SSB web interface. This SSL certificate will be displayed by SSB to authenticate administrative HTTPS connections to the web interface and RPC API.

    Figure 12: Creating a certificate for SSB

    To create a self-signed certificate, fill the fields of the Generate new self-signed certificate section and click Generate. The certificate will be self-signed by the SSB appliance, the hostname of SSB will be used as the issuer and common name.

    1. Country: Select the country where SSB is located (for example, HU-Hungary).

    2. Locality: The city where SSB is located (for example, Budapest).

    3. Organization: The company who owns SSB (for example, Example Inc.).

    4. Organization unit: The division of the company who owns SSB (for example, IT Security Department).

    5. State or Province: The state or province where SSB is located.

    6. Click Generate certificate.

    If you want to use a certificate that is signed by an external Certificate Authority, in the Server X.509 certificate field, click to upload the certificate.

    NOTE: If you want to create a certificate with Windows Certificate Authority (CA) that works with SSB, generate a CSR (certificate signing request) on a computer running OpenSSL (for example, using the openssl req -set_serial 0 -new -newkey rsa:2048 -keyout ssbwin2k121.key -out ssbwin2k121.csr -nodes command), sign it with Windows CA, then import this certificate into SSB.

    Figure 13: Uploading a certificate for SSB

    You can choose to upload a single certificate or a certificate chain (that is, intermediate certificates and the end-entity certificate).

    After uploading a certificate or certificate chain, you can review details by clicking the name of the certificate, and looking at the information displayed in the pop-up window that comes up.

    Figure 14: Log > Options > TLS settings — X.509 certificate details

    The pop-up window allows you to:

    • Download the certificate or certificate chain.

      NOTE: Certificate chains can only be downloaded in PEM format.

    • View and copy the certificate or certificate chain.

    • Check the names and the hierarchy of certificates (if it is a certificate chain and there is more than one certificate present).

      On hovering over a certificate name, the subject of the certificate is displayed, describing the entity certified.

    • Check the validity dates of the certificate or certificates making up the chain.

      On hovering over a particular date, the exact time of validity is also displayed.

    After uploading the certificate or certificate chain, the presence or absence of the string (chain) displayed after the name of the certificate will indicate whether the certificate is a certificate chain or a single certificate.

    Then, back on the Certificate page of the Welcome Wizard, click in the Server private key field, upload the private key, and enter the password protecting the private key.

    Figure 15: Uploading a private key

    NOTE: SSB accepts private keys in PEM (RSA and DSA), PUTTY, and SSHCOM/Tectia format. Password-protected private keys are also supported.

    One Identity recommends:

    • Using 2048-bit RSA keys (or stronger).

    • Using the SHA-256 hash algorithm (or stronger) when creating the public key fingerprint.

    NOTE: The syslog-ng Store Box (SSB) appliance accepts passwords that are not longer than 150 characters. The following special characters can be used:

    ! " # $ % & ' ( ) * + , - . / : ; < > = ? @ [ ] ^ - ` { | } \ _ ~
  7. Review the data entered in the previous steps. This page also displays the certificate generated in the last step, the RSA SSH key of SSB, and information about the license file.

    Figure 16: Review configuration data

    If all information is correct, click Finish.

    Caution:

    The configuration takes effect immediately after clicking Finish. Incorrect network configuration data can render SSB unaccessible.

    SSB is now accessible from the regular web interface via the IP address of its external interface.

    After you finish configuring your SSB unit (which you can use as a standalone SSB unit, or as the primary node of a HA cluster), your browser is automatically redirected to the IP address set as the external interface of SSB, where you can log in to the web interface of SSB using the admin username and the password you set for this user in the Welcome Wizard.

    Figure 17: Logging in to SSB

Importing an existing SSB configuration

To import an existing SSB configuration to be used as a standalone unit, or as the primary node of a HA cluster

  1. On the initial Configuration screen, select Standalone or primary node configuration.

    Figure 18: Standalone or primary node configuration

  2. Then select Import Configuration.

    Figure 19: Import configuration

  3. Click Choose File and select the configuration file to import.

    NOTE: It is not possible to directly import a GPG-encrypted configuration into SSB, it has to be decrypted locally first.

  4. Enter the password used when the configuration was exported into the Encryption password field.

    For details on restoring configuration from a configuration backup, see Restoring SSB configuration and data.

  5. Click Upload.

    Caution:

    If you use the Import function to copy a configuration from one SSB to another, do not forget to configure the IP addresses of the second SSB. Having two devices with identical IP addresses on the same network leads to errors.

  6. Review the data imported from the uploaded configuration.

    Figure 20: Review configuration data

    If all information is correct, click Finish.

    Caution:

    The configuration takes effect immediately after clicking Finish.

    Incorrect network configuration data can render SSB unaccessible.

Transfer logspaces and configuration from an existing SSB

By using this option you can transfer logs and configuration from a running SSB to a new one in a single step. This saves you from the effort of backing up, archiving and importing logspace data after install, when migrating data from an older SSB model to a newer one.

Prerequisites

  • Your source SSB and the new one must be in the same network, and they must be able to communicate with each other.

  • The source SSB can be connected to with SSH.

  • Your new SSB unit requires at least the amount of disk space that the logspace data takes up on your source SSB’s internal storage.

Limitations

To transfer logspaces, user preferences and configuration from an existing SSB

  1. On the initial Configuration screen, select Standalone or primary node configuration.

    Figure 21: Standalone or primary node configuration

  2. Select Transfer from another node and fill the fields necessary for the transfer.

    Figure 22: Transfer from another node

    1. Source address: The address of the source SSB where you would like to transfer data from.

    2. Source host key: Click to provide the RSA public key of the source SSB.

      Figure 23: Set source SSB public RSA key

      You can query the source SSB directly for its RSA public key, or manually provide the public key either by uploading it or copy-pasting it into the Copy-paste key field.

    3. RSA public key: The RSA public key of your new SSB installation. This key is only used for the data transfer process.

      Please note that this RSA key is newly generated every time you reload the initial Welcome Wizard page before you start the transfer process.

      Copy this key to your clipboard and add it to the list of Authorized keys on your source SSB under the Basic Settings > Management > SSH settings menu.

      Figure 24: Set source SSB public RSA key

      Click and paste the key into the Copy-paste key field, then click Set and Commit your changes.

      Figure 25: Add RSA public key

    4. Click Next.

  3. Review the configuration details which will be transferred from your source SSB.

    Figure 26: Transfer confirmation

    By pressing Finish, the data transfer process will start. At the end of the data transfer process the source SSB will be shut down and this SSB will take its place with the same configuration as the original source SSB.

    NOTE: The transfer process may take a longer time depending on the amount of data and your network speed. In an ideal case, where the source SSB is not accepting logs during the data transfer, and this SSB storage’s write speed does not limit the transfer, over a 1 Gigabit network, approximately 120 MiB can be transferred per second. This means that transferring 1 TiB of data takes at least 2.5 hours.

    Caution:

    You should only use the source SSB for receiving, relaying of and searching for logs during the data transfer. If you change configuration on the source SSB during data transfer you may end up with inconsistent configuration and data loss on your new SSB.

  4. The data transfer takes place in the following eight steps:

    NOTE: You can close this window or navigate away from your source SSB page during the transfer process, it will not be interrupted. However, there is a step which requires user interaction, therefore it is strongly advised to regularly check the transfer status.

    1. Transferring configuration and user preferences: A configuration bundle is automatically created on your source SSB and transferred to the new one.

    2. Synchronizing most of the logs: All already existing logspace data (excluding logspaces residing on external data disks, see Managing custom cloud service provider data disks for your logspaces in SSB) is transferred to your new SSB in this step.

      NOTE: This step may take a longer time to finish depending on the amount of data to be transferred and your network speed.

    3. Synchronizing logs received during the previous step: If your source SSB is receiving logs during the data transfer, then the logs which were received during the previous (and most likely longest) step are transferred in this step.

      NOTE: If your source SSB has received large amount of logs in the last 24 hours then then calculating the delta to transfer in this step may take a long time.

    4. Waiting for confirmation: By pressing Confirm in this step, the rest of the automatic process of the data transfer will take place.

      Figure 27: Waiting for confirmation during transfer

      Caution:

      If you press Confirm, the data transfer process cannot be interrupted anymore, it will be automatically completed.

    5. Stopping syslog-ng on source: Syslog-ng is stopped on your source SSB, logs are not received or relayed by your source SSB from this step.

    6. Synchronizing the remaining logs from the source SSB: Transferring the logs received by your source SSB during the confirmation step and before syslog-ng was shut down.

      NOTE: If your source SSB has received large amount of logs in the last 24 hours then then calculating the delta to transfer in this step may take a long time.

    7. Shutting down source cluster: Your source SSB is shut down in this step. If your source SSB was operating in an HA cluster, then complete cluster will be shut down in the following order: first the secondary node (or Other node) then the primary node (or This node) will be shut down.

    8. Applying configuration: The previously transferred configuration is applied on your new SSB and you will be redirected to the SSB’s login screen, which has the same IP address as your previous (source) SSB.

      Figure 28: Logging in to SSB

  5. (Optional) If your source SSB was operating in HA and you would like to use your new SSB in an HA cluster as well, then please see Configuring your SSB unit as the secondary node of a HA cluster for configuring a second node.

Preparing the nodes on the SSB web interface for establishing a HA cluster

If you want to use the newly configured SSB unit as the primary node in a future HA cluster, and you want to add an additional SSB unit as the secondary node in your future HA cluster, you have to configure the IP addresses that you want to use for your primary node (referred to as This node on the web interface, and occasionally as master node in error messages and warnings), and the secondary node (referred to as Other node on the web interface, and occasionally as slave node in error messages and warnings).

To prepare the nodes on your SSB web interface for establishing a HA cluster

  1. Log in to the SSB unit configured as the primary node for your future HA cluster.

  2. Navigate to Basic Settings > High Availability.

    The newly configured standalone unit is displayed under High availability, labeled as This node. The greyed out Other node is not yet configured, but in the Interface IP field, you can already set the IP address that you want to use on your secondary node later.

    NOTE: Note that your Cluster status displays your primary SSB unit in a STANDALONE HA state.

  3. In the Interface IP field on This node, set the IP address that you want to use for your primary node in your future HA cluster.

  4. In the Interface IP field on Other node, set the IP address that you want to use for the secondary node in your future HA cluster.

    NOTE: Make sure that the IP address you configure on This node is different from the IP address you configure on Other node.

  5. Commit your changes.

    NOTE: When your configuration changes are successfully saved, you will see a warning about the limitations of configuring your secondary node at this point. Click OK.

  6. (Optional) Reboot your SSB unit. Alternatively, you can reboot your SSB unit later, after configuring a different unit as the secondary node of your future HA cluster.

  7. Configure a different SSB unit as the secondary node of your future HA cluster.

  8. Convert your nodes into a HA cluster on the SSB web interface.

Configuring your SSB unit as the secondary node of a HA cluster

This section describes how you can configure your syslog-ng Store Box (SSB) unit as the secondary node of a HA cluster in the syslog-ng Store Box (SSB) Welcome Wizard.

Prerequisites

Before configuring your SSB unit as the secondary node of your future HA cluster, you must have a standalone SSB unit configured as the primary node of your HA cluster, and prepare the nodes on your SSB web interface to establish a HA cluster from your SSB units.

For details on how you can configure your SSB unit as a standalone unit, or as the primary node of a HA cluster, see Configuring SSB as a standalone unit, or as the primary node of a HA cluster.

For details on how you can prepare the nodes on your SSB web interface to establish a HA cluster from your SSB units, see Preparing the nodes on the SSB web interface for establishing a HA cluster.

HA IP configuration

If you want to use your SSB unit as the secondary node of a HA cluster, you can use the syslog-ng Store Box Welcome Wizard, but with fewer configuration steps than when you are configuring your primary node.

To configure your SSB unit as the secondary node of a HA cluster

  1. Open the https://<IP-address-of-SSB-external-interface> page in your browser and accept the displayed certificate. The Welcome Wizard of SSB appears.

    TIP: The SSB console displays the IP address the external interface is listening on. SSB either receives an IP address automatically via DHCP, or if a DHCP server is not available, listens on the 192.168.1.1 IP address.

  2. On the initial screen, you must accept the Software Transaction, License and End User License Agreements.

    Read the Software Transaction, License and End User License Agreements and select I have read and agree with the terms and conditions. By clicking on I have read and agree with the terms and conditions you accept the agreement that corresponds to the license you purchased (for details on subscription-based licensing, see License types). After the installation is complete, the Software Transaction, License and End User License Agreements can be read at Basic Settings > System > License.

    Figure 29: The Software Transaction Agreement

  3. Select HA IP configuration.

    Figure 30: Select HA IP configuration

  4. Enter the HA IP Address that you previously set in the Interface IP field on Other node.

    Figure 31: Enter the HA IP address for the secondary node

  5. Click Next.

    The Welcome Wizard displays the confirmation that you have successfully configured your secondary node.

    Figure 32: HA IP configuration successful

  6. (Optional) To modify your configured HA IP Address, click Back.

  7. If you do not want to change anything in your configuration, you can continue to convert your nodes into a HA cluster.
Converting your primary node and secondary node to a HA cluster on the SSB web interface
  1. (Optional) If you have not done it previously, reboot the SSB unit that you previously configured as the primary node for your HA cluster.

  2. Log in to the SSB unit configured as the primary node, and navigate to Basic Settings > High Availability.

    Under High availability, both configured nodes are displayed, both in STANDALONE HA state.

  3. Click Convert to Cluster.

    Your Cluster status will display that you are in CONVERTED HA state.

  4. Continue by either shutting down, and then powering up your HA cluster, or shutting down, and then powering up your nodes one by one:

    • Rebooting the HA cluster: If you do not want to closely monitor shutting down, and then rebooting your nodes separately, click Reboot cluster.

      You will have to log in to the SSB web interface again.

    • Shutting down, then powering up your nodes separately:

      1. Click Shutdown on your secondary node (Other node).

        While the node of your choice is shutting down, your our Cluster status will display that you are in DEGRADED HA state.

      2. Click Reboot on the primary node (This node).

        You will have to log in to the SSB web interface again.

      3. Power up your secondary node (Other node).
  5. Log in to the SSB unit configured as your primary node, and navigate to Basic Settings > High Availability.

    While SSB is synchronizing the newly rebooted nodes, your Cluster status will display that you are in DEGRADED SYNC HA state. Depending on your configuration, synchronization may take a while.

    When SSB successfully finishes synchronizing your nodes, your Cluster status displays that SSB is operating in HA.

  6. (Optional) After your HA cluster is in HA state, you can change the configuration settings on your nodes if you want to.

Basic settings

syslog-ng Store Box (SSB) is configured via the web interface. Configuration changes take effect automatically after clicking . Only the modifications of the current page or tab are activated each page and tab must be committed separately.

Supported web browsers

The syslog-ng Store Box (SSB) web interface can be accessed only using TLS encryption and strong cipher algorithms. The browser must support HTTPS connections, JavaScript, and cookies. Make sure that both JavaScript and cookies are enabled.

NOTE: SSB displays a warning message if your browser is not supported or JavaScript is disabled.

If you have successfully accessed the SSB web interface using HTTPS at least once, your browser will remember this, and on any subsequent occasions, it will force you to access SSB using HTTPS, even if you try loading it through an HTTP connection. This is thanks to the HTTP Strict Transport Security (HSTS) policy, which enables web servers to enforce web browsers to restrict communication with the server over an encrypted SSL/TLS connection for a set period. Web servers declare the HSTS policy using a special Strict-Transport-Security response header field.

This might, however, cause issues in any of the following cases:

  • When the SSL certificate of SSB's web interface has expired. In this case, any attempt to access the web interface using a secure connection will fail with an error message.

  • When you switch the trusted CA-signed certificate to a self-signed certificate for SSB's web interface. As per HSTS design, a self-signed certificate is not taken to have been issued by a trusted CA, therefore any secure connections to the SSB web interface will fail with an error message.

The resolution to the above-mentioned issues is to:

  • Remove the HSTS settings in your browser. This must be done locally, in a browser-specific way. For detailed instructions, consult the support site of the browser you are using.

    OR

  • Upload a new certificate, using a different browser on a different machine. For detailed instructions on how to upload external certificates to SSB, see Uploading external certificates to SSB in the Administration Guide.

Supported browsers:

Mozilla Firefox 52 ESR

We also test SSB on the following, unsupported browsers. The features of SSB are available and usable on these browsers as well, but the look and feel might be different from the supported browsers. Internet Explorer 11, Microsoft Edge, and the currently available version of Mozilla Firefox and Google Chrome.

The document was helpful.

Seleccionar calificación

I easily found the information I needed.

Seleccionar calificación