Chatee ahora con Soporte
Chat con el soporte

syslog-ng Store Box 7.0.4 LTS - User Guide

Metadata collected about log messages

The following information is available about the log messages:

  • Processed Timestamp: The date when syslog-ng Store Box(SSB) received the log message in YEAR-MONTH-DAY HOUR:MINUTE:SECOND format.

  • Timestamp: The time stamp received in the message — the time when the log message was created in YEAR-MONTH-DAY HOUR:MINUTE:SECOND format.

  • Facility: The facility that sent the message.

  • Priority: The priority value of the message.

  • Program: The application that created the message.

  • Pid: The program identifier of the application that created the message.

  • Host: The IP address or hostname of the client that sent the message to SSB.

  • Message: The text of the log message.

  • Tag: Tags assigned to the message matching certain pattern database rules.

  • Id: Unique ID of the message.

  • classifier.rule_id: ID of the pattern database rule that matched the message.

  • classifier.class: Description of the pattern database rule that matched the message.

  • Dynamic columns, created from additional name-value pairs, might also be available.

Using complex search queries

You can use wildcards and boolean expressions, and search specific parts of the log messages collected on syslog-ng Store Box(SSB).

NOTE: When searching log messages, the capabilities of the search engine depend on the delimiters used to index the particular logspace. By default, the indexer uses the following delimiter characters to separate the message into words (tokens): & : ~ ? ! [ ] = , ; ( ) ' ". For details on how to configure the delimiters used for indexing, see Creating logstores in the Administration Guide.

The following sections provide examples for different search queries:

Searching for exact matches and using complex queries

By default, SSB searches for keywords as whole words in the MESSAGE part of the log message and returns only exact matches.

Combining search keywords

You can use boolean operators - AND, OR, and NOT - to combine search keywords. Note that the boolean operators are case sensitive, and must be in all caps. More complex search expressions can also be constructed with parentheses.

Using wildcard searches

You can use the ? and * wildcards in your search expressions.

Searching for special characters

To search for the question mark (?), asterisk (*), backslash (\) or whitespace () characters, you must prefix these characters with a backslash (\). Any character after a backslash is handled as a character to be searched for.

NOTE: Delimiter characters are an exception to the rule. It is not possible to search for delimiter characters, even when they are prefixed.

Searching in a specific part of the message

You can search in a specific part of the message using the <type>: prefix. The message: (or msg:) prefix means the message part and can be omitted. For example, use the program: prefix to search for the name of an application, or use the host: prefix to search for a host name, and so on.

Searching the name-value pairs of the message

You can search the structured data part of log messages using the nvpair: prefix. Use the = delimiter to separate the name and the value of structured data parameters, and remove the quote marks from the values.

Search performance tips

Searching encrypted logspaces

By default, you cannot browse encrypted logstores from the SSB web interface, because the required decryption keys are not available on SSB. To make browsing and searching encrypted logstores possible, SSB provides the following options:

One Identity recommends using 2048-bit RSA keys (or stronger).

Using persistent decryption keys

You can upload decryption keys and bind them to your account. The decryption keys are stored on syslog-ng Store Box(SSB), but they are only made available for this user account, and can also be protected (encrypted) with a passphrase.

To use persistent decryption keys

  1. Select User menu > Private keystore. A pop-up window is displayed.

  2. Select Permanent > , then select Certificate > . A pop-up window is displayed.

    Figure 10: User menu > Private keystore — Adding decryption keys to the private keystore

  3. Paste or upload the certificate used to encrypt the logstore.

  4. Select Key > . A pop-up window is displayed.

  5. Paste or upload the private key of the certificate used to encrypt the logstore.

  6. Repeat Steps 2-5 to upload additional keys if needed.

  7. Select Security passphrase > Change, and enter a passphrase to protect the private keys.

    Figure 11: User menu > Private keystore — Securing the private keystore with a passphrase

  8. Click Apply.

Documentos relacionados

The document was helpful.

Seleccionar calificación

I easily found the information I needed.

Seleccionar calificación