Chatee ahora con Soporte
Chat con el soporte

syslog-ng Store Box 6.9.0 - Administration Guide

Preface Introduction The concepts of SSB The Welcome Wizard and the first login Basic settings User management and access control Managing SSB Configuring message sources Storing messages on SSB Forwarding messages from SSB Log paths: routing and processing messages Configuring syslog-ng options Searching log messages Searching the internal messages of SSB Classifying messages with pattern databases The SSB RPC API Monitoring SSB Troubleshooting SSB Security checklist for configuring SSB Glossary

Creating reports from custom statistics

You can save log statistics to include them in reports as a subchapter.

Figure 202: Search > Logspaces — Creating reports from custom log statistics

  1. In the Statistics view, click Report settings.

  2. Add a name for the statistics in the Report subchapter name field.

  3. Select the Visualization for the report: List, Pie chart, or Bar chart.

  4. Choose how the entries are sorted: descending (Top) or ascending (Least).

  5. Choose the Number of entries to include.

    NOTE: Selecting All includes only the first 1000 results. The remaining results are aggregated as 'others'.

    NOTE: For performance reasons, when creating statistics for a Multiple Logspace (see "Creating multiple logspaces" in the Administration Guide), syslog-ng Store Box(SSB) does not create statistics if the data upon which the statistics is based (for example, the hostname) has over 1000 entries in any of the member logspaces. In this case, SSB displays the Number of member statistics has too many entries error message.

  6. Select the user group that can access the subchapter in the Grant access for the following user groups field.

  7. Click Save as Report subchapter.

  8. To add the saved subchapter to a report, follow the instructions provided in Configuring custom reports.

Creating content-based alerts

The syslog-ng Store Box(SSB) appliance can create content-based alerts about log messages based on specific search expressions. Search queries are run every few seconds and an alert is triggered whenever a match between the contents of a log message and a search expression is found. Alerts are collected and sent to a pre-defined email address (or email addresses).

Some log messages might have particular significance and therefore getting notifications about those can often be more efficient than searching for them manually.

You can set up or modify alerts for local logspaces or those logspaces to which you have the relevant privileges, meaning that:

  • Either the relevant user group has been assigned read and write/perform access to the Search > Logs object on the AAA > Access Control page.

  • Or the user group has been added under the Access control option of the relevant logspace on the Log > Logspaces page.

There are two ways to create alerts, using the search interface or the Search > Content-Based Alerts page:

NOTE: Content-based alerting is currently not available for filtered, multiple, and remote logspaces.

NOTE: In the case of encrypted logspaces, no decryption key is required for content-based alerting to work. SSB has access to the log messages while processing them, and the indexer and content-based alerting services run before encryption happens.

Setting up alerts on the search interface

This section describes how to set up alerts using the search interface.

To set up alerts using the search interface

  1. Configure a target where you wish to send your content-based alerts.

    Alert targets are set up and modified by superusers or user groups that have been assigned read and write/perform access to the Policies object on the AAA > Access Control page.

    To specify an alert target:

    1. Go to Policies > Alert targets.

    2. Click .

      The new tab that opens allows you to record an alert target.

      Figure 203: Policies > Alert targets — Alert targets page

    3. Enter a name for your alert target.

      NOTE: Alert target names must be unique.

    4. In the Target email address field, enter the email address where you wish to send alerts.

      NOTE: You can specify only one email address per target. However, you can add multiple targets per alert, which allows you to send a specific alert to more than one email addresses (if required).

    5. In the Cooldown period field, enter the minimum amount of time (in seconds) that should pass between the sending of two alert messages to this target.

      The minimum value is 60 seconds, and the maximum value is 999999 seconds.

      NOTE: An alert message is sent only when a match is found between the contents of log messages and a search expression. This means that if no match is found, more time may pass between two alert messages than the interval specified as the cooldown period.

    6. Click to save your details.

      Expected result:

      You have successfully configured a target for your alert where alert messages will be sent.

  2. Optional step: You can also specify the email address from which the alerts are sent to your targets. Configuring an email address from where you wish to receive emails can be useful for filtering purposes. If you do not specify such an email address, a default one will be used.

    For detailed instructions, see the steps describing how to specify a Send e-mails as email address in "Configuring e-mail alerts" in the Administration Guide.

  3. Once you have set up a target or targets, navigate to the search interface by going to Search > Logspaces.

    Figure 204: Search > Logspaces — Setting up alerts on the search interface

  4. In the Logspace name menu, select the relevant logspace.

  5. In the Search expression field, enter the search expression that you wish to receive alerts about and click .

  6. To configure additional details for the alert, click . The Content-based alerting panel is displayed.

    Figure 205: Search > Logspaces — Content-based alerting panel

    The Logspace field displays the name of the logspace that you have selected from the Logspace name menu. The Search expression field displays the search expression that you entered in the Search expression field.

  7. Enter a name for your alert in the Alert name field.

    NOTE: Alert names must be globally unique. Using a prefix before alert names can help avoid specifying a name that is already in use.

  8. Select a target from Targets. You can select multiple targets if you wish to distribute the alert to multiple email addresses.

    You can remove targets you have already added by clicking in front of the target's name.

  9. To save your details, click .

    NOTE: If you wish to modify your alert later on, you can make changes via Search > Content-Based Alerts. For details, see Setting up alerts on the Search > Content-Based Alerts page.

Setting up alerts on the Search > Content-Based Alerts page

This section describes how to set up alerts on the Search > Content-Based Alerts page.

To set up alerts on the Search > Content-Based Alerts page

  1. Configure a target where you wish to send content-based alerts. For details on how to do this, see Step 1 in Setting up alerts on the search interface.

  2. Optional step: You can also specify the email address from which alerts are sent. Configuring an email address from where you wish to receive emails can be useful for filtering purposes. If you do not specify such an email address, a default one will be used.

    For detailed instructions, see the steps describing how to specify a Send e-mails as email address in "Configuring e-mail alerts" in the Administration Guide.

  3. Once you have set up a target or targets, navigate to Search > Content-Based Alerts.

  4. Click .

    The new tab that opens allows you to specify a content-based alert.

    Figure 206: Search > Content-Based Alerts — Setting up content-based alerts on the Search

  5. Enter a name for your alert.

    NOTE: Alert names must be globally unique. Using a prefix before alert names can help avoid specifying a name that is already in use.

  6. In the Search expression field, enter the search expression that you wish to receive alerts about.

  7. Select the appropriate logspace from the Logspace menu.

  8. Select a target or targets from the Alert targets menu. You can select multiple targets if you wish to distribute the alert to multiple email addresses.

    You can remove targets you have already added by clicking .

  9. To save your details, click .

    NOTE: If you wish to modify your alert later on, you can make changes by revisiting the relevant steps on the Search > Content-Based Alerts page.

Documentos relacionados

The document was helpful.

Seleccionar calificación

I easily found the information I needed.

Seleccionar calificación