Tchater maintenant avec le support
Tchattez avec un ingénieur du support

syslog-ng Store Box 7.0 LTS - Administration Guide

Preface Introduction The concepts of SSB The Welcome Wizard and the first login Basic settings User management and access control Managing SSB Configuring message sources Storing messages on SSB Forwarding messages from SSB Log paths: routing and processing messages Configuring syslog-ng options Searching log messages Searching the internal messages of SSB Classifying messages with pattern databases The SSB RPC API Monitoring SSB Troubleshooting SSB Security checklist for configuring SSB Glossary

Searching log messages

This section describes how to browse the log messages collected on syslog-ng Store Box(SSB).

Using the search interface

The syslog-ng Store Box(SSB) appliance has a search interface for browsing the collected log messages. You can choose the logspace, enter a search expression, specify the timeframe, and browse the results here.

This section walks you through the main parts of the search interface.

To access the search interface, navigate to Search > Logspaces.

Figure 205: Search > Logspaces — The log message search interface

Logspaces:

To choose the appropriate logspace, use the Logspace name menu. Note that you cannot access plain text logspaces on the SSB search interface.

For more information on the available logspaces, and how to configure them, see "Storing messages on SSB" in the Administration Guide.

Search:

On the log message search interface, you can use the Search expression field to search the full list of log messages. Search expressions are case insensitive, with the exception of operators (like AND, OR, etc.), which must always be capitalized. Click the icon, or see Using complex search queries for more details.

When searching log messages, the capabilities of the search engine depend on the delimiters used to index the particular logspace. For details on how to configure the delimiters used for indexing, see "Creating logstores" in the Administration Guide.

NOTE: You can search in indexed logspaces even if log traffic is disabled.

You can create complex searches using wildcards and boolean expressions. For more information and practical examples, see Using complex search queries.

NOTE: SSB only indexes the first 59 characters of every name-value pair (parameter). This has two consequences:

  • If the parameter is longer than 59 characters, an exact search might deliver multiple, imprecise results.

    Consider the following example. If the parameter is:

    .sdata.security.uid=2011-12-08T12:32:25.024+01:00-hostname-12345

    SSB indexes it only as:

    .sdata.security.uid=2011-12-08T12:32:25.024+01:00-hostname-

    This corresponds to the first 59 characters. As a result, searching for:

    nvpair:.sdata.security.uid=2011-12-08T12:32:25.024+01:00-hostname-12345

    returns all log messages that contain:

    .sdata.security.uid=2011-12-08T12:32:25.024+01:00-hostname-
  • Using wildcards might lead to the omission of certain messages from the search results.

    Using the same example as above, searching for the value:

    nvpair:*=2011-12-08T12:32:25.024+01:00-hostname-12345

    does not return any results (as the 12345 part was not indexed). Instead, you have to search for:

    nvpair:*=2011-12-08T12:32:25.024+01:00-hostname-*

    This, as explained above, might find multiple results.

Overview:

Displays the number of log messages in the selected time interval.

Figure 206: Search > Logspaces — Log message overview

Use the and icons to zoom, and the arrows to display the previous or the next intervals. To change the timeframe, you can:

  • Change the beginning and the end date.

  • Click and drag the pointer across a period on the calendar bars to select a specific interval and zoom in.

  • Use the Jump to last option to select the last 15 minutes, hour, 6 hours, day, or week.

Hovering the mouse above a bar displays the number of results, and the start and end date of the period that the bar represents. Click a bar to display the results of that period in the table. Use Shift+Click to select multiple bars.

Action bar:

The search interface provides an action bar that allows you to:

It also displays the following information:

Figure 207: Search > Logspaces: Action bar

Link to a search query:

On clicking , the Bookmark links panel is displayed:

Figure 208: Search > Logspaces — Bookmark links panel

Bookmark links allow you to fetch a link to a search query so that you can:

  • Share your search queries with colleagues, who can then access the relevant search results in one click.

  • Save frequently used search queries as bookmark links.

The link in the Current view field provides a direct link to your search query and its results currently displayed on your screen. Whenever you open the bookmarked link from your browser, it will always return the same, fixed set of results. The start and end date that you set when executing the search query and fetching the link from the Bookmark links panel remain fixed.

The Last menu, on the other hand, allows you to specify an interval of time, for example, the last 15 minutes or the last hour, and fetch search results generated within that period. The search results that you access using this link may differ on two different occasions as the start point of the specified interval is always the moment you open the bookmarked link from your browser.

CSV export:

On clicking , the CSV export panel is displayed:

Figure 209: Search > Logspaces — CSV export panel

Clicking exports your search results into a CSV file. This saves the table as a text file containing comma-separated values. Note that if an error occurs when exporting the data, the exported CSV file will include a line (usually as the last line of the file) starting with a zero and the details of the problem, for example, 0<description_of_the_error>.

Caution:

Do not use Download CSV export to export large amounts of data, as exporting data can be very slow, especially if the system is under heavy load. If you regularly need a large portion of your data in plain text format, consider using the SSB RPC API (for details, see "The SSB RPC API" in the Administration Guide), or sharing the log files on the network and processing them with external tools (for details, see "Accessing log files across the network" in the Administration Guide).

Alert:

The alert functionality enables you to set up content-based alerts for search expressions of your choice. You will receive an alert when a match is found between the search expression and the contents of a log message. Note that the alerts are generated for only those log messages that are stored in the logspace(s) for which you set up the alert.

For detailed information on content-based alerts, see "Creating content-based alerts" in the Administration Guide.

Errors and warnings:

When any user action results in an error condition (for example, if you enter an invalid search expression, display statistics for a column that has not been indexed), an error or warning notification will be displayed on the action bar. Errors are shown in red letters, warnings are displayed in amber.

If there is more than one notification, the latest will be displayed and the number of notifications triggered will also be indicated. Clicking the notification will open an Errors and warnings panel:

Figure 210: Search > Logspaces — Errors and warnings panel

The Errors and warnings panel displays a list of errors/warnings with their time stamp and details of their cause.

You can clear notifications one by one by clicking next to the them, or clear all of them by clicking .

Search results:

After running a search query, the action bar displays the number of search results returned by the query. This is useful information when you are trying to find out how often a certain element appears in the logs.

List of log messages:

Use the arrow keys and the Page Up and Page Down keys to navigate the listed log messages, or use the mouse wheel to scroll. You can disable mouse wheel scrolling in your User menu > Preferences. If data is too long to fit on one line, it is automatically wrapped and only the first line is displayed.

Figure 211: Search > Logspaces — List of log messages

Details of a log message:

To expand a row in the list of log messages, click . The complete log message is displayed:

Figure 212: Search > Logspaces — Viewing a single log message

Use the arrow keys to jump to the previous or the next log message.

Use the Page Up and Page Down to jump to the 10th log message before or after the currently displayed log message. You can also jump to the previous or the next log message with the mouse wheel.

If the displayed log message consists of several pages of data, you can configure the mouse wheel to be able to use it for scrolling the message vertically. To do this, navigate to User menu > Preferences, deselect Mousewheel scrolling of search results and click Set options. This will disable jumping between log messages with the mouse wheel.

You can perform the following actions:

  • Click any word in the message to copy it to the Search field.

  • Click any of the dynamic columns (name-value pairs) to add it as a column to the list of log messages.

  • Click any of the icons to view the statistics of the selected category.

To return to the list of all log messages, click .

Customizing columns of the log message search interface

The following describes how to customize the data displayed on the log message search interface.

To customize the data displayed on the log message search interface

  1. Click Customize columns.

    The parameters used for the columns when displaying log messages are listed under Displayed columns. All other available parameters are listed under Available static columns and Available dynamic columns.

    Dynamic columns are created from structured data parameters (name-value pairs) in log messages stored on syslog-ng Store Box(SSB). Structured data parameters are detected and added to the list of customizable columns automatically. (For more information on the structured data part of log messages, see "The STRUCTURED-DATA message part" in the Administration Guide.)

    NOTE: To export the search results into a CSV file, click on the action bar. Note that the CSV file includes all the static columns and the displayed dynamic columns.

    Figure 213: Search > Logspaces > Customize columns — Customizing columns of the log message search interface

  2. To add a static column to the Displayed columns, click .

  3. To add a dynamic column to the Displayed columns, choose a name-value pair from Available dynamic columns and click .

    The selected name generates a new, separate dynamic column with a <name> heading (where <name> is the name of the key). The relevant values are displayed in the cells of the respective column.

  4. To remove parameters from the Visible columns, click .

  5. To display the full content of each column (including the log messages), enable Show full content of columns.

Metadata collected about log messages

The following information is available about the log messages:

  • Processed Timestamp: The date when syslog-ng Store Box(SSB) received the log message in YEAR-MONTH-DAY HOUR:MINUTE:SECOND format.

  • Timestamp: The time stamp received in the message — the time when the log message was created in YEAR-MONTH-DAY HOUR:MINUTE:SECOND format.

  • Facility: The facility that sent the message.

  • Priority: The priority value of the message.

  • Program: The application that created the message.

  • Pid: The program identifier of the application that created the message.

  • Host: The IP address or hostname of the client that sent the message to SSB.

  • Message: The text of the log message.

  • Tag: Tags assigned to the message matching certain pattern database rules.

  • Id: Unique ID of the message.

  • classifier.rule_id: ID of the pattern database rule that matched the message.

  • classifier.class: Description of the pattern database rule that matched the message.

  • Dynamic columns, created from additional name-value pairs, might also be available.

Documents connexes

The document was helpful.

Sélectionner une évaluation

I easily found the information I needed.

Sélectionner une évaluation