Chatta subito con l'assistenza
Chat con il supporto

syslog-ng Store Box 7.0.4 LTS - Administration Guide

Preface Introduction The concepts of SSB The Welcome Wizard and the first login Basic settings User management and access control Managing SSB Configuring message sources Storing messages on SSB Forwarding messages from SSB Log paths: routing and processing messages Configuring syslog-ng options Searching log messages Searching the internal messages of SSB Classifying messages with pattern databases The SSB RPC API Monitoring SSB Troubleshooting SSB Security checklist for configuring SSB Glossary

Viewing encrypted logs with logcat

To access logstore files, you can:

  • Access the logstores using a network share.

    This is the recommended method. For details, see Accessing log files across the network.

  • Log in to syslog-ng Store Box (SSB) locally, or remotely using SSH.

To display the contents of a logstore file, use the logcat command supplied with syslog-ng PE. For example:

logcat /var/log/messages.lgs

To display the contents of encrypted log files, specify the private key of the certificate used to encrypt the file. For example:

logcat -k private.key /var/log/messages.lgs

The contents of the file are sent to the standard output, so it is possible to use grep and other tools to find particular log messages. For example:

logcat /var/log/messages.lgs |grep 192.168.1.1

Every record that is stored in the logstore has a unique record ID. The logcat application can quickly jump to a specified record using the -- seek option.

For files that are in use by syslog-ng, the last chunk that is open cannot be read. Chunks are closed when their size reaches the limit set in the chunk_size parameter, or when the time limit set in the chunk_time parameter expires and no new message arrives.

When the logstore file is encrypted, a hash is also generated for every chunk to verify the integrity of the chunk. The hashes of the chunks are chained together to prevent injecting chunks into the logstore file. The encryption algorithm used is aes128 in CBC mode, the hashing (HMAC) algorithm is hmac-sha1.

Caution:

If the syslog-ng Premium Edition application or the computer crashes, an unclosed chunk remains at the end of the file. This chunk is marked as broken, its data stays there but is not shown by logcat.

Creating text logspaces

This section describes how to create a new logspace that stores messages in plain text files.

Caution:

NOTE: If there are any multiple logspaces using your logspace as a member logspace, the multiple logspaces in question will be listed under Multiple logspaces using this as member. The list items are clickable links that will take you directly to the logspaces on the SSB web interface.

This list is only visible on the SSB web interface for Logspaces, Filtered Logspaces, Multiple Logspaces, and Remote Logspaces if they are member logspaces in any multiple logspaces.

To create a new logspace that stores messages in plain text files

  1. Navigate to Log > Logspaces and click .

  2. Enter a name for the logspace into the top field. Use descriptive names that help you to identify the source easily.

    Figure 138: Log > Logspaces — Creating a new text logspace

  3. Select Text file from the Type field.

  4. Select the template to use for parsing the log messages. The following templates are available:

    • Legacy corresponds to the following syslog-ng template:

      template("${DATE} ${HOST} ${MSGHDR}${MSG\n}")
    • ISO date corresponds to the following syslog-ng template:

      template("${ISODATE} ${HOST} ${MSGHDR}${MSG\n}")
    • Extended is a deprecated option. Currently it duplicates the functionality of ISO date.

    • Custom specifies a custom syslog-ng template in the appearing Template field.

      For details on using syslog-ng templates, see .

  5. Select how to organize the log files of this logspace from the Filename template field.

    • To save every message received during a day into a single file, select All messages in one file.

    • To create a separate log file for every peer (IP address or hostname) that sends messages, select the Per host option. This option corresponds to using the ${HOST} macro of syslog-ng.

    • To create a separate log file for every application that sends messages, select the Per application option. This option corresponds to using the ${PROGRAM} macro of syslog-ng.

    • To create a separate log file for every application of every peer (IP address or hostname) that sends messages, select Per host and application option. This option corresponds to using the ${HOST}-${PROGRAM} macros of syslog-ng.

    • To specify a custom template for naming the log files, select the Custom option and enter the template into the appearing Template field.

      NOTE:

      For details on using filename templates, see .

      Templates that generate an invalid path (for example, they use a filename longer than 246 characters or refer to a parent directory) will not work.

  6. To create automatic daily backups of the logspace to a remote server, create a backup policy and select it from the Backup policy field. For details on creating backup policies, see Data and configuration backups.

  7. To archive the logspace automatically daily, create an archiving policy and select it from the Archive/Cleanup policy field. For details on creating archiving policies, see Archiving and cleanup.

    Caution:

    Use archiving and cleanup policies to remove older logfiles from SSB, otherwise the hard disk of SSB may become full.

  8. To make the log files of this logspace available via the network, create a sharing policy and select it from the Sharing policy field. For details on creating sharing policies, see Accessing log files across the network.

  9. Set a size for the logspace in the Warning size field: SSB will send an alert if the size of this logspace exceeds the limit.

    Caution:

    Make sure that the Logspace exceeded warning size alert is enabled in Basic Settings > Alerting > syslog-ng traps, and that the mail settings of Basic Settings > Management, and the SNMP settings of Basic Settings > Alerting are correct. Otherwise, you will not receive any alert when the logspace exceeds the size limit. For details on alerting and monitoring, see also Configuring system monitoring on SSB.

  10. By default, members of the search group can view the stored messages online. Use the Access control option to control which usergroups can access the logspace. For details, see also Managing user rights and usergroups.

  11. Click .

Managing logspaces

Logspaces are mostly managed automatically using backup and archiving policies, as described in Data and configuration backups and Archiving and cleanup. However, backup and archiving can be started manually as well. To display the details of a logspace, click . A number of action buttons is shown in the top row.

NOTE: These options are not available for filtered and remote logspaces.

NOTE: If there are any multiple logspaces using your logspace as a member logspace, the multiple logspaces in question will be listed under Multiple logspaces using this as member. The list items are clickable links that will take you directly to the logspaces on the SSB web interface.

This list is only visible on the SSB web interface for Logspaces, Filtered Logspaces, Multiple Logspaces, and Remote Logspaces if they are member logspaces in any multiple logspaces.

Figure 139: Log > Logspaces > Get current size — Managing logspaces

Archive, backup, cleanup, restore and emptying options

TIP: The size of the logspace is displayed in the Size row of the logspace details. To refresh the data, select Get current size.

  • To start the backup process manually, click Backup.

  • To restore the log files from the backup server to syslog-ng Store Box (SSB), click Restore.

    Caution:

    Restoring the backup replaces every log file of the logspace with the files from the backup. Any log message saved into the logspace since the backup is irrevocably lost.

  • To start the archiving and the cleanup process manually, click Archive/Cleanup.

    Caution:

    If the archiving policy selected for the logspace is set to perform only cleanup, log messages older than the Retention Time are deleted and irrevocably lost. For details, see Archiving and cleanup.

  • To delete every log file in the logspace, click Empty. This option can be useful if you have to quickly free up space on SSB, or if you want to delete a logspace.

    Caution:

    This action deletes every file of the logspace. Any log message not archived or backed up is irrevocably lost.

    You can still search archived logs of the logspace.

Similar action buttons are available at the top of the Log > Logspaces page to backup, archive, or delete the contents of every logspace. These actions are performed on every logspace with their respective settings, that is, clicking Backup All creates a backup of every logspace using the backup policy settings of the individual logspace.

Disk space
Type

Managing logspaces - Archive and backup logspaces

Logspaces are mostly managed automatically using backup and archiving policies, as described in Data and configuration backups and Archiving and cleanup. However, backup and archiving can be started manually as well. To display the details of a logspace, click . A number of action buttons is shown in the top row.

NOTE: These options are not available for filtered and remote logspaces.

NOTE: If there are any multiple logspaces using your logspace as a member logspace, the multiple logspaces in question will be listed under Multiple logspaces using this as member. The list items are clickable links that will take you directly to the logspaces on the SSB web interface.

This list is only visible on the SSB web interface for Logspaces, Filtered Logspaces, Multiple Logspaces, and Remote Logspaces if they are member logspaces in any multiple logspaces.

Figure 140: Log > Logspaces — Managing logspaces

TIP: The size of the logspace is displayed in the Size row of the logspace details. To refresh the data, select Get current size.

  • To start the backup process manually, click Backup.

  • To restore the log files from the backup server to syslog-ng Store Box (SSB), click Restore.

    Caution:

    Restoring the backup replaces every log file of the logspace with the files from the backup. Any log message saved into the logspace since the backup is irrevocably lost.

  • To start the archiving and the cleanup process manually, click Archive/Cleanup.

    Caution:

    If the archiving policy selected for the logspace is set to perform only cleanup, log messages older than the Retention Time are deleted and irrevocably lost. For details, see Archiving and cleanup.

  • To delete every log file in the logspace, click Empty. This option can be useful if you have to quickly free up space on SSB, or if you want to delete a logspace.

    Caution:

    This action deletes every file of the logspace. Any log message not archived or backed up is irrevocably lost.

    You can still search archived logs of the logspace.

Similar action buttons are available at the top of the Log > Logspaces page to backup, archive, or delete the contents of every logspace. These actions are performed on every logspace with their respective settings, that is, clicking Backup All creates a backup of every logspace using the backup policy settings of the individual logspace.

Related Documents

The document was helpful.

Seleziona valutazione

I easily found the information I needed.

Seleziona valutazione