This knowledge base article is to help migrating Syslog-ng Store Box (SSB) from an old appliance to a new one.
The procedure is based on the SSB's backup and restore functionality, that is backward compatible.
It should work in any migration scenario independently of the SSB version and machine type.
Please note that migrations are not supported. For assistance with migrations please contact Professional Services.
The support of hardware or SSB version has ended.
Warning! Migrating to a newer version is only recommended if upgrading from an SSB 4 virtual to another virtual appliance.
HA cluster: Both node can be prepared and installed, but during the migration only the master node should be up and running.
During the migration SSB will not receive log messages. To prevent log messages the client have to be prepared to the migration as well.
To prevent message loss we should revise the environment in the view of transport method TCP or UDP.
In case of TCP the client/relay notices that the SSB is not available and buffers the outgoing messages.
But UDP is stateless so the client/relay continues to send logs messages, which will be lost.
The exact solution depends on the environment. Here you can find some general solutions.
The recommended and most efficient solution is to have syslog-ng relays to collect the logs of all clients and forward them to SSB.
Disk-buffer must be enabled for the SSB destination and must have sufficient size to store the logs during the migration.
For more details see the administration guide.
In syslog-ng clients disk-buffer can be configured, just like in relays.
Log collection from static sources like file or sql database can be stopped by disabling the log paths using the sources.
1. Disable syslog-ng at Basic Settings | System | Service control | Syslog traffic, indexing & search: Disable
2. Creating backups
a. Run System backup at Settings | Management | System backup | Backup now
b. Run Data backup at Log | Logspaces | Backup ALL
3. Export configuration at Basic Settings | System | Export configuration
4. Shut down the appliance when the e-mail notifications about the successful backups have arrived at Basic Settings | System | System control | Shutdown
HA cluster: The slave node have to be shut down before the master node. It can be done when the backup is running.
5. Open the new SSB's WEB UI. You should see the Welcome Wizard.
6. Upload the recently exported configuration file and press Next. SSB will import the configuration and start in demo mode.
7. Upload the new license file at Basic Settings | System | License
8. Restoring data.
a. Run system restore at Basic Settings | Management | System backup | Restore Now
System restore usually takes a few minutes only.
b. Run data restore at Log | Logspaces | Restore ALL
Data restore may take more time depending on the amount of data. See note.
9. Migration check.
a. While data is being restored check the system.
- Recommended configurations checks
- Recommended metadata checks (Depending on configuration, results may vary)
Reports | Generated reports
Search | Archive & Cleanup
AAA | Accounting
b. When the data restore is finished, check if all data has been migrated at Search | Logspaces.
10. Restart syslog-ng at Basic Settings | System | Service control | Restart syslog-ng
Additional steps for HA cluster:
- Start up the slave node.
The HA synchronization should be starting from the master node.
- Check the status of HA at Basic Settings | High Availability.
Migration from SSB 4:
Searching in logs migrated from SSB 4 will generate the notification: "Search time interval is smaller than timeindex precision".
It is because searching precision has been improved in SSB 5 LTS.
The notification can be ignored.
© 2022 One Identity LLC. ALL RIGHTS RESERVED. Feedback 利用規約 プライバシー