To display statistics about the log messages, click the icon in the appropriate header of the table.
You can choose from Bar chart or Pie chart & List.
NOTE: For performance reasons, when creating statistics for a Multiple Logspace (see "Creating multiple logspaces" in the Administration Guide), syslog-ng Store Box (SSB) does not create statistics if the data upon which the statistics is based (for example, the hostname) has over 1000 entries in any of the member logspaces. In this case, SSB displays the Number of member statistics has too many entries error message.
Figure 220: Search > Logspaces — Displaying log statistics as Bar chart
In Pie chart & List view, percentages add up to 100%. The only exception to this is when statistics are based on Tags. Since statistics are provided for tags rather than messages, when messages have multiple tags, the percentages may add up to more than 100%.
Figure 221: Search > Logspaces — Displaying log statistics as Pie chart & List
Statistics will show the item with the largest number of entries first. To display the item with the least number of entries first, select Least.
NOTE: When navigating to the "future" in the search bar, it is possible that the number of logs displayed in the Search results differs from the number of logs displayed in the Count part of the Host pie chart.
To avoid this, do not navigate to the "future".
If this has already happened, save the search expression that you have used somewhere, and then refresh the page by clicking Log > Search again. Note that it will display the original state of the Search page, meaning that for example it will remove all search expressions that you have entered before.
You can export these statistics in CSV format using the Export all to CSV option, or you can include them in reports as a subchapter.
You can save log statistics to include them in reports as a subchapter.
Figure 222: Search > Logspaces — Creating reports from custom log statistics
- In the Statistics view, click Report settings.
- Add a name for the statistics in the Report subchapter name field.
- Select the Visualization for the report: List, Pie chart, or Bar chart.
- Choose how the entries are sorted: descending (Top) or ascending (Least).
- Choose the Number of entries to include.
  NOTE: Selecting All includes only the first 1000 results. The remaining results are aggregated as 'others'.
  NOTE: For performance reasons, when creating statistics for a Multiple Logspace (see "Creating multiple logspaces" in the Administration Guide), syslog-ng Store Box (SSB) does not create statistics if the data upon which the statistics is based (for example, the hostname) has over 1000 entries in any of the member logspaces. In this case, SSB displays the Number of member statistics has too many entries error message.
- Select the user group that can access the subchapter in the Grant access for the following user groups field.
- Click Save as Report subchapter.
- To add the saved subchapter to a report, follow the instructions provided in Configuring custom reports.
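The following is an added example, not code from the guide or from SSB, that models the statistics behaviour described above: counting per tag (so tag-based percentages can exceed 100%), Top/Least ordering, and folding everything past the Number of entries limit (or the 1000-entry cap of All) into an 'others' row. The message dictionaries and field names are assumptions made for the example.

```python
from collections import Counter

MAX_ENTRIES = 1000  # "All" still includes only the first 1000 results

SAMPLE_MESSAGES = [  # constructed sample messages; some carry several tags
    {"host": "web1", "tags": ["auth", "ssh"]},
    {"host": "web1", "tags": ["auth"]},
    {"host": "web2", "tags": ["cron"]},
    {"host": "db1", "tags": ["auth", "ssh", "cron"]},
]

def log_statistics(messages, field, order="Top", limit=None):
    """Return [(value, count, percent)] rows for one field.

    Percent is count / number of messages. For "tags" each message counts
    once per tag, so the percentages can add up to more than 100%, as the
    guide notes. Rows beyond `limit` (or beyond MAX_ENTRIES when limit is
    None, i.e. "All") are folded into one 'others' row. order is "Top"
    (largest count first) or "Least" (smallest count first).
    """
    counts = Counter()
    for msg in messages:
        value = msg.get(field)
        if field == "tags":
            counts.update(value or [])
        elif value is not None:
            counts[value] += 1
    total = len(messages)
    sign = 1 if order == "Least" else -1
    rows = sorted(counts.items(), key=lambda kv: (sign * kv[1], kv[0]))
    cap = MAX_ENTRIES if limit is None else min(limit, MAX_ENTRIES)
    kept, rest = rows[:cap], rows[cap:]
    result = [(v, c, round(100.0 * c / total, 1)) for v, c in kept]
    if rest:
        other = sum(c for _, c in rest)
        result.append(("others", other, round(100.0 * other / total, 1)))
    return result

def percent_total(rows):
    """Sum of the percent column: 100.0 except for tag-based statistics."""
    return round(sum(p for _, _, p in rows), 1)
```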
The syslog-ng Store Box (SSB) appliance can create content-based alerts about log messages based on specific search expressions. Search queries are run every few seconds and an alert is triggered whenever a match between the contents of a log message and a search expression is found. Alerts are collected and sent to a pre-defined email address (or email addresses).
Some log messages might have particular significance and therefore getting notifications about those can often be more efficient than searching for them manually.
You can set up or modify alerts for local logspaces or those logspaces to which you have the relevant privileges, meaning that:
- Either the relevant user group has been assigned read and write/perform access to the Search > Logs object on the AAA > Access Control page.
- Or the user group has been added under the Access control option of the relevant logspace on the Log > Logspaces page.
There are two ways to create alerts: using the search interface, or using the Search > Content-Based Alerts page.
NOTE: Content-based alerting is currently not available for filtered, multiple, and remote logspaces.
NOTE: In the case of encrypted logspaces, no decryption key is required for content-based alerting to work. SSB has access to the log messages while processing them, and the indexer and content-based alerting services run before encryption happens.
This section describes how to set up alerts using the search interface.
To set up alerts using the search interface
- Configure a target where you wish to send your content-based alerts.
  Alert targets are set up and modified by superusers or user groups that have been assigned read and write/perform access to the Policies object on the AAA > Access Control page.
  To specify an alert target:
  - Go to Policies > Alert targets.
  - Click .
    The new tab that opens allows you to record an alert target.
    Figure 223: Policies > Alert targets — Alert targets page
  - Enter a name for your alert target.
    NOTE: Alert target names must be unique.
  - In the Target email address field, enter the email address where you wish to send alerts.
    NOTE: You can specify only one email address per target. However, you can add multiple targets per alert, which allows you to send a specific alert to more than one email address (if required).
  - In the Cooldown period field, enter the minimum amount of time (in seconds) that should pass between the sending of two alert messages to this target.
    The minimum value is 60 seconds, and the maximum value is 999999 seconds.
    NOTE: An alert message is sent only when a match is found between the contents of log messages and a search expression. This means that if no match is found, more time may pass between two alert messages than the interval specified as the cooldown period.
  - Click to save your details.
  Expected result:
  You have successfully configured a target for your alert where alert messages will be sent.
- Optional step: You can also specify the email address from which the alerts are sent to your targets. Configuring an email address from where you wish to receive emails can be useful for filtering purposes. If you do not specify such an email address, a default one will be used.
  For detailed instructions, see the steps describing how to specify a Send e-mails as email address in "Configuring e-mail alerts" in the Administration Guide.
- Once you have set up a target or targets, navigate to the search interface by going to Search > Logspaces.
  Figure 224: Search > Logspaces — Setting up alerts on the search interface
- In the Logspace name menu, select the relevant logspace.
- In the Search expression field, enter the search expression that you wish to receive alerts about and click .
- To configure additional details for the alert, click . The Content-based alerting panel is displayed.
  Figure 225: Search > Logspaces — Content-based alerting panel
  The Logspace field displays the name of the logspace that you have selected from the Logspace name menu. The Search expression field displays the search expression that you entered in the Search expression field.
- Enter a name for your alert in the Alert name field.
  NOTE: Alert names must be globally unique. Using a prefix before alert names can help avoid specifying a name that is already in use.
- Select a target from Targets. You can select multiple targets if you wish to distribute the alert to multiple email addresses.
  You can remove targets you have already added by clicking in front of the target's name.
- To save your details, click .
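The following is an added example, not code from the guide or from SSB, that replays constructed log lines through one content-based alert with two targets to show the cooldown semantics described in the procedure above: one address per target, a cooldown of 60 to 999999 seconds per target, matches collected and flushed only on a match once the cooldown has elapsed, so that without matches the gap between two messages can exceed the cooldown. The term-based matcher is a simplification and not SSB's search syntax.

```python
from dataclasses import dataclass, field
from typing import List, Optional

@dataclass
class AlertTarget:
    name: str
    email: str                       # one address per target
    cooldown: int                    # seconds, 60..999999 as in the guide
    last_sent: Optional[int] = None  # timestamp of the last message sent
    pending: List[str] = field(default_factory=list)

    def __post_init__(self):
        if not 60 <= self.cooldown <= 999999:
            raise ValueError("cooldown must be between 60 and 999999 seconds")

def matches(search_expression, message):
    # Simplified matcher (assumption, not SSB's search syntax): every
    # whitespace-separated term must occur in the message, case-insensitively.
    return all(t.lower() in message.lower() for t in search_expression.split())

def run_content_based_alert(search_expression, targets, log_lines):
    """Replay (timestamp, message) pairs; return (timestamp, email, lines)
    for every alert message that would be sent. Matches are collected per
    target and flushed only on a match and only once that target's cooldown
    has elapsed, so with no matches the gap can exceed the cooldown."""
    sent = []
    for ts, line in log_lines:
        if not matches(search_expression, line):
            continue
        for target in targets:
            target.pending.append(line)
            if target.last_sent is None or ts - target.last_sent >= target.cooldown:
                sent.append((ts, target.email, list(target.pending)))
                target.pending.clear()
                target.last_sent = ts
    return sent

SAMPLE_LOG = [  # constructed sample lines, relative timestamps in seconds
    (0, "sshd: Failed password for root from 10.0.0.5"),
    (30, "sshd: Failed password for admin from 10.0.0.5"),
    (90, "cron: job finished"),
    (100, "sshd: Failed password for root from 10.0.0.9"),
    (500, "sshd: Failed password for root from 10.0.0.9"),
]

def example_run():
    targets = [AlertTarget("soc", "soc@example.com", 60),
               AlertTarget("oncall", "oncall@example.com", 300)]
    return run_content_based_alert("failed password", targets, SAMPLE_LOG)
```

With the sample above the 60-second target sends at 0, 100 and 500 seconds (the match at 30 is held and batched into the message at 100), while the 300-second target sends at 0 and 500 with the three held matches in the second message.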