Converse agora com nosso suporte
Chat com o suporte

syslog-ng Store Box 7.4.0 - Administration Guide

Preface Introduction The concepts of SSB The Welcome Wizard and the first login Basic settings User management and access control Managing SSB Configuring message sources Storing messages on SSB Forwarding messages from SSB Log paths: routing and processing messages Configuring syslog-ng options Searching log messages Searching the internal messages of SSB Classifying messages with pattern databases The SSB RPC API Monitoring SSB Troubleshooting SSB Security checklist for configuring SSB Glossary

Using name resolution on SSB

The syslog-ng Store Box(SSB) appliance can resolve the hostnames of the clients and include them in the log messages. However, the performance of SSB can be severely degraded if the domain name server is unaccessible or slow. Therefore, SSB automatically caches the results of name resolution. If you experience performance problems under high load, it is recommended to disable name resolution. If you must use name resolution, consider the following:

  • If the IP addresses of the clients change only rarely, set the expiry of the DNS cache to a large value. By default, SSB caches successful DNS lookups for an hour, and failed lookups for one minute. These parameters can be adjusted under Log > Options > Options > DNS Cache expiry and Failed DNS cache expiry.

    Figure 205: Log > Options > Options > DNS Cache expiry — Configuring DNS options

  • Resolve the hostnames locally. Resolving hostnames locally enables you to display hostnames in the log files for frequently used hosts, without having to rely on a DNS server. The known IP address hostname pairs are stored locally in a file. In the log messages, syslog-ng PE will replace the IP addresses of known hosts with their hostnames. To configure local name resolution, select Log > Options > Name resolving, and enter the IP Address - hostname pairs in (for example 192.168.1.1 myhost.example.com) into the Persistent hostname list field. Then navigate to Log > Sources, and set the Use DNS option of your sources to Only from persistent configuration.

    Figure 206: Log > Options > Name resolving — Configuring persistent name resolution

Setting the certificates used in TLS-encrypted log transport

This section describes how to set a custom certificate and a CA certificate for encrypting the transfer of log messages.

NOTE: If you do not upload a certificate to encrypt the TLS communication (that is, the TLS certificate and TLS private key options are not set), syslog-ng Store Box (SSB) uses the certificate and CA certificate set for the web interface (set under Basic Settings > Management > SSL certificates) for this purpose as well.

One Identity recommends:

  • Using 2048-bit RSA keys (or stronger).

  • Using the SHA-256 hash algorithm (or stronger) when creating the public key fingerprint.

To set a custom certificate and a CA certificate for encrypting the transfer of log messages

  1. In your PKI system, generate and sign a certificate for SSB, then navigate to Log > Options > TLS settings.

  2. Click the icon in the TLS certificate field to upload the certificate.

    Figure 207: Log > Options > TLS settings — Configuring TLS settings for syslog-ng

    To upload a certificate from a file, click Browse in the Upload key section, select the certificate file, and click Upload. Alternatively, you can copy/paste the certificate into the Key field of the Copy-paste key section and click Upload.

    You can choose to upload a single certificate or a certificate chain (that is, intermediate certificates and the end-entity certificate).

    After uploading a certificate or certificate chain, you can review details by clicking the name of the certificate, and looking at the information displayed in the pop-up window that comes up.

    Figure 208: Log > Options > TLS settings — X.509 certificate details

    The pop-up window allows you to:

    • Download the certificate or certificate chain.

      NOTE: Certificate chains can only be downloaded in PEM format.

    • View and copy the certificate or certificate chain.

    • Check the names and the hierarchy of certificates (if it is a certificate chain and there is more than one certificate present).

      On hovering over a certificate name, the subject of the certificate is displayed, describing the entity certified.

    • Check the validity dates of the certificate or certificates making up the chain.

      On hovering over a particular date, the exact time of validity is also displayed.

    After uploading the certificate or certificate chain, the presence or absence of the string (chain) displayed after the name of the certificate will indicate whether the certificate is a certificate chain or a single certificate.

  3. Click the icon in the TLS private key field and upload the private key corresponding to the certificate.

  4. To set the certificate of the Certificate Authority (CA) used to verify the identity of the peers, click in the Certificate Authorities field, then click .

    Figure 209: Log > Options > TLS settings > Certificate Authorities — Uploading certificates

    To upload a certificate from a file, click Browse in the Upload key section, select the certificate file, and click Upload.

    Alternatively, you can copy/paste the certificate into the Key field of the Copy-paste key section and click Upload.

    Repeat this step to add more CA certificates if needed.

  5. If the CA issues a Certificate Revocation List (CRL), enter its URL into the CRL URL field. SSB periodically downloads the list and refuses certificates that appear on the list.

    NOTE: Note that only .pem format CRLs are accepted. CRLs that are in PKCS7 format (.crl) are not accepted.

  6. If you want to accept connections only from hosts using certain certificates signed by the CA, click in the Trusted distinguished names field and enter the distinguished name (DN) of the accepted certificates into the Distinguished name field. This option corresponds to the trusted-dn() parameter of syslog-ng.

    For example, *, O=Example Inc, ST=Some-State, C=* accepts only certificates issued for the Example Inc organization in Some-State state.

  7. If you want to accept connections only from hosts using certain certificates that have specific SHA-1 fingerprints, click in the Trusted fingerprints field and enter the SHA-1 fingerprint of the accepted certificates into the SHA-1 fingerprint field. This option corresponds to the trusted-keys() parameter of syslog-ng.

    Example: 00:EF:ED:A4:CE:00:D1:14:A4:AB:43:00:EF:00:91:85:FF:89:28:8F, 0C:42:00:3E:B2:60:36:64:00:E2:83:F0:80:46:AD:00:A8:9D:00:15 adds these specific SHA-1 fingerprints: 00:EF:ED:A4:CE:00:D1:14:A4:AB:43:00:EF:00:91:85:FF:89:28:8F and 0C:42:00:3E:B2:60:36:64:00:E2:83:F0:80:46:AD:00:A8:9D:00:15.

    NOTE: When using the trusted-keys() and trusted-dn() parameters at the same time, note the following:

    • If the fingerprint of the peer is listed in the trusted-keys() parameter and the DN of the peer is listed in the trusted-dn() parameter, then the certificate validation is performed.

    • If either the fingerprint of the peer is not listed in the trusted-keys() parameter or the DN of the peer is not listed in the trusted-dn() parameter, then the authentication of the peer fails and the connection is closed.

Searching log messages

This section describes how to browse the log messages collected on syslog-ng Store Box(SSB).

Using the search interface

The syslog-ng Store Box(SSB) appliance has a search interface for browsing the collected log messages. You can choose the logspace, enter a search expression, specify the timeframe, and browse the results here.

This section walks you through the main parts of the search interface.

To access the search interface, navigate to Search > Logspaces.

Figure 210: Search > Logspaces — The log message search interface

Logspaces:

To choose the appropriate logspace, use the Logspace name menu. Note that you cannot access plain text logspaces on the SSB search interface.

For more information on the available logspaces, and how to configure them, see Storing messages on SSB in the Administration Guide.

Search:

On the log message search interface, you can use the Search expression field to search the full list of log messages. Search expressions are case insensitive, with the exception of operators (like AND, OR, etc.), which must always be capitalized. Click the icon, or see Using complex search queries for more details.

When searching log messages, the capabilities of the search engine depend on the delimiters used to index the particular logspace. For details on how to configure the delimiters used for indexing, see Creating logstores in the Administration Guide.

NOTE: You can search in indexed logspaces even if log traffic is disabled.

You can create complex searches using wildcards and boolean expressions. For more information and practical examples, see Using complex search queries.

NOTE: SSB only indexes the first 59 characters of every name-value pair (parameter). This has two consequences:

  • If the parameter is longer than 59 characters, an exact search might deliver multiple, imprecise results.

    Consider the following example. If the parameter is:

    .sdata.security.uid=2011-12-08T12:32:25.024+01:00-hostname-12345

    SSB indexes it only as:

    .sdata.security.uid=2011-12-08T12:32:25.024+01:00-hostname-

    This corresponds to the first 59 characters. As a result, searching for:

    nvpair:.sdata.security.uid=2011-12-08T12:32:25.024+01:00-hostname-12345

    returns all log messages that contain:

    .sdata.security.uid=2011-12-08T12:32:25.024+01:00-hostname-
  • Using wildcards might lead to the omission of certain messages from the search results.

    Using the same example as above, searching for the value:

    nvpair:*=2011-12-08T12:32:25.024+01:00-hostname-12345

    does not return any results (as the 12345 part was not indexed). Instead, you have to search for:

    nvpair:*=2011-12-08T12:32:25.024+01:00-hostname-*

    This, as explained above, might find multiple results.

Overview:

Displays the number of log messages in the selected time interval.

Figure 211: Search > Logspaces — Log message overview

Use the and icons to zoom, and the arrows to display the previous or the next intervals. To change the timeframe, you can:

  • Change the beginning and the end date.

  • Click and drag the pointer across a period on the calendar bars to select a specific interval and zoom in.

  • Use the Jump to last option to select the last 15 minutes, hour, 6 hours, day, or week.

Hovering the mouse above a bar displays the number of results, and the start and end date of the period that the bar represents. Click a bar to display the results of that period in the table. Use Shift+Click to select multiple bars.

Action bar:

The search interface provides an action bar that allows you to:

It also displays the following information:

Figure 212: Search > Logspaces: Action bar

Link to a search query:

On clicking , the Bookmark links panel is displayed:

Figure 213: Search > Logspaces — Bookmark links panel

Bookmark links allow you to fetch a link to a search query so that you can:

  • Share your search queries with colleagues, who can then access the relevant search results in one click.

  • Save frequently used search queries as bookmark links.

The link in the Current view field provides a direct link to your search query and its results currently displayed on your screen. Whenever you open the bookmarked link from your browser, it will always return the same, fixed set of results. The start and end date that you set when executing the search query and fetching the link from the Bookmark links panel remain fixed.

The Last menu, on the other hand, allows you to specify an interval of time, for example, the last 15 minutes or the last hour, and fetch search results generated within that period. The search results that you access using this link may differ on two different occasions as the start point of the specified interval is always the moment you open the bookmarked link from your browser.

CSV export:

On clicking , the CSV export panel is displayed:

Figure 214: Search > Logspaces — CSV export panel

Clicking exports your search results into a CSV file. This saves the table as a text file containing comma-separated values. Note that if an error occurs when exporting the data, the exported CSV file will include a line (usually as the last line of the file) starting with a zero and the details of the problem, for example, 0<description_of_the_error>.

Caution:

Do not use Download CSV export to export large amounts of data, as exporting data can be very slow, especially if the system is under heavy load. If you regularly need a large portion of your data in plain text format, consider using the SSB RPC API (for details, see The SSB RPC API in the Administration Guide), or sharing the log files on the network and processing them with external tools (for details, see Accessing log files across the network in the Administration Guide).

Alert:

The alert functionality enables you to set up content-based alerts for search expressions of your choice. You will receive an alert when a match is found between the search expression and the contents of a log message. Note that the alerts are generated for only those log messages that are stored in the logspace(s) for which you set up the alert.

For detailed information on content-based alerts, see Creating content-based alerts in the Administration Guide.

Errors and warnings:

When any user action results in an error condition (for example, if you enter an invalid search expression, display statistics for a column that has not been indexed), an error or warning notification will be displayed on the action bar. Errors are shown in red letters, warnings are displayed in amber.

If there is more than one notification, the latest will be displayed and the number of notifications triggered will also be indicated. Clicking the notification will open an Errors and warnings panel:

Figure 215: Search > Logspaces — Errors and warnings panel

The Errors and warnings panel displays a list of errors/warnings with their time stamp and details of their cause.

You can clear notifications one by one by clicking next to the them, or clear all of them by clicking .

Search results:

After running a search query, the action bar displays the number of search results returned by the query. This is useful information when you are trying to find out how often a certain element appears in the logs.

List of log messages:

Use the arrow keys and the Page Up and Page Down keys to navigate the listed log messages, or use the mouse wheel to scroll. You can disable mouse wheel scrolling in your User menu > Preferences. If data is too long to fit on one line, it is automatically wrapped and only the first line is displayed.

Figure 216: Search > Logspaces — List of log messages

Details of a log message:

To expand a row in the list of log messages, click . The complete log message is displayed:

Figure 217: Search > Logspaces — Viewing a single log message

Use the arrow keys to jump to the previous or the next log message.

Use the Page Up and Page Down to jump to the 10th log message before or after the currently displayed log message. You can also jump to the previous or the next log message with the mouse wheel.

If the displayed log message consists of several pages of data, you can configure the mouse wheel to be able to use it for scrolling the message vertically. To do this, navigate to User menu > Preferences, deselect Mousewheel scrolling of search results and click Set options. This will disable jumping between log messages with the mouse wheel.

You can perform the following actions:

  • Click any word in the message to copy it to the Search field.

  • Click any of the dynamic columns (name-value pairs) to add it as a column to the list of log messages.

  • Click any of the icons to view the statistics of the selected category.

To return to the list of all log messages, click .

Documentos relacionados

The document was helpful.

Selecione a classificação

I easily found the information I needed.

Selecione a classificação