The indexer service saves the indexes for the fields that are selected and makes them searchable. Indexing fields consumes disk space and processing power.
This section lists the limitations of the indexer service, and provides instructions for configuring indexing for logstores.
Limitations:
-
Messages are tokenized based on the specified separator characters. Only the first 512 tokens are indexed in a message, the rest are ignored. This limitation does not affect other static fields (PROGRAM, HOST, and so on) or name-value pairs added by the pattern database or values coming from the SDATA part of incoming messages.
-
Whitespace characters (space, tabulator and so on) are always treated as delimiters.
-
Tokens that are shorter than 2 characters are not indexed.
-
Tokens are truncated to 59 characters. Therefore, tokens with at least 59 characters long common prefix will be handled as identical ones.
-
When indexing name-value pairs, the 59 characters limitation is applied to this format: "<name-of-nvpair>=<value-of-nvpair>". Do not use long name parts, in order to avoid the premature truncation of the value part.
-
The shortest timeframe for searching and creating statistics is 1 second. Smaller interval cannot be used.
-
The order of the tokens in a message is not preserved. Therefore, if one message contains 'first_token second_token' and another message contains 'second_token first_token' search expressions such as 'first_token second_token' will find both messages.
To configure the indexer service
-
Navigate to Log > Logspaces and select the logstore to index.
-
To enable automatic indexing of the logstore files, select the Enable option of the Indexer field.
-
To limit the number of hits when searching in the logstore, enter the maximum number of search result hits in the Maximum number of search results field.
To disable the limit, enter 0.
-
Enter the maximum amount of memory the indexer can use for the current logspace in the Memory limit field.
|
|
Caution:
Hazard of data loss. Increasing the Memory limit option too high (1280 MB) can cause message loss and degraded performance. The exact values that can cause problems depend on your configuration and environment.
Make sure that the sum of the memory of all indexed logspaces is smaller than the available memory in your syslog-ng Store Box (SSB) appliance. |
-
Configure the fields to be indexed in the Indexed fields.
NOTE: At least one field must be selected.
The following fields can be indexed: Facility, Priority, Program, Pid, Host, Tags, Name/value pairs, Message.
For the Name/value pairs field, select All to index all Name/value fields or enter the names to be indexed in the Only with the name field as comma-separated names.
If the indexing of the Message field is enabled, the current Delimiters are displayed. By default, the indexer uses the following delimiter characters to separate the message into words (tokens): & : ~ ? ! [ ] = , ; ( ) ' ".
If your messages contain segments that include one of these delimiters, and you want to search for these segments as a whole, remove the delimiter from the list. For example, if your log messages contain MAC addresses, and you want to be able to search for messages that contain a particular MAC address, delete the colon (:) character from the list of delimiters. Otherwise, the indexer will separate the MAC address into several tokens.
NOTE: It is not possible to search for the whitespace () character in the MESSAGE part of the log message, since it is a hard-coded delimiter character.
To access logstore files, you can:
-
Access the logstores using a network share.
This is the recommended method. For details, see Accessing log files across the network.
-
Log in to syslog-ng Store Box (SSB) locally, or remotely using SSH.
To display the contents of a logstore file, use the logcat command supplied with syslog-ng. For example:
logcat /var/log/messages.lgs
To display the contents of encrypted log files, specify the private key of the certificate used to encrypt the file. For example:
logcat -k private.key /var/log/messages.lgs
The contents of the file are sent to the standard output, so it is possible to use grep and other tools to find particular log messages. For example:
logcat /var/log/messages.lgs |grep 192.168.1.1
Every record that is stored in the logstore has a unique record ID. The logcat application can quickly jump to a specified record using the -- seek option.
For files that are in use by syslog-ng, the last chunk that is open cannot be read. Chunks are closed when their size reaches the limit set in the chunk_size parameter, or when the time limit set in the chunk_time parameter expires and no new message arrives.
When the logstore file is encrypted, a hash is also generated for every chunk to verify the integrity of the chunk. The hashes of the chunks are chained together to prevent injecting chunks into the logstore file. The encryption algorithm used is aes128 in CBC mode, the hashing (HMAC) algorithm is hmac-sha1.
|
|
Caution:
If the syslog-ng Premium Edition application or the computer crashes, an unclosed chunk remains at the end of the file. This chunk is marked as broken, its data stays there but is not shown by logcat. |
This section describes how to create a new logspace that stores messages in plain text files.
|
|
Caution:
Compared to binary logspaces (LogStore files), plain text logspaces have the following limitations.
-
Plain text logspaces are not indexed, and you cannot browse or search them on the syslog-ng Store Box (SSB) search interface.
-
You cannot create remote, filtered, or multiple logspaces using text logspaces.
-
You cannot access text logspaces using the SSB RPC API.
Use text logspaces only if you want to access them as a shared file from an external application. For details, see Accessing log files across the network.
You can also configure SSB to store the messages in a plain text logspace (so you can share it) and in a LogStore file at the same time, so you can access them from the SSB search interface. To accomplish this, configure a log path that has two destinations (one plain text, one LogStore), and disable the Log > Paths > Final option for the first path. |
NOTE: If there are any multiple logspaces using your logspace as a member logspace, the multiple logspaces in question will be listed under Multiple logspaces using this as member. The list items are clickable links that will take you directly to the logspaces on the SSB web interface.
This list is only visible on the SSB web interface for Logspaces, Filtered Logspaces, Multiple Logspaces, and Remote Logspaces if they are member logspaces in any multiple logspaces.
To create a new logspace that stores messages in plain text files
-
Navigate to Log > Logspaces and click 
.
-
Enter a name for the logspace into the top field. Use descriptive names that help you to identify the source easily.
Figure 128: Log > Logspaces — Creating a new text logspace
-
Select Text file from the Type field.
-
Select the template to use for parsing the log messages. The following templates are available:
-
Legacy corresponds to the following syslog-ng template:
template("${DATE} ${HOST} ${MSGHDR}${MSG\n}")
-
ISO date corresponds to the following syslog-ng template:
template("${ISODATE} ${HOST} ${MSGHDR}${MSG\n}")
-
Extended is a deprecated option. Currently it duplicates the functionality of ISO date.
-
Custom specifies a custom syslog-ng template in the appearing Template field.
For details on using syslog-ng templates, see .
-
Select how to organize the log files of this logspace from the Filename template field.
-
To save every message received during a day into a single file, select All messages in one file.
-
To create a separate log file for every peer (IP address or hostname) that sends messages, select the Per host option. This option corresponds to using the ${HOST} macro of syslog-ng.
-
To create a separate log file for every application that sends messages, select the Per application option. This option corresponds to using the ${PROGRAM} macro of syslog-ng.
-
To create a separate log file for every application of every peer (IP address or hostname) that sends messages, select Per host and application option. This option corresponds to using the ${HOST}-${PROGRAM} macros of syslog-ng.
-
To specify a custom template for naming the log files, select the Custom option and enter the template into the appearing Template field.
NOTE:
For details on using filename templates, see .
Templates that generate an invalid path (for example, they use a filename longer than 246 characters or refer to a parent directory) will not work.
-
To create automatic daily backups of the logspace to a remote server, create a backup policy and select it from the Backup policy field. For details on creating backup policies, see Data and configuration backups.
-
To archive the logspace automatically daily, create an archiving policy and select it from the Archive/Cleanup policy field. For details on creating archiving policies, see Archiving and cleanup.
|
|
Caution:
Use archiving and cleanup policies to remove older logfiles from SSB, otherwise the hard disk of SSB may become full. |
-
To make the log files of this logspace available via the network, create a sharing policy and select it from the Sharing policy field. For details on creating sharing policies, see Accessing log files across the network.
-
Set a size for the logspace in the Warning size field: SSB will send an alert if the size of this logspace exceeds the limit.
|
|
Caution:
Make sure that the Logspace exceeded warning size alert is enabled in Basic Settings > Alerting > syslog-ng traps, and that the mail settings of Basic Settings > Management, and the SNMP settings of Basic Settings > Alerting are correct. Otherwise, you will not receive any alert when the logspace exceeds the size limit. For details on alerting and monitoring, see also Configuring system monitoring on SSB. |
-
By default, members of the search group can view the stored messages online. Use the Access control option to control which usergroups can access the logspace. For details, see also Managing user rights and usergroups.
-
Click 
.
in the Encryption certificate field.
