Chat now with support
Chat with Support

syslog-ng Store Box 6.9.0 - Administration Guide

Preface Introduction The concepts of SSB The Welcome Wizard and the first login Basic settings User management and access control Managing SSB Configuring message sources Storing messages on SSB Forwarding messages from SSB Log paths: routing and processing messages Configuring syslog-ng options Searching log messages Searching the internal messages of SSB Classifying messages with pattern databases The SSB RPC API Monitoring SSB Troubleshooting SSB Security checklist for configuring SSB Glossary

Creating remote logspaces

The syslog-ng Store Box (SSB) appliance can access and search logspaces (including filtered logspaces) on other SSB appliances. To configure SSB to access a logspace on another (remote) SSB, set up a remote logspace.

Once configured, remote logspaces can be searched like any other logspace on SSB. You can also create filtered logspaces that are based on the remote logspace.

NOTE: Note that you cannot alter the configuration, archive, back up, or empty the contents of the logspace on the remote SSB.

NOTE: If the remote logspace becomes inaccessible, you will not be able to view the contents of that logspace.

NOTE: If there are any multiple logspaces using your logspace as a member logspace, the multiple logspaces in question will be listed under Multiple logspaces using this as member. The list items are clickable links that will take you directly to the logspaces on the SSB web interface.

This list is only visible on the SSB web interface for Logspaces, Filtered Logspaces, Multiple Logspaces, and Remote Logspaces if they are member logspaces in any multiple logspaces.

Figure 135: Log > Remote Logspaces — Remote logspaces

Prerequisites:

  • You have verified that the version number of the remote SSB equals (or exceeds) the version number of the SSB where the remote logspace is created.

  • You have configured a user on the remote SSB that can access the logspace you want to reach.

  • If the logspace is encrypted, you have verified that the user has the necessary certificates.

  • You have downloaded the CA X.509 certificate of the remote SSB.

    To download the server certificate, navigate to Basic Settings > Management > SSL certificate > CA X.509 certificate, and click on the certificate.

To create remote logspaces

  1. Navigate to Log > Remote Logspaces and click .

  2. Enter a name for the logspace into the top field. Use descriptive names that help you to identify the source easily. Note that the name of the logspace must begin with a number or a letter.

  3. Enter the IP address or hostname of the remote SSB in the Host field.

  4. Enter the username of the user configured for accessing the logspace on the remote SSB in the Username field.

  5. Enter the password of the same user in the Password field.

  6. Enter the name of the logspace as it appears on the remote SSB in the Remote logspace name field.

  7. In the Remote certificate authority section, click to upload the server certificate of the remote SSB. A pop-up window is displayed.

    NOTE:

    It is not possible, nor required to upload a certificate chain to Remote certificate authority. The certificate chain is used by the server, not the remote logspace.

    If you want to use a certificate chain when authenticating to a remote logspace, do the following:

    1. Upload the root CA to Log > Remote Logspaces > Remote certificate authority.

    2. Upload the intermediate CA and end-entity (server) certificate to Basic Settings > Management > SSL certificate > Server X.509 certificate.

    Click Browse, select the certificate of the remote SSB, then click Upload.

  8. By default, members of the search group can view the stored messages online. Use the Access control option to control which usergroups can access the logspace. For details, see also Managing user rights and usergroups.

  9. Click .

Creating multiple logspaces

If you have several syslog-ng Store Box (SSB) appliances located at different sites, you can view and search the logs of these machines from the same web interface without having to log on to several different interfaces.

Creating multiple logspaces can also be useful if you want to pre-filter log messages based on different aspects and then share these filtered logs only with certain user groups.

Multiple logspaces aggregate the messages that arrive from the member logspaces within the group. The new log messages are listed below each other every second.

Once configured, multiple logspaces can be searched like any other logspace on SSB. You can also create filtered logspaces that are based on the multiple logspaces.

NOTE: Multiple logspaces are only a view of the member logspaces. The log messages are still stored in the member logspaces (if the member logspace is a remote logspace, the log messages are stored on the remote SSB). As a result, you cannot alter any configuration parameters of the logspace directly. To do this, navigate to the member logspace itself.

NOTE: If a remote member logspace becomes inaccessible, you will not be able to view the contents of that logspace.

NOTE: Using multiple logspaces may decrease the performance of the appliance. If possible, manage your logspaces without using multiple logspaces (for example, instead of including several filtered logspaces into a multiple logspace, use several search expressions in a filtered logspace).

NOTE: If there are any multiple logspaces using your logspace as a member logspace, the multiple logspaces in question will be listed under Multiple logspaces using this as member. The list items are clickable links that will take you directly to the logspaces on the SSB web interface.

This list is only visible on the SSB web interface for Logspaces, Filtered Logspaces, Multiple Logspaces, and Remote Logspaces if they are member logspaces in any multiple logspaces.

Figure 136: Log > Multiple Logspaces — Creating multiple logspaces

To create multiple logspaces

  1. Navigate to Log > Multiple Logspaces and click .

  2. Enter a name for the multiple logspace. Use descriptive names that help you to identify the source easily.

    NOTE: When naming your multiple logspace, consider that the name of your multiple logspace must begin with either of the following:

    • a letter of the English alphabet

    • a number

    • an underscore (_)

    • a hyphen (-)

  3. Select the Member logspaces from the list. To add a new member logspace, click and select a different logspace.

    NOTE: Consider the following:

    • You can only select logspaces that you previously configured as a local logspace / filtered logspace / remote logspace / multiple logspace.

    • You cannot add a multiple logspace to itself, only to a different multiple logspace. For example, you cannot add multiple_ls as a member of your multiple_ls multiple logspace.

    • You can add several of the same logspace types (that is, local / filtered / remote / multiple logspaces), but you cannot add the same unique logspace more than once.

  4. Under Advanced configuration, set the pool size of the concurrent remote requests for the configured multiple logspaces. The default value is 2, and the minimum configurable value is 1.

    NOTE: Consider the following:

    • Higher pool size settings may increase search speed in remote logspaces.

    • The Pool size of concurrent remote requests value is set per multiple logspace.

    • SSB only accesses remote logspaces parallelly. Parallel access is not effective for the following types of member logspaces:

      • filtered logspaces (even if the base of the filtered logspace is a remote logspace)

      • multiple logspaces

      • local logspaces

    • If more than one member remote logspace within the multiple logspace is located on the same remote SSB, then one of the following scenarios are possible:

      • The parallel or concurrent remote requests may result in performance issues on the remote SSB appliance.

      • Increasing the Pool size of concurrent remote requests value may affect search speed for remote logspaces located on the same remote host.

    • Increasing the Pool size of concurrent remote requests value will increase your network usage.

    • SSB handles each member remote logspace request per remote logspace, as a single element of the available pool. As a result, setting the Pool size of concurrent remote requests value to the same value as the number of member remote logspaces may increase your search speed, but setting it any higher will not increase your search speed further.

  5. By default, members of the search group can view the stored messages online. Use the Access control option to control which usergroups can access the logspace. For details, see also Managing user rights and usergroups.

  6. Click .

Accessing log files across the network

The log files stored on syslog-ng Store Box (SSB) can be accessed as a network share if needed using the Samba (CIFS) or Network File System (NFS) protocols. Sharing is controlled using policies that specify the type of the share and the clients (hosts) and users who can access the log files. Sharing is possible also if SSB is part of a domain.

Sharing log files in standalone mode

To share log files in standalone mode

  1. Navigate to Policies > Shares > SMB/CIFS options and select Standalone mode.

    Figure 137: Policies > Shares > SMB/CIFS options — Sharing logspaces

  2. Select to create a new share policy and enter a name for the policy.

  3. Select the type of the network share from the Type field.

    Figure 138: Policies > Shares > Share policies — Creating share policies

    • To access the log files using NFS (Network File System), select NFS.

    • To access the log files using Samba (Server Message Block protocol), select CIFS.

      NOTE: From SSB version 5.2.0, SSB only supports SMB 2.1 and later. If you are using a Windows version earlier than Windows 2008R2, make sure that it supports SMB 2.1 or later. Otherwise, the Windows machine cannot connect to the SSB share.

  4. If you are using the Samba protocol, you can control which users and hosts can access the shares. Otherwise, every user with an syslog-ng Store Box (SSB) account has access to every shared log file.

    • To control which users can access the shared files, enter the name of the usergroup who can access the files into the Allowed group field. For details on local user groups, see Managing local usergroups.

    • To limit the hosts from where the shares can be accessed, create a hostlist and select it from the Hostlist field. For details on creating hostlists, see Creating hostlist policies.

  5. Click .

  6. To display the details of the logspace, navigate to Log > Logspaces and click .

  7. Select the share policy to use from the Sharing policy field.

    Figure 139: Log > Logspaces > Policies — Setting the share policy of a logspace

  8. Click .

  9. Mount the shared logspace from your computer to access it.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating