
syslog-ng Store Box 6.0.5 - Administration Guide


Configuring SSB with the Welcome Wizard

Purpose

The Welcome Wizard guides you through the basic configuration steps of SSB. All parameters can be modified before the last step by using the Back button of the wizard, or later via the web interface of SSB.

Steps

    To configure SSB with the Welcome Wizard

  1. Open the https://<IP-address-of-SSB-external-interface> page in your browser and accept the displayed certificate. The Welcome Wizard of SSB appears.

    TIP:

    The SSB console displays the IP address the external interface is listening on. SSB either receives an IP address automatically via DHCP, or if a DHCP server is not available, listens on the 192.168.1.1 IP address.

  2. When configuring SSB for the first time, click Next.

    Figure 4: The Welcome Wizard

    It is also possible to import an existing configuration from a backup file. Use this feature to restore a backup configuration after a recovery, or to migrate an existing SSB configuration to a new device.

    1. Click Browse and select the configuration file to import.

      NOTE:

      It is not possible to directly import a GPG-encrypted configuration into SSB; it has to be decrypted locally first.

    2. Enter the passphrase used when the configuration was exported into the Encryption passphrase field.

      For details on restoring configuration from a configuration backup, see Restoring SSB configuration and data.

    3. Click Import.

      Caution:

      If you use the Import function to copy a configuration from one SSB to another, do not forget to configure the IP addresses of the second SSB. Having two devices with identical IP addresses on the same network leads to errors.

  3. Accept the Software Transaction, License and End User License Agreements and install the SSB license.

    Figure 5: The Software Transaction, License and End User License Agreements and the license key

    1. Read the Software Transaction, License and End User License Agreements and select Accept. The License Agreement covers both the traditional license and subscription-based licensing. Clicking Accept means that you accept the agreement that corresponds to the license you purchased (for details on subscription-based licensing, see License types). After the installation is complete, you can read the Software Transaction, License and End User License Agreements at Basic Settings > System > License.

    2. Click Browse, select the SSB license file received with SSB, then click Upload. Without a license file, SSB will run in demo mode.

      NOTE:

      It is not required to manually decompress the license file. Compressed licenses (for example .zip archives) can also be uploaded.

    3. Click Next.

  4. Fill the fields to configure networking. The meaning of each field is described below. The background of unfilled required fields is red. All parameters can later be modified using the regular interface of SSB.

    Figure 6: Initial networking configuration

    1. External interface — IP address: IP address of the external interface of SSB (for example 192.168.1.1). The IP address can be chosen from the range of the corresponding physical subnet. Clients will connect to the external interface, therefore it must be accessible to them.

      If you have changed the IP address of SSB from the console before starting the Welcome Wizard, make sure that you use the same address here.

      NOTE:

      Do not use IP addresses that fall into the following ranges:

      • 1.2.0.0/16 (reserved for communication between SSB cluster nodes)

      • 127.0.0.0/8 (localhost IP addresses)

    2. External interface — Netmask: The IP netmask of the given range in IP format. For example, general class C networks have the 255.255.255.0 netmask.

    3. Default gateway: IP address of the default gateway. When using several network cards, the default gateway is usually in the direction of the external interface.

    4. Hostname: Name of the machine running SSB (for example SSB).

    5. Domain name: Name of the domain used on the network.

    6. DNS server: IP address of the name server used for domain name resolution.

    7. NTP server: The IP address or the hostname of the NTP server.

    8. SMTP server: The IP address or the hostname of the SMTP server used to deliver e-mails.

    9. Administrator's e-mail: E-mail address of the SSB administrator.

    10. Timezone: The timezone where the SSB is located.

      Caution:

      Make sure that you have selected the correct timezone. It is not recommended to change the timezone later, because logspace rotation is based on your local timezone. If you change the timezone later, you will not be able to properly search in your previously stored logs.

    11. HA address: The IP address of the high availability (HA) interface. Leave this field on auto unless specifically requested by the support team. This option is not available on virtual appliances.

    12. Click Next.

  5. Enter the passwords used to access SSB.

    Figure 7: Passwords

    NOTE:

    SSB accepts passwords that are not longer than 150 characters. The following special characters can be used: !"#$%&'()*+,-./:;<=>?@[]^-`{|}

    1. Admin password: The password of the admin user who can access the web interface of SSB.

      The default password policy on newly installed SSB appliances does not accept simple passwords for the admin and root users. As you type, SSB shows the strength of the password under the password field. Enter a password that gets at least a "good" rating.

    2. Root password: The password of the root user, required to access SSB via SSH or from the local console.

      The default password policy on newly installed SSB appliances does not accept simple passwords for the admin and root users. As you type, SSB shows the strength of the password under the password field. Enter a password that gets at least a "good" rating.

      NOTE:

      Accessing SSB using SSH is rarely needed, and recommended only for advanced users for troubleshooting situations.

    3. If you want to prevent users from accessing SSB remotely via SSH or changing the root password of SSB, select the Seal the box checkbox. Sealed mode can be activated later from the web interface as well. For details, see Sealed mode.

    4. Click Next.

  6. Upload or create a certificate for the SSB web interface. This SSL certificate will be displayed by SSB to authenticate administrative HTTPS connections to the web interface and RPC API.

    Figure 8: Creating a certificate for SSB

    To create a self-signed certificate, fill the fields of the Generate new self-signed certificate section and click Generate. The certificate will be self-signed by the SSB appliance, and the hostname of SSB will be used as the issuer and common name.

    1. Country: Select the country where SSB is located (for example, HU-Hungary).

    2. Locality: The city where SSB is located (for example, Budapest).

    3. Organization: The company who owns SSB (for example, Example Inc.).

    4. Organization unit: The division of the company who owns SSB (for example, IT Security Department).

    5. State or Province: The state or province where SSB is located.

    6. Click Generate.

    If you want to use a certificate that is signed by an external Certificate Authority, in the Server X.509 certificate field, click to upload the certificate.

    NOTE:

    If you want to create a certificate with Windows Certificate Authority (CA) that works with SSB, generate a CSR (certificate signing request) on a computer running OpenSSL (for example, using the openssl req -set_serial 0 -new -newkey rsa:2048 -keyout ssbwin2k121.key -out ssbwin2k121.csr -nodes command), sign it with Windows CA, then import this certificate into SSB.

    Figure 9: Uploading a certificate for SSB

    You can choose to upload a single certificate or a certificate chain (that is, intermediate certificates and the end-entity certificate).

    After uploading a certificate or certificate chain, you can review details by clicking the name of the certificate, and looking at the information displayed in the pop-up window that comes up.

    Figure 10: Log > Options > TLS settings — X.509 certificate details

    The pop-up window allows you to:

    • Download the certificate or certificate chain.

      NOTE:

      Certificate chains can only be downloaded in PEM format.

    • View and copy the certificate or certificate chain.

    • Check the names and the hierarchy of certificates (if it is a certificate chain and there is more than one certificate present).

      On hovering over a certificate name, the subject of the certificate is displayed, describing the entity certified.

    • Check the validity dates of the certificate or certificates making up the chain.

      On hovering over a particular date, the exact time of validity is also displayed.

    After uploading the certificate or certificate chain, the presence or absence of the string (chain) displayed after the name of the certificate will indicate whether the certificate is a certificate chain or a single certificate.

    Then, back on the Certificate page of the Welcome Wizard, in the Server private key field, click the icon, upload the private key, and enter the password protecting the private key.

    Figure 11: Uploading a private key

    NOTE:

    SSB accepts private keys in PEM (RSA and DSA), PUTTY, and SSHCOM/Tectia format. Password-protected private keys are also supported.

    One Identity recommends:

    • Using 2048-bit RSA keys (or stronger).

    • Using the SHA-256 hash algorithm (or stronger) when creating the public key fingerprint.

    NOTE:

    SSB accepts passwords that are not longer than 150 characters. The following special characters can be used: !"#$%&'()*+,-./:;<=>?@[]^-`{|}

  7. Review the data entered in the previous steps. This page also displays the certificate generated in the last step, the RSA SSH key of SSB, and information about the license file.

    Figure 12: Review configuration data

    If all information is correct, click Finish.

    Caution:

    The configuration takes effect immediately after clicking Finish. Incorrect network configuration data can render SSB inaccessible.

    SSB is now accessible from the regular web interface via the IP address of its external interface.

  8. Your browser is automatically redirected to the IP address set as the external interface of SSB, where you can log in to the web interface of SSB using the admin username and the password you set for this user in the Welcome Wizard.

    Figure 13: Logging in to SSB
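
A pre-flight check of the values entered in steps 4 and 5, run before clicking Finish. This is an added example, not part of SSB or the original guide. It assumes that the default gateway must lie inside the external interface's subnet and that ASCII letters and digits are accepted in passwords alongside the listed special characters; the sample values are constructed.

```python
import ipaddress
import string

# Ranges the guide says must not be used for the external interface.
RESERVED = {
    "1.2.0.0/16": "reserved for communication between SSB cluster nodes",
    "127.0.0.0/8": "localhost IP addresses",
}
# Special characters copied from the guide's password note.
SPECIALS = "!\"#$%&'()*+,-./:;<=>?@[]^-`{|}"
# Assumption: ASCII letters and digits are accepted in addition to the specials.
ALLOWED = set(string.ascii_letters + string.digits + SPECIALS)
MAX_PASSWORD_LEN = 150


def check_network(ip, netmask, gateway):
    """Return a list of problems with the step 4 networking values."""
    problems = []
    try:
        iface = ipaddress.IPv4Interface(f"{ip}/{netmask}")
        gw = ipaddress.IPv4Address(gateway)
    except ValueError as exc:  # malformed address or non-contiguous netmask
        return [f"invalid value: {exc}"]
    for cidr, why in RESERVED.items():
        if iface.ip in ipaddress.IPv4Network(cidr):
            problems.append(f"{iface.ip} is in {cidr} ({why})")
    net = iface.network
    if net.prefixlen < 31 and iface.ip in (net.network_address, net.broadcast_address):
        problems.append(f"{iface.ip} is the network or broadcast address of {net}")
    if gw not in net:  # assumption: the gateway has to be reachable on-link
        problems.append(f"gateway {gw} is outside {net}")
    return problems


def check_password(password):
    """Return a list of problems with a step 5 password."""
    problems = []
    if len(password) > MAX_PASSWORD_LEN:
        problems.append(f"longer than {MAX_PASSWORD_LEN} characters")
    bad = sorted(set(password) - ALLOWED)
    if bad:
        problems.append("characters outside the documented set: " + " ".join(map(repr, bad)))
    return problems


if __name__ == "__main__":
    # Constructed sample values, not from a real deployment.
    print(check_network("1.2.3.4", "255.255.0.0", "10.0.0.1"))
    print(check_password("correct horse~battery"))
```

An empty list from either function means the values pass these checks; it does not replace the strength rating the wizard shows for passwords.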

Basic settings

syslog-ng Store Box (SSB) is configured via the web interface. Configuration changes take effect automatically after clicking Commit. Only the modifications of the current page or tab are activated — each page and tab must be committed separately.

Supported web browsers

The SSB web interface can be accessed only using TLS encryption and strong cipher algorithms. The browser must support HTTPS connections, JavaScript, and cookies. Make sure that both JavaScript and cookies are enabled.

NOTE:

SSB displays a warning message if your browser is not supported or JavaScript is disabled.

If you have successfully accessed the SSB web interface using HTTPS at least once, your browser will remember this, and on any subsequent occasions, it will force you to access SSB using HTTPS, even if you try loading it through an HTTP connection. This is due to the HTTP Strict Transport Security (HSTS) policy, which lets web servers require that web browsers communicate with them only over an encrypted SSL/TLS connection for a set period. Web servers declare the HSTS policy using the Strict-Transport-Security response header field.

This might, however, cause issues in any of the following cases:

  • When the SSL certificate of SSB's web interface has expired. In this case, any attempt to access the web interface using a secure connection will fail with an error message.

  • When you switch the trusted CA-signed certificate to a self-signed certificate for SSB's web interface. As per HSTS design, a self-signed certificate is not taken to have been issued by a trusted CA, therefore any secure connections to the SSB web interface will fail with an error message.

The resolution to the above-mentioned issues is to:

  • Remove the HSTS settings in your browser. This must be done locally, in a browser-specific way. For detailed instructions, consult the support site of the browser you are using.

    OR

  • Upload a new certificate, using a different browser on a different machine. For detailed instructions on how to upload external certificates to SSB, see "Uploading external certificates to SSB" in the Administration Guide.
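
The two failure cases above can be modelled from the header alone. The following is an added example, not SSB or browser code: it parses a Strict-Transport-Security value following RFC 6797 and reports what a browser holding that policy does when the certificate later expires or is replaced by a self-signed one. The header value and dates are constructed; the max-age that SSB actually sends is not stated on this page.

```python
from datetime import datetime, timedelta, timezone


def parse_hsts(value):
    """Parse a Strict-Transport-Security value per RFC 6797; None if invalid."""
    seen = {}
    for part in value.split(";"):
        name, _, arg = part.strip().partition("=")
        name = name.strip().lower()          # directive names are case-insensitive
        if not name:
            continue
        if name in seen:                     # a repeated directive invalidates the header
            return None
        seen[name] = arg.strip().strip('"')  # max-age may be sent as a quoted-string
    age = seen.get("max-age", "")
    if not (age.isascii() and age.isdigit()):
        return None                          # max-age is mandatory and numeric
    return {"max_age": int(age),
            "include_subdomains": "includesubdomains" in seen}


def browser_outcome(header, noted_at, now, cert_not_after, cert_trusted):
    """Model what a browser that stored `header` at `noted_at` does at `now`."""
    policy = parse_hsts(header)
    pinned = (policy is not None and policy["max_age"] > 0
              and now < noted_at + timedelta(seconds=policy["max_age"]))
    cert_ok = cert_trusted and now <= cert_not_after
    if cert_ok:
        return "connects over HTTPS"
    # With an active HSTS entry the certificate error cannot be clicked through.
    return "hard failure, no bypass" if pinned else "warning, user may proceed"


if __name__ == "__main__":
    # Constructed header and dates for illustration.
    hdr = "max-age=31536000; includeSubDomains"
    noted = datetime(2024, 1, 1, tzinfo=timezone.utc)
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    expired = datetime(2024, 5, 1, tzinfo=timezone.utc)
    future = datetime(2026, 1, 1, tzinfo=timezone.utc)
    print("expired CA-signed cert:", browser_outcome(hdr, noted, now, expired, True))
    print("self-signed replacement:", browser_outcome(hdr, noted, now, future, False))
```

The "hard failure" result is why the guide's resolutions are limited to clearing the browser's HSTS state or uploading a valid certificate from a browser that has never stored the policy.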

Supported browsers

Mozilla Firefox 52 ESR

We also test SSB on the following unsupported browsers: Internet Explorer 11, Microsoft Edge, and the currently available version of Mozilla Firefox and Google Chrome. The features of SSB are available and usable on these browsers as well, but the look and feel might be different from the supported browsers.

The structure of the web interface

The web interface consists of the following main sections:

Main menu: Each menu item displays its options in the main workspace on one or more tabs. Click a menu item to display the list of available tabs.

Figure 14: Structure of the web interface

User menu: Provides possibilities to change your SSB password, to log out, and disable confirmation dialogs and tooltips using the Preferences option.

Figure 15: User menu

User info: Provides information about the user currently logged in:

  • username

  • IP address of the user's computer

  • date and IP address of the user's last login

Figure 16: User info

System monitor: Displays accessibility and system health information about SSB, including the following:

Figure 17: System monitor

  • Time: System date and time.

  • Remaining time: The time remaining before the session to the web interface times out.

    NOTE:

    To change timeout settings, navigate to Basic Settings > Management > Web interface and RPC API settings > Session timeout and enter the timeout value in minutes.

  • Locked: Indicates that the interface is locked by another administrator (for details, see Multiple web users and locking).

  • Modules: The status of syslog-ng running on SSB (ideally it is RUNNING).

  • License: License information if the license is not valid, or an evaluation version license has expired.

  • Raid status: The status of the RAID devices, if synchronization between the disks is in progress.

  • Active:

    • Hosts: the number of clients (log source hosts) where the log messages originate from (for example computers)

    • Senders: the number of senders where the log messages directly come from (for example, relays)

    Example: Number of hosts and senders

    For example: if 300 clients all send log messages directly to SSB, the Hosts and Senders are both 300.

    If the 300 clients send the messages to 3 relays (assuming that the relays do not send messages themselves) and only the relays communicate directly with SSB, then Hosts is 300, while Senders is 3 (the 3 relays).

    If the relays also send messages, then Hosts is 303, while Senders is 3 (the 3 relays).

  • HA: The HA status and the ID of the active node if two SSB units are running in a High Availability cluster. If there are redundant Heartbeat interfaces configured, their status is displayed as well. If the nodes of the cluster are synchronizing data between each other, the progress and the time remaining from the synchronization process is also displayed.

  • Average system load during the

    • Load 1: last minute

    • Load 15: last fifteen minutes

  • CPU, memory, hard disk, and swap use. Hover the mouse above the graphical bars to see more details in a tooltip, or navigate to Basic Settings > Dashboard for detailed reports.

    NOTE:

    If you have installed SSB from Azure, the swap column is not available, because in this case, swap memory is not used.

The System monitor displays current information about the state of SSB. To display a history of these parameters, go to Basic Settings > Dashboard. For details, see Status history and statistics.
