
syslog-ng Store Box 7.0.4 LTS - Administration Guide


Using complex search queries

You can use wildcards and boolean expressions, and search specific parts of the log messages collected on syslog-ng Store Box (SSB).

NOTE: When searching log messages, the capabilities of the search engine depend on the delimiters used to index the particular logspace. By default, the indexer uses the following delimiter characters to separate the message into words (tokens): & : ~ ? ! [ ] = , ; ( ) ' ". For details on how to configure the delimiters used for indexing, see Creating logstores in the Administration Guide.

The following sections provide examples for different search queries:

Searching for exact matches and using complex queries

By default, SSB searches for keywords as whole words in the MESSAGE part of the log message and returns only exact matches.

Combining search keywords

You can use boolean operators - AND, OR, and NOT - to combine search keywords. Note that the boolean operators are case sensitive, and must be in all caps. More complex search expressions can also be constructed with parentheses.

Using wildcard searches

You can use the ? and * wildcards in your search expressions.

Searching for special characters

To search for the question mark (?), asterisk (*), backslash (\) or whitespace ( ) characters, you must prefix these characters with a backslash (\). Any character after a backslash is handled as a character to be searched for.

NOTE: Delimiter characters are an exception to the rule. It is not possible to search for delimiter characters, even when they are prefixed.

Searching in a specific part of the message

You can search in a specific part of the message using the <type>: prefix. The message: (or msg:) prefix means the message part and can be omitted. For example, use the program: prefix to search for the name of an application, or use the host: prefix to search for a host name, and so on.

Searching the name-value pairs of the message

You can search the structured data part of log messages using the nvpair: prefix. Use the = delimiter to separate the name and the value of structured data parameters, and remove the quote marks from the values.
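As an added example (not code from the guide or from One Identity), the following Python helpers apply the rules above: they escape the characters the page says must be backslash-prefixed, split a literal string at the default delimiter characters (which cannot be matched, so the surrounding words are required with AND instead), and build prefixed and nvpair: terms. The delimiter set and the escaping rules come from the page; the function names are assumptions of this example.

```python
import re

# Default indexing delimiters listed on the page: a message is split into words at these
# characters, so they never appear in a token and cannot be searched for, even if escaped.
DELIMITERS = "&:~?![]=,;()'\""
# Characters the page says must be backslash-prefixed inside a search term.
ESCAPE_CHARS = set("*?\\ \t")


def escape_term(word: str) -> str:
    """Backslash-prefix wildcard, backslash and whitespace characters so they match literally."""
    return "".join("\\" + ch if ch in ESCAPE_CHARS else ch for ch in word)


def nvpair_term(name: str, value: str) -> str:
    """Build an nvpair: term: name and value joined by '=', quote marks dropped from the value."""
    return "nvpair:" + escape_term(name) + "=" + escape_term(value.strip('"'))


def literal_to_query(text: str, field: str = "", delimiters: str = DELIMITERS) -> str:
    """Turn a literal string (e.g. a line copied from an alert) into an SSB search expression.

    The literal is split at delimiter characters, which cannot be matched, and the words
    around them are all required with AND; wildcards and whitespace inside each word are
    escaped so they are searched for literally.  `field` adds a prefix such as program or
    host (message is the default and may be omitted).  Pass a different `delimiters`
    string for a logspace that was indexed with a non-default delimiter set.
    """
    words = [w.strip() for w in re.split("[" + re.escape(delimiters) + "]+", text)]
    words = [w for w in words if w]
    if not words:
        raise ValueError("literal contains no searchable word")
    prefix = field + ":" if field else ""
    terms = [prefix + escape_term(w) for w in words]
    return terms[0] if len(terms) == 1 else "(" + " AND ".join(terms) + ")"


def combine(*queries: str, operator: str = "AND") -> str:
    """Join sub-queries with AND or OR; the operators are case sensitive, so lower case is rejected."""
    if operator not in ("AND", "OR"):
        raise ValueError("boolean operators must be written in all caps: AND or OR")
    return "(" + f" {operator} ".join(queries) + ")"


if __name__ == "__main__":
    # Constructed sample input: an alert line and a key=value fragment, searched in MESSAGE.
    print(literal_to_query("Failed password for root from 10.0.0.5"))
    print(literal_to_query("cmd=rm *.log"))          # '=' cannot be matched: (cmd AND rm\ \*.log)
    print(combine(literal_to_query("sshd", field="program"), nvpair_term("user", '"root"')))
```

Because ? is in the default delimiter set, a literal question mark is split away rather than escaped; it is only escaped when you pass a delimiter set that no longer contains it.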

Search performance tips

Browsing encrypted logspaces

By default, you cannot browse encrypted logstores from the syslog-ng Store Box (SSB) web interface, because the required decryption keys are not available on SSB. To make browsing and searching encrypted logstores possible, SSB provides the following options:

NOTE: Do not use SSB's own keys and certificates for encrypting or decrypting.

One Identity recommends:

  • Using 2048-bit RSA keys (or stronger).

  • Using the SHA-256 hash algorithm (or stronger) when creating the public key fingerprint.

Using persistent decryption keys

You can upload decryption keys and bind them to your account. The decryption keys are stored on syslog-ng Store Box (SSB), but they are only made available for this user account, and can also be protected (encrypted) with a passphrase.

To use persistent decryption keys

  1. Select User menu > Private keystore. A pop-up window is displayed.

  2. Select Permanent > , then select Certificate > . A pop-up window is displayed.

    Figure 211: User menu > Private keystore — Adding decryption keys to the private keystore

  3. Paste or upload the certificate used to encrypt the logstore.

  4. Select Key > . A pop-up window is displayed.

  5. Paste or upload the private key of the certificate used to encrypt the logstore.

  6. Repeat Steps 2-5 to upload additional keys if needed.

  7. Select Security passphrase > Change, and enter a passphrase to protect the private keys.

    Figure 212: User menu > Private keystore — Securing the private keystore with a passphrase

  8. Click Apply.

Using session-only decryption keys

You can upload decryption keys to browse encrypted logspaces for the duration of the session only. These keys are automatically deleted when you log out from syslog-ng Store Box (SSB).

To use session-only decryption keys

  1. Select User menu > Private keystore. A pop-up window is displayed.

  2. Select Temporary > , then select Certificate > . A pop-up window is displayed.

    Figure 213: User menu > Private keystore — Adding decryption keys to the private keystore

  3. Paste or upload the certificate used to encrypt the logstore.

  4. Select Key > . A pop-up window is displayed.

  5. Paste or upload the private key of the certificate used to encrypt the logstore.

  6. Repeat Steps 2-5 to upload additional keys if needed.

  7. Click Apply.
