Chat now with support
Chat with Support

syslog-ng Store Box 5.0.3 - Administration Guide

Preface Introduction The concepts of SSB The Welcome Wizard and the first login Basic settings User management and access control Managing SSB Configuring message sources Storing messages on SSB Forwarding messages from SSB Log paths: routing and processing messages Configuring syslog-ng options Searching log messages Searching the internal messages of SSB Classifying messages with pattern databases The SSB RPC API Troubleshooting SSB Security checklist for configuring SSB About us Third-party contributions

Creating filtered logspaces

Purpose:

Filtered logspaces allow you to create a smaller, filtered subset of the logs contained in an existing local, remote or multiple logspace. Assigning a user group to a filtered logspace enables fine grained access control by creating a group which sees only a subset of the logs from a logspace.

You can use the same search expressions and logic as on the Search interface to create a filtered logspace. In the following example, we have configured a filtered logspace that only contains messages from syslog-ng:

NOTE:

The filtered logspace is only a view of the base logspace. The log messages are still stored in the base logspace (if the base logspace is a remote logspace, the log messages are stored on the remote SSB). Therefore you cannot alter any configuration parameters of the logspace directly. To do this, navigate to the base logspace itself.

Figure 105: Log > Filtered Logspaces — Filtered logspaces

Steps:
  1. Navigate to Log > Filtered Logspaces and click .

  2. Enter a name for the logspace into the top field. Use descriptive names that help you to identify the source easily. Note that the name of the logspace must begin with a number or a letter.

  3. Choose which logspace to filter in Base logspace.

  4. Enter the search expression in the Filter field.

    You can create complex searches using wildcards and boolean expressions. For more information and practical examples, see Using complex search queries.

    NOTE:

    SSB only indexes the first 59 characters of every name-value pair (parameter). This has two consequences:

    • If the parameter is longer than 59 characters, an exact search might deliver multiple, imprecise results.

      Consider the following example. If the parameter is:

      .sdata.security.uid=2011-12-08T12:32:25.024+01:00-hostname-12345

      SSB indexes it only as:

      .sdata.security.uid=2011-12-08T12:32:25.024+01:00-hostname-

      This corresponds to the first 59 characters. As a result, searching for:

      nvpair:.sdata.security.uid=2011-12-08T12:32:25.024+01:00-hostname-12345

      returns all log messages that contain:

      .sdata.security.uid=2011-12-08T12:32:25.024+01:00-hostname-
    • Using wildcards might lead to the omission of certain messages from the search results.

      Using the same example as above, searching for the value:

      nvpair:*=2011-12-08T12:32:25.024+01:00-hostname-12345

      does not return any results (as the 12345 part was not indexed). Instead, you have to search for:

      nvpair:*=2011-12-08T12:32:25.024+01:00-hostname-*

      This, as explained above, might find multiple results.

  5. By default, members of the search group can view the stored messages online. Use the Access control option to control which usergroups can access the logspace. For details, see also Managing user rights and usergroups.

  6. Click Commit.

Creating remote logspaces

Purpose:

SSB can access and search logspaces (including filtered logspaces) on other SSB appliances. To configure SSB to access a logspace on another (remote) SSB, set up a remote logspace.

Once configured, remote logspaces can be searched like any other logspace on SSB. You can also create filtered logspaces that are based on the remote logspace.

NOTE:

Note that you cannot alter the configuration, archive, back up, or empty the contents of the logspace on the remote SSB.

NOTE:

If the remote logspace becomes inaccessible, you will not be able to view the contents of that logspace.

Figure 106: Log > Remote Logspaces — Remote logspaces

Prerequisites:
  • You have verified that the version number of the remote SSB equals (or exceeds) the version number of the SSB where the remote logspace is created.

  • You have configured a user on the remote SSB that can access the logspace you want to reach.

  • If the logspace is encrypted, you have verified that the user has the necessary certificates.

  • You have downloaded the CA X.509 certificate of the remote SSB.

    To download the server certificate, navigate to Basic Settings > Management > SSL certificate > CA X.509 certificate, and click on the certificate.

Steps:
  1. Navigate to Log > Remote Logspaces and click .

  2. Enter a name for the logspace into the top field. Use descriptive names that help you to identify the source easily. Note that the name of the logspace must begin with a number or a letter.

  3. Enter the IP address or hostname of the remote SSB in the Host field.

  4. Enter the username of the user configured for accessing the logspace on the remote SSB in the Username field.

  5. Enter the password of the same user in the Password field.

  6. Enter the name of the logspace as it appears on the remote SSB in the Remote logspace name field.

  7. In the Remote certificate authority section, click to upload the server certificate of the remote SSB. A pop-up window is displayed.

    Click Browse, select the certificate of the remote SSB, then click Upload.

  8. By default, members of the search group can view the stored messages online. Use the Access control option to control which usergroups can access the logspace. For details, see also Managing user rights and usergroups.

  9. Click Commit.

Creating multiple logspaces

Purpose:

If you have several SSBs located at different sites, you can view and search the logs of these machines from the same web interface without having to log on to several different interfaces.

Creating multiple logspaces can also be useful if you want to pre-filter log messages based on different aspects and then share these filtered logs only with certain user groups.

The multiple logspace aggregates the messages that arrive from the member logspaces. The new log messages are listed below each other every second.

Once configured, multiple logspaces can be searched like any other logspace on SSB. You can also create filtered logspaces that are based on the multiple logspace.

NOTE:

The multiple logspace is only a view of the member logspaces. The log messages are still stored in the member logspaces (if the member logspace is a remote logspace, the log messages are stored on the remote SSB). Therefore you cannot alter any configuration parameters of the logspace directly. To do this, navigate to the member logspace itself.

NOTE:

If a remote member logspace becomes inaccessible, you will not be able to view the contents of that logspace.

NOTE:

Using multiple logspaces can decrease the performance of the appliance. If possible, manage your logspaces without using multiple logspaces (for example instead of including several filtered logspaces into a multiple logspace, use several search expressions in a filtered logspace).

Figure 107: Log > Multiple Logspaces — Multiple logspaces

Steps:
  1. Navigate to Log > Multiple Logspaces and click .

  2. Enter a name for the logspace into the top field. Use descriptive names that help you to identify the source easily. Note that the name of the logspace must begin with a number or a letter.

  3. Select the Member Logspaces from the list. To add a new member logspace, click and select another logspace. Note that you can only select member logspaces that already exist.

  4. By default, members of the search group can view the stored messages online. Use the Access control option to control which usergroups can access the logspace. For details, see also Managing user rights and usergroups.

  5. Click Commit.

Accessing log files across the network

The log files stored on SSB can be accessed as a network share if needed using the Samba (CIFS) or Network File System (NFS) protocols. Sharing is controlled using policies that specify the type of the share and the clients (hosts) and users who can access the log files. Sharing is possible also if SSB is part of a domain.

Related Documents