
syslog-ng Store Box 5.0.3 - Administration Guide


General syslog-ng settings

To configure the general options of the syslog-ng server running on SSB, navigate to Log > Options. The following options are available (note that options related to name resolution are discussed in Using name resolution on SSB):

Figure 126: Log > Options — Configuring syslog-ng options

  • Message size: Specifies the maximum length of incoming log messages in bytes. This option corresponds to the log-msg-size() parameter of syslog-ng. The maximum value of this parameter is 1000000 (1 MB).

  • Wait time between polls: The time to wait in milliseconds before checking if new messages have arrived at a source. This option corresponds to the time-sleep() parameter of syslog-ng.

  • Idle time before destination is closed: The time to wait in seconds before an idle destination file is closed. This option corresponds to the time-reap() parameter of syslog-ng.

  • Cipher: Select the cipher method used to encrypt the logstore. The following cipher methods are available: aes-128-cbc, aes-128-cfb, aes-128-cfb1, aes-128-cfb8, aes-128-ecb, aes-128-ofb, aes-192-cbc, aes-192-cfb, aes-192-cfb1, aes-192-cfb8, aes-192-ecb, aes-192-ofb, aes-256-cbc, aes-256-cfb, aes-256-cfb1, aes-256-cfb8, aes-256-ecb, aes-256-ofb, aes128, aes192, aes256, bf, bf-cbc, bf-cfb, bf-ecb, bf-ofb, blowfish, cast, cast-cbc, cast5-cbc, cast5-cfb, cast5-ecb, cast5-ofb, des, des-cbc, des-cfb, des-cfb1, des-cfb8, des-ecb, des-ede, des-ede-cbc, des-ede-cfb, des-ede-ofb, des-ede3, des-ede3-cbc, des-ede3-cfb, des-ede3-ofb, des-ofb, des3, desx, desx-cbc, rc2, rc2-40-cbc, rc2-64-cbc, rc2-cbc, rc2-cfb, rc2-ecb, rc2-ofb, rc4, and rc4-40.

    By default, SSB uses the aes-256-cbc method.

  • Digest: Select the digest method to use. The following digest methods are available: MD2, MD4, MD5, SHA-0 (SHA), SHA-1, RIPEMD-160, SHA-224, SHA-256, SHA-384, and SHA-512.

    By default, SSB uses the SHA-256 method.

    Caution:

    The size of the digest hash must be equal to or larger than the key size of the cipher method. For example, to use the aes-256-cbc cipher method, the digest method must be at least SHA-256.

Timestamping configuration on SSB

To configure the timestamping options of SSB, navigate to Log > Options. The following options are available:

  • Timestamp server: Select the timestamping server to use for signing encrypted logspaces. To use the built-in timestamp server of SSB, select Local.

    To use an external timestamping server, select Remote and enter the address of the server into the Server URL field in the following format:

    http://<IP address>:<port number>/

    For example:

    http://10.50.50.50:8080/

    Note that currently only plain HTTP services are supported. Password-protected and HTTPS services are not supported.

    Caution:

    SSB currently supports only timestamping servers that use the Internet X.509 Public Key Infrastructure Time-Stamp Protocol (TSP) described in RFC 3161.

  • Timestamp policy OID: If the Timestamping Server has timestamping policies configured, enter the OID of the policy to use into the Timestamping policy field. SSB will include this ID in the timestamping requests sent to the TSA.

NOTE:

The timestamp requests are handled by a separate process in syslog-ng; message processing is not affected if the timestamping server is slow or cannot be accessed.
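To check that a remote server speaks RFC 3161 over plain HTTP and accepts the policy OID before entering it into SSB, the following added example (not code from SSB or syslog-ng) builds a minimal TimeStampReq and posts it. The fields SSB itself puts in its requests are not documented here, so the request layout (version 1, SHA-256 imprint, optional reqPolicy) and the function names are assumptions.

```python
import hashlib
import urllib.request

# DER AlgorithmIdentifier for SHA-256 (OID 2.16.840.1.101.3.4.2.1, NULL parameters).
SHA256_ALGID = bytes.fromhex("300d06096086480165030402010500")

def der(tag, body):
    """Encode one DER tag-length-value element."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(raw)]) + raw
    return bytes([tag]) + length + body

def der_oid(dotted):
    """Encode a dotted OID string such as a TSA policy OID."""
    arcs = [int(a) for a in dotted.split(".")]
    if len(arcs) < 2 or arcs[0] > 2 or (arcs[0] < 2 and arcs[1] > 39):
        raise ValueError("not a valid OID: " + dotted)
    body = b""
    for arc in [arcs[0] * 40 + arcs[1]] + arcs[2:]:
        chunk = [arc & 0x7F]              # base-128, least significant group first
        arc >>= 7
        while arc:
            chunk.append(0x80 | (arc & 0x7F))
            arc >>= 7
        body += bytes(reversed(chunk))
    return der(0x06, body)

def build_timestamp_request(data, policy_oid=None):
    """TimeStampReq: version 1, SHA-256 messageImprint, optional reqPolicy."""
    imprint = der(0x30, SHA256_ALGID + der(0x04, hashlib.sha256(data).digest()))
    body = der(0x02, b"\x01") + imprint
    if policy_oid:
        body += der_oid(policy_oid)       # the policy OID travels inside the request
    return der(0x30, body)

def query_tsa(url, request_der, timeout=5):
    """POST the request over plain HTTP; returns (Content-Type, reply bytes)."""
    req = urllib.request.Request(
        url, data=request_der,
        headers={"Content-Type": "application/timestamp-query"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.headers.get("Content-Type"), resp.read()
```

A compatible server answers `query_tsa("http://<IP address>:<port number>/", build_timestamp_request(b"test"))` with the content type `application/timestamp-reply`.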

Using name resolution on SSB

SSB can resolve the hostnames of the clients and include them in the log messages. However, the performance of SSB can be severely degraded if the domain name server is inaccessible or slow. Therefore, SSB automatically caches the results of name resolution. If you experience performance problems under high load, it is recommended to disable name resolution. If you must use name resolution, consider the following:

  • If the IP addresses of the clients change only rarely, set the expiry of the DNS cache to a large value. By default, SSB caches successful DNS lookups for an hour, and failed lookups for one minute. These parameters can be adjusted under Log > Options > Options > DNS Cache expiry and Failed DNS cache expiry.

    Figure 127: Log > Options > Options > DNS Cache expiry — Configuring DNS options

  • Resolve the hostnames locally. Resolving hostnames locally enables you to display hostnames in the log files for frequently used hosts, without having to rely on a DNS server. The known IP address – hostname pairs are stored locally in a file. In the log messages, syslog-ng will replace the IP addresses of known hosts with their hostnames. To configure local name resolution, select Log > Options > Name resolving, and enter the IP address – hostname pairs (for example 192.168.1.1 myhost.example.com) into the Persistent hostname list field. Then navigate to Log > Sources, and set the Use DNS option of your sources to Only from persistent configuration.

    Figure 128: Log > Options > Name resolving — Configuring persistent name resolution

Setting the certificates used in TLS-encrypted log transport

Purpose:

To set a custom certificate and a CA certificate for encrypting the transfer of log messages, complete the following steps.

NOTE:

If you do not upload a certificate to encrypt the TLS-communication (that is, the TLS certificate and TLS private key options are not set), SSB uses the certificate and CA certificate set for the web interface (set under Basic Settings > Management > SSL certificates) for this purpose as well.

One Identity recommends:

  • Using 2048-bit RSA keys (or stronger).

  • Using the SHA-256 hash algorithm (or stronger) when creating the public key fingerprint.

Steps:
  1. In your PKI system, generate and sign a certificate for SSB, then navigate to Log > Options > TLS settings.

  2. Click the icon in the TLS certificate field to upload the certificate.

    Figure 129: Log > Options > TLS settings — Configuring TLS settings for syslog-ng

    To upload a certificate from a file, click Browse in the Upload key section, select the certificate file, and click Upload. Alternatively, you can copy/paste the certificate into the Key field of the Copy-paste key section and click Upload.

    You can choose to upload a single certificate or a certificate chain (that is, intermediate certificates and the end-entity certificate).

    After uploading a certificate or certificate chain, you can review details by clicking the name of the certificate, and looking at the information displayed in the pop-up window that comes up.

    Figure 130: Log > Options > TLS settings — X.509 certificate details

    The pop-up window allows you to:

    • Download the certificate or certificate chain.

      NOTE:

      Certificate chains can only be downloaded in PEM format.

    • View and copy the certificate or certificate chain.

    • Check the names and the hierarchy of certificates (if it is a certificate chain and there is more than one certificate present).

      On hovering over a certificate name, the subject of the certificate is displayed, describing the entity certified.

    • Check the validity dates of the certificate or certificates making up the chain.

      On hovering over a particular date, the exact time of validity is also displayed.

    After uploading the certificate or certificate chain, the presence or absence of the string (chain) displayed after the name of the certificate will indicate whether the certificate is a certificate chain or a single certificate.

  3. Click the icon in the TLS private key field and upload the private key corresponding to the certificate.

  4. To set the certificate of the Certificate Authority (CA) used to verify the identity of the peers, click in the Certificate Authorities field, then click .

    Figure 131: Log > Options > TLS settings > Certificate Authorities — Uploading certificates

    To upload a certificate from a file, click Browse in the Upload key section, select the certificate file, and click Upload.

    Alternatively, you can copy/paste the certificate into the Key field of the Copy-paste key section and click Upload.

    Repeat this step to add more CA certificates if needed.

  5. If the CA issues a Certificate Revocation List (CRL), enter its URL into the CRL URL field. SSB periodically downloads the list and refuses certificates that appear on the list.

    NOTE:

    Note that only .pem format CRLs are accepted. CRLs that are in PKCS7 format (.crl) are not accepted.

  6. If you want to accept connections only from hosts using certain certificates signed by the CA, click in the Trusted distinguished names field and enter the distinguished name (DN) of the accepted certificates into the Distinguished name field. This option corresponds to the trusted-dn() parameter of syslog-ng.

    Example: *, O=Example Inc, ST=Some-State, C=* accepts only certificates issued for the Example Inc organization in Some-State state.

  7. If you want to accept connections only from hosts using certain certificates that have specific SHA-1 fingerprints, click in the Trusted fingerprints field and enter the SHA-1 fingerprint of the accepted certificates into the SHA-1 fingerprint field. This option corresponds to the trusted-keys() parameter of syslog-ng.

    Example: 00:EF:ED:A4:CE:00:D1:14:A4:AB:43:00:EF:00:91:85:FF:89:28:8F, 0C:42:00:3E:B2:60:36:64:00:E2:83:F0:80:46:AD:00:A8:9D:00:15 adds these specific SHA-1 fingerprints: 00:EF:ED:A4:CE:00:D1:14:A4:AB:43:00:EF:00:91:85:FF:89:28:8F and 0C:42:00:3E:B2:60:36:64:00:E2:83:F0:80:46:AD:00:A8:9D:00:15.

    NOTE:

    When using the trusted-keys() and trusted-dn() parameters at the same time, note the following:

    • If the fingerprint of the peer is listed in the trusted-keys() parameter and the DN of the peer is listed in the trusted-dn() parameter, then the certificate validation is performed.

    • If either the fingerprint of the peer is not listed in the trusted-keys() parameter or the DN of the peer is not listed in the trusted-dn() parameter, then the authentication of the peer fails and the connection is closed.
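The values for steps 6 and 7 can be prepared and sanity-checked offline. This added example (not code from SSB or syslog-ng) computes a certificate's SHA-1 fingerprint in the format of the Trusted fingerprints field, validates a comma-separated fingerprint list, and models the combined rule from the NOTE above. The function names, the glob-style DN matching via `fnmatchcase`, and the DN string layout are assumptions; the sample PEM is constructed and is not a real certificate.

```python
import base64
import hashlib
import re
from fnmatch import fnmatchcase

# Constructed sample: the payload is the three bytes "abc", not a real certificate.
SAMPLE_PEM = "-----BEGIN CERTIFICATE-----\nYWJj\n-----END CERTIFICATE-----\n"

def sha1_fingerprint(pem_text):
    """SHA-1 of the DER bytes of the first PEM certificate, as AA:BB:... text."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----",
                  pem_text, re.S)
    if not m:
        raise ValueError("no PEM certificate found")
    der = base64.b64decode("".join(m.group(1).split()))
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def parse_fingerprint_list(field):
    """Split the comma-separated field value and reject malformed entries."""
    entries = [e.strip().upper() for e in field.split(",") if e.strip()]
    for e in entries:
        # A SHA-1 fingerprint is exactly 20 colon-separated hex octets.
        if not re.fullmatch(r"[0-9A-F]{2}(:[0-9A-F]{2}){19}", e):
            raise ValueError("not a SHA-1 fingerprint: " + e)
    return entries

def peer_precheck(fingerprint, dn, trusted_keys, trusted_dns):
    """Both options set: both must match, otherwise the connection is closed."""
    key_ok = fingerprint.upper() in trusted_keys
    # Assumption: DN patterns are compared glob-style against the full DN string.
    dn_ok = any(fnmatchcase(dn, pattern) for pattern in trusted_dns)
    return "validate certificate" if key_ok and dn_ok else "close connection"
```

A peer that passes `peer_precheck` still goes through normal certificate validation; the check only decides whether validation is attempted at all.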
