
syslog-ng Store Box 5.0.3 - Administration Guide


Searching for rulesets

To display the rules of a ruleset, enter the name of the ruleset into the Search > Ruleset name field, and click Show. If you do not know the name of the ruleset, type the beginning letter(s) of the name, and the names of the matching rulesets will be displayed. If you are looking for a specific rule, enter a search term into the Program or Message field and select Search. The rulesets that contain matching rules will be displayed.

NOTE:

Rulesets containing a large number of rules may not display correctly.

Figure 164: Log > Pattern Database > Search > Ruleset name — Searching rules

Creating new rulesets and rules

Purpose:

To create a new ruleset and new rules, complete the following steps:

Steps:
  1. Select Log > Pattern Database > Create new ruleset.

    TIP:

    If you search for a ruleset that does not exist, SSB offers to create a new ruleset with the name you were searching for.

  2. Enter a name for the ruleset into the Name field.

    Figure 165: Log > Pattern Database > Create new ruleset — Creating pattern database rulesets

  3. Enter the name of the application or a pattern that matches the applications into the Program pattern field. For details, see Using pattern parsers.

  4. Optionally, add a description to the ruleset.

  5. Add rules to the ruleset.

    1. Click in the Rules section.

    2. Enter the beginning of the log message or a pattern that matches the log message into the Pattern field. For details, see Using pattern parsers. Note that only messages sent by applications matching the Program pattern will be affected by this pattern.

    3. Select the type of the message from the Class field. This class will be assigned to messages matching the pattern of this rule. The following classes are available: Violation, Security, and System.

      If alerting is enabled at Log > Options > Alerting, SSB automatically sends an alert if a message is classified as Violation.

    4. Optionally, you can add a description, custom tags, and name-value pairs to the rule. Note that the values of name-value pairs can contain macros in the ${macroname} format. For details on pattern databases and macros, see The syslog-ng Premium Edition Administrator Guide.

  6. Repeat the previous step to add more rules.

  7. Click Commit.
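To make the rule mechanics concrete, the following is an added Python example, not code from SSB or from the guide: it models a ruleset as built in the steps above (a Program pattern, rule patterns, a class of Violation, Security or System, tags, and name-value pairs that reference parsed fields as ${macroname}) and applies it to sample messages. It implements only a small subset of the syslog-ng pattern parsers (@STRING@, @NUMBER@, @IPv4@, @ESTRING@, @ANYSTRING@) as a simplified matcher, not the real syslog-ng engine; the sshd ruleset and log messages are constructed for the example.

```python
import re

# Regex equivalents for the subset of syslog-ng pattern parsers used here;
# @ESTRING:name:delim@ is handled separately because it needs its delimiter.
PARSERS = {"STRING": r"\S+", "NUMBER": r"\d+", "ANYSTRING": r".*",
           "IPv4": r"(?:\d{1,3}\.){3}\d{1,3}"}

def compile_pattern(pattern):
    """Translate '@PARSER:name[:arg]@' placeholders and literal text into a regex."""
    out, pos = [], 0
    for m in re.finditer(r"@(\w+)(?::([^:@]*))?(?::([^@]*))?@", pattern):
        out.append(re.escape(pattern[pos:m.start()]))
        kind, name, arg = m.groups()
        if kind == "ESTRING":       # value runs up to the delimiter, which is consumed
            out.append(rf"(?P<{name}>.*?){re.escape(arg)}")
        else:
            out.append(rf"(?P<{name}>{PARSERS[kind]})" if name else PARSERS[kind])
        pos = m.end()
    out.append(re.escape(pattern[pos:]))
    return re.compile("".join(out))

def classify(ruleset, program, message):
    """Apply one ruleset to a message; None when the program or no rule matches."""
    if not compile_pattern(ruleset["program"]).fullmatch(program):
        return None
    for rule in ruleset["rules"]:
        m = compile_pattern(rule["pattern"]).match(message)  # anchored at the message start
        if m is None:
            continue
        fields = m.groupdict()
        # name-value pairs may reference parsed fields as ${macroname}
        expand = lambda s: re.sub(r"\$\{(\w+)\}", lambda x: fields.get(x.group(1), x.group(0)), s)
        return {"class": rule["class"], "tags": rule.get("tags", []), "fields": fields,
                "values": {k: expand(v) for k, v in rule.get("values", {}).items()},
                "alert": rule["class"] == "Violation"}  # SSB alerts on Violation when alerting is on
    return None

# Constructed sample ruleset (not from the guide or the product).
SSHD_RULESET = {
    "name": "sshd", "program": "sshd",
    "rules": [
        {"pattern": "Failed password for @STRING:user@ from @IPv4:src@ port @NUMBER:port@",
         "class": "Violation", "tags": ["auth.failure"],
         "values": {"summary": "failed login for ${user} from ${src}"}},
        {"pattern": "Accepted publickey for @STRING:user@ from @IPv4:src@",
         "class": "Security", "tags": ["auth.success"]},
    ],
}
```

Calling `classify(SSHD_RULESET, "sshd", "Failed password for root from 203.0.113.7 port 4422 ssh2")` returns the Violation class with the parsed fields and the expanded summary, while the same message from a program other than sshd returns None because the Program pattern does not match.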

Exporting databases and rulesets

To export the entire pattern database, navigate to Log > Pattern Database and select Export.

To export a ruleset, enter the name of the ruleset into the Search > Ruleset name field, click Show, and select Export ruleset. If you do not know the name of the ruleset, enter a search term into the Program or Message field and select Search. The rulesets that contain matching rules will be displayed.

Importing pattern databases

You can upload official databases distributed by One Identity or pattern databases that you have exported from SSB. To import a ruleset, navigate to Log > Pattern Database and select Browse. Then locate the database file to upload, and click Upload.

NOTE:

Imported rules are effective immediately after the upload is finished.

If you have modified a rule that was originally part of an official database, then the update will not modify this rule.
