
syslog-ng Store Box 5.0.4 - Release Notes

syslog-ng Store Box 5.0


Release Notes

May 2019

These release notes provide information about the syslog-ng Store Box release.

About this release

Welcome to syslog-ng Store Box. This document describes what is new in the latest version of syslog-ng Store Box (SSB).

Upgrade to the new release

This is a Long Term Supported or LTS release, which means that it will be supported for 3 years after the original publication date and for 1 year after the succeeding LTS Release is published (whichever date is later). It also means that if you are running a previous feature release, you have 2 months to upgrade to the latest LTS version if you want to keep running on a supported release.

For a full description on stable and feature releases, open the SSB product page on the Support Portal and navigate to Product Life Cycle & Policies > Product Support Policies > Software Product Support Lifecycle Policy.

Who should upgrade

We recommend that you upgrade to SSB 5 LTS if you are not running SSB on Pyramid hardware and any of the following is true:

  • You wish to take advantage of any of the new features.

  • You are running a previous feature release.

Caution:

Pyramid hardware is not supported

SSB 5 LTS is not supported on the following hardware: SSB N1000, SSB N1000d, SSB N5000, SSB N10000.

If you have SSB deployed on other, newer hardware, or you are running SSB 4 LTS, you are not affected in any way; the standard version policy applies. For details, open the SSB product page on the Support Portal and navigate to Product Life Cycle & Policies > Product Support Policies > Software Product Support Lifecycle Policy.

If you wish to take advantage of new features and remain supported beyond the end date of the Extended Support phase, you need to upgrade your hardware. For assistance with your hardware upgrade, contact our Sales Team. For further inquiries, contact our Support Team.

If you do not know the type of your hardware or when it was purchased, complete the following steps:

  1. Login to SSB.

  2. Navigate to Basic Settings > Troubleshooting > System debug, click Collect and save current system state info, and save the file.

  3. Open a ticket at https://support.oneidentity.com/create-service-request.

  4. Attach the file you saved from SSB.

  5. We will check the type of your hardware and notify you.

How to upgrade

For step-by-step instructions on upgrading to 5 LTS, see Upgrade Guide at the syslog-ng Store Box Documentation page.

New features

Renewed user interface

The user interface has received a facelift and now has a more modern look-and-feel.

Figure 1: Search > Logspaces — The log message search interface

Find and replace in the text of the log message

You can now perform search and replace operations on the incoming log messages. For details, see "Find and replace the text of the log message" in the Administration Guide.

Browser support

The following browsers are supported. Other browsers or older versions of these browsers are not supported.

Supported browsers:

Mozilla Firefox 52 ESR

We also test SSB on the following unsupported browsers: Internet Explorer 11, Microsoft Edge, and the currently available versions of Mozilla Firefox and Google Chrome. The features of SSB are available and usable on these browsers as well, but the look and feel might differ from the supported browsers.

Password policies

Password policies set for local SSB users now apply to the admin and root users as well. For details, see "Setting password policies for local users" in the Administration Guide.

The default password policy on newly installed SSB appliances does not accept simple passwords for the admin and root users. As you type, SSB shows the strength of the password under the password field. Enter a password that gets at least a "good" rating.

High availability licenses

SSB now strictly checks whether you have a High Availability (HA) license when running SSB in High Availability mode. You cannot upgrade to 5 LTS or later when using a single-node license in an HA environment. After upgrading to 5 LTS or later, an SSB node can be converted to HA only if a valid HA license is installed. You can check your license on the Support Portal.

To buy a valid HA license, contact your sales representative or contact our Sales Team.

On virtual SSB appliances, or if you have bought a physical SSB appliance without the high availability license option, the Basic Settings > High Availability menu item is not displayed anymore.

Other changes
  • The default value of the Log > Sources > Maximum connections option has been increased to 10000.

Virtualization

Deploying SSB on Microsoft Azure

You can now deploy SSB on Microsoft Azure using a bring-your-own license model.

Running SSB in Microsoft Azure brings you the obvious benefits of running an application in the cloud. The most notable of these is the ability to adapt to the capacity needs of your application. Azure Linux Virtual Machines provide on-demand, high-scale, secure, virtualized infrastructure. Microsoft Azure offers a range of SKU types suitable for different use cases, allowing you to pick various details of your instance(s) (for example, memory, CPU, storage).

For step-by-step instructions, see Deploying on Azure.

Deploying SSB on Amazon Web Services

You can now deploy SSB on Amazon Web Services (AWS) using a bring-your-own license.

Running SSB in AWS brings you the obvious benefits of running an application in the cloud. The most notable of these is the ability to dynamically adapt to the changing capacity needs of your application. AWS offers a range of instance types suitable for different use cases, allowing you to pick various details of your instance(s) (for example, memory, CPU, storage). Launching instances happens within a matter of minutes, and you only pay for what you use.

For details, see Deploying on Amazon Web Services.

New virtual appliance

The SSB Virtual Appliance is now officially supported on Microsoft Hyper-V. For details, see "syslog-ng Store Box Hyper-V Installation Guide" in the Installation Guide.

Increasing the virtual disk size of SSB under a virtual machine

Increasing the virtual disk size of SSB under a virtual machine is now much easier. You only have to power down the virtual machine, increase the disk size, and start the machine again.

For step-by-step instructions on the procedure, see "Increasing the virtual disk size of SSB under a virtual machine" in the Installation Guide.

Change in the use of the management interface in virtual environments

When deploying SSB in a virtual environment, it is sufficient to use only a single network interface. When only one network interface is defined, however, that interface will be the one used for management purposes.

Logspaces and multiple nodes

Remote logspaces

SSB can access and search logspaces (including filtered logspaces) on other SSB appliances. To configure SSB to access a logspace on another (remote) SSB, set up a remote logspace. Once configured, remote logspaces can be searched like any other logspace on SSB. You can also create filtered logspaces that are based on the remote logspace.

For details on creating remote logspaces, see "Creating remote logspaces" in the Administration Guide.

Filtered logspaces

Filtered logspaces allow you to create a smaller, filtered subset of the logs contained in an existing local or remote logspace. Assigning a user group to a filtered logspace enables fine-grained access control by creating a group that sees only a subset of the logs from a logspace. You can use the same search expressions and logic as on the Search interface to create a filtered logspace.

For details on creating filtered logspaces, see "Creating filtered logspaces" in the Administration Guide.

Multiple logspaces

If you have several SSBs located at different sites, you can view and search the logs of these machines from the same web interface without having to log on to several different interfaces.

Creating multiple logspaces can also be useful if you want to pre-filter log messages based on different aspects and then share these filtered logs only with certain user groups.

A multiple logspace aggregates the messages that arrive from its member logspaces. New log messages are appended to the list every second.

Once configured, multiple logspaces can be searched like any other logspace on SSB. You can also create filtered logspaces that are based on the multiple logspace.

For details on creating multiple logspaces, see "Creating multiple logspaces" in the Administration Guide.

Search and indexer improvements

Search interface improvements
  • An option to show the full log message in the list of search results has been added to Search > Logspaces > Customize columns.

  • You can now add dynamic columns to the list of log messages directly from the detailed view of a log message.

  • You can also view statistics directly from the detailed view of a log message.

  • Logspace view properties are now saved for each logspace (on the client side).

  • Usability improvements.

  • The Link and CSV buttons have been moved to a new area, an action bar under the overview section with the calendar bars.

  • The new action bar features an Alert button, which allows the creation of content-based alerts. For more information on such alerts, see Content-based alerting.

  • When any user action results in an error condition, the action bar displays an error or warning notification.

    For further details, see "Using the search interface" in the Administration Guide.

Indexer improvements
  • The number of indexed logs in a logspace can now exceed 4294967296 (2^32) per day.

  • The shortest timeframe for searching and creating statistics has been vastly improved: you can now search with one-second precision (previously, one minute).

  • The string 'NOT' can now be used as the first keyword in search expressions.

  • The indexer service of SSB now has increased performance and requires less memory than in earlier releases.

Message handling, parsing, alerting

Reliable Log Transfer Protocol

The SSB application can receive log messages reliably over the TCP transport layer using the Reliable Log Transfer Protocol (RLTP). RLTP is a proprietary transport protocol that prevents message loss during connection breaks. The transport is used between syslog-ng Premium Edition hosts and SSB (for example, a client and SSB, or a client-relay-SSB chain), and interoperates with the flow-control and reliable disk-buffer mechanisms of syslog-ng Premium Edition, thus providing the best way to prevent message loss. The sender detects which messages the receiver has successfully received. If messages are lost during the transfer, the sender resends the missing messages, starting from the last successfully received message. Therefore, messages are not duplicated at the receiving end in case of a connection break (however, in failover mode this is not completely ensured). RLTP also supports encrypted connections.

For details on configuring SSB to receive messages using RLTP, see "Creating syslog message sources in SSB" in the Administration Guide.
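As an added illustration (not part of the release notes, and not RLTP's actual wire format, which is proprietary), the following Python model shows the acknowledgement and resend behaviour described above: the receiver acknowledges the highest contiguous sequence number it holds, and after a connection break the sender resumes from that point, so a message lost in transit is re-sent while a message whose acknowledgement was lost is not delivered twice. The message list, the fault schedule and the reconnect handshake (modelled as a direct query of the receiver's state) are all constructed for this demo.

```python
"""Simplified model of acknowledgement-based reliable transfer.
Added example: not RLTP's real protocol or syslog-ng PE code."""

# Constructed sample messages; the sender assigns 1-based sequence numbers.
MESSAGES = ["msg-%d" % i for i in range(1, 9)]

# Constructed fault schedule: which send attempt breaks the link, and how.
#   "lost":     the link breaks before the message reaches the receiver
#   "ack_lost": the receiver stores the message but the acknowledgement never returns
FAULTS = {3: "lost", 6: "ack_lost"}


class Receiver:
    def __init__(self):
        self.store = []       # payloads in delivery order
        self.last_seq = 0     # highest contiguous sequence number stored

    def deliver(self, seq, payload):
        # Accept only the next expected message; anything else is a duplicate or a gap.
        if seq == self.last_seq + 1:
            self.store.append(payload)
            self.last_seq = seq
        return self.last_seq  # acknowledgement: "I have everything up to here"


class FlakyLink:
    def __init__(self, faults):
        self.faults = dict(faults)
        self.attempts = 0

    def send(self, receiver, seq, payload):
        self.attempts += 1
        fault = self.faults.pop(self.attempts, None)
        if fault == "lost":
            raise ConnectionError("link broke before delivery of seq %d" % seq)
        ack = receiver.deliver(seq, payload)
        if fault == "ack_lost":
            raise ConnectionError("link broke after delivery of seq %d" % seq)
        return ack


class Sender:
    def __init__(self, payloads):
        self.queue = list(enumerate(payloads, start=1))  # (seq, payload)
        self.acked = 0        # sequence number of the last acknowledged message
        self.reconnects = 0

    def run(self, link, receiver):
        while self.acked < len(self.queue):
            try:
                for seq, payload in self.queue[self.acked:]:
                    self.acked = link.send(receiver, seq, payload)
            except ConnectionError:
                # Reconnect handshake (modelled as a direct query): resume right after
                # the last message the receiver actually holds, so nothing that already
                # arrived is re-sent and nothing that was lost is skipped.
                self.reconnects += 1
                self.acked = receiver.last_seq
        return self.acked


def transfer(payloads=MESSAGES, faults=FAULTS):
    """Run one transfer and report what arrived and how much work it took."""
    receiver, link, sender = Receiver(), FlakyLink(faults), Sender(payloads)
    sender.run(link, receiver)
    return {"delivered": receiver.store,
            "attempts": link.attempts,
            "reconnects": sender.reconnects}


if __name__ == "__main__":
    print(transfer())  # 8 messages delivered once each, 9 send attempts, 2 reconnects
```

With the constructed schedule, attempt 3 loses msg-3 (re-sent after the first reconnect) and attempt 6 delivers msg-5 but loses its acknowledgement (not re-sent after the second reconnect, because the receiver already reports it), which is the no-duplication property the paragraph describes.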

Parsing key-value pairs

SSB can separate a message consisting of whitespace or comma-separated key-value pairs (for example, firewall logs, Postfix log messages) into name-value pairs. You can specify the separator character to parse different log messages, for example, colon (:) to parse MySQL log messages, or the equal sign (=) for firewall logs. For details, see "Parsing key-value pairs" in the Administration Guide.

Parsing sudo log messages

SSB separates sudo log messages into name-value pairs. The sudo parser enables you to enrich your log message data with details of privilege escalation events, such as who initiated the event, what command was issued, and so on. Metadata generated from the parsed values is searchable and can be used in statistics and custom reports.

For further information, see "Parsing sudo log messages" in the Administration Guide.
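The two parsers described above (key-value pairs and sudo messages), as an added Python example that is not SSB's own implementation: parse_key_values splits a message on a configurable pair separator (whitespace and commas by default) and a configurable key/value separator ('=' or ':'), honouring quoted values, and parse_sudo reuses it for the `TTY=... ; PWD=... ; USER=... ; COMMAND=...` part of a standard sudo syslog line. The sample firewall, colon-separated and sudo lines are constructed; the output field names (tty, pwd, target_user, command, message) are this example's choice, not SSB's.

```python
import re


def _split_outside_quotes(text, separators):
    """Split `text` on any character in `separators` that is not inside single or
    double quotes, dropping empty pieces. Used both for the pair separator of generic
    key-value messages and for the ';' separator of sudo messages."""
    parts, buf, quote = [], [], None
    for ch in text:
        if quote:                      # inside a quoted value: copy everything
            buf.append(ch)
            if ch == quote:
                quote = None
        elif ch in "\"'":
            quote = ch
            buf.append(ch)
        elif ch in separators:
            parts.append("".join(buf))
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf))
    return [p.strip() for p in parts if p.strip()]


def parse_key_values(message, value_separator="=", pair_separators=" ,"):
    """Turn `key<sep>value` tokens into a dict.

    value_separator: character between a key and its value ('=' for firewall-style
                     logs, ':' for colon-separated logs).
    pair_separators: characters that separate pairs (whitespace and commas by default).
    Tokens without a value separator (free text) are ignored; quotes around a value
    are removed."""
    pairs = {}
    for token in _split_outside_quotes(message, pair_separators):
        if value_separator not in token:
            continue
        key, value = token.split(value_separator, 1)
        key, value = key.strip(), value.strip()
        if len(value) >= 2 and value[0] == value[-1] and value[0] in "\"'":
            value = value[1:-1]
        if key:
            pairs[key] = value
    return pairs


# sudo's default syslog record:
# "<invoking user> : [<status text> ; ]TTY=... ; PWD=... ; USER=... ; COMMAND=..."
_SUDO_RE = re.compile(r"sudo(?:\[\d+\])?:\s+(?P<user>\S+)\s+:\s+(?P<rest>.*)$")
_SUDO_FIELDS = {"TTY": "tty", "PWD": "pwd", "USER": "target_user", "COMMAND": "command"}


def parse_sudo(line):
    """Return the privilege-escalation details of a sudo log line, or None if the
    line is not a sudo command record (e.g. a pam_unix session message)."""
    match = _SUDO_RE.search(line)
    if not match:
        return None
    rest = match.group("rest")
    fields = {"user": match.group("user")}
    # Free-text segments such as "3 incorrect password attempts" carry the outcome.
    fields["message"] = " ; ".join(
        seg for seg in _split_outside_quotes(rest, ";") if "=" not in seg)
    for key, value in parse_key_values(rest, "=", ";").items():
        fields[_SUDO_FIELDS.get(key, key.lower())] = value
    return fields


# Constructed sample lines (not taken from any real system).
FIREWALL_LINE = ('id=fw1 sn=0017C5 time="2019-05-01 10:00:00" fw=10.0.0.1 pri=5 '
                 'msg="Connection dropped" src=192.0.2.10:51000 dst=198.51.100.7:443')
COLON_LINE = "user: 'app', host: '10.0.0.5', db: inventory"
SUDO_LINES = [
    "May  1 10:00:00 ssb-client sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; "
    "USER=root ; COMMAND=/usr/bin/systemctl restart syslog-ng",
    "May  1 10:05:12 ssb-client sudo:    bob : 3 incorrect password attempts ; "
    "TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
    "May  1 10:05:13 ssb-client sudo: pam_unix(sudo:session): session closed for user root",
]

if __name__ == "__main__":
    print(parse_key_values(FIREWALL_LINE))
    print(parse_key_values(COLON_LINE, value_separator=":", pair_separators=","))
    for line in SUDO_LINES:
        print(parse_sudo(line))
```

Note that the quoted firewall value `time="2019-05-01 10:00:00"` survives intact even though it contains the pair separator, and that the sudo COMMAND value keeps its spaces because ';' is the only pair separator used for that format.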

Content-based alerting

SSB can create content-based alerts about log messages based on specific search expressions. Search queries are run every few seconds and an alert is triggered whenever a match between the contents of a log message and a search expression is found. Alerts are collected and sent to a pre-defined email address (or email addresses).

Some log messages might have particular significance for users and therefore getting notifications about those can often be more efficient than searching for them manually.

For more detailed information about content-based alerting, see "Creating content-based alerts" in the Administration Guide.
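An added example (not SSB code) of how content-based alerting works in principle: a small poller that runs each rule's search expression over only the messages that arrived since the previous poll and collects matches per recipient address, so one digest per address can be sent. The expression syntax used here is a constructed simplification (space-separated terms that must all occur, a term preceded by NOT excluded, whole-word and case-insensitive matching), not SSB's search language; the log lines, rule names and email addresses are constructed placeholders too.

```python
import re
from collections import defaultdict


def compile_expression(expression):
    """Constructed mini search syntax: space-separated terms that must all occur;
    'NOT term' (also allowed as the first keyword) excludes a term."""
    tokens = expression.split()
    required, excluded = [], []
    i = 0
    while i < len(tokens):
        if tokens[i].upper() == "NOT" and i + 1 < len(tokens):
            excluded.append(tokens[i + 1])
            i += 2
        else:
            required.append(tokens[i])
            i += 1
    return required, excluded


def _has_term(term, message):
    # Whole-term, case-insensitive match. (?<!\w)/(?!\w) instead of \b so that terms
    # such as "USER=root" are still matched as a unit.
    pattern = r"(?<!\w)" + re.escape(term) + r"(?!\w)"
    return re.search(pattern, message, re.IGNORECASE) is not None


class AlertRule:
    def __init__(self, name, expression, email):
        self.name, self.email = name, email
        self.required, self.excluded = compile_expression(expression)

    def matches(self, message):
        return (all(_has_term(t, message) for t in self.required)
                and not any(_has_term(t, message) for t in self.excluded))


class ContentAlerter:
    """Polls a growing log buffer. Each poll evaluates every rule against only the
    messages that arrived since the previous poll and collects matches per
    recipient until flush() builds the digests that would be emailed."""

    def __init__(self, rules):
        self.rules = rules
        self.cursor = 0                     # index of the first unprocessed message
        self.pending = defaultdict(list)    # email -> [(rule name, message), ...]

    def poll(self, log_buffer):
        new_messages = log_buffer[self.cursor:]
        self.cursor = len(log_buffer)
        hits = 0
        for message in new_messages:
            for rule in self.rules:
                if rule.matches(message):
                    self.pending[rule.email].append((rule.name, message))
                    hits += 1
        return hits

    def flush(self):
        """One digest (list of lines) per address; clears the pending alerts."""
        digests = {email: ["[%s] %s" % (name, msg) for name, msg in items]
                   for email, items in self.pending.items()}
        self.pending.clear()
        return digests


# Constructed rules and log lines.
RULES = [
    AlertRule("ssh-bruteforce", "sshd Failed password", "soc@example.com"),
    AlertRule("ssh-root-login", "sshd root NOT invalid", "soc@example.com"),
    AlertRule("root-shell", "sudo USER=root NOT systemctl", "admins@example.com"),
]
LOG_BUFFER = [
    "sshd[1201]: Failed password for invalid user admin from 203.0.113.5 port 40122 ssh2",
    "sshd[1201]: Accepted publickey for alice from 10.0.0.8 port 50111 ssh2",
    "sudo: bob : TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash",
    "kernel: usb 1-1: new high-speed USB device number 4",
    "sshd[1305]: Failed password for root from 203.0.113.5 port 40130 ssh2",
]


def demo():
    """Three polls: initial backlog, nothing new, then one excluded message."""
    buffer = list(LOG_BUFFER)
    alerter = ContentAlerter(RULES)
    first = alerter.poll(buffer)      # 4 matches across the three rules
    digests = alerter.flush()
    second = alerter.poll(buffer)     # 0: the cursor skips already-seen messages
    buffer.append("sudo: carol : TTY=pts/2 ; PWD=/root ; USER=root ; "
                  "COMMAND=/usr/bin/systemctl status syslog-ng")
    third = alerter.poll(buffer)      # 0: excluded by "NOT systemctl"
    return first, second, third, digests


if __name__ == "__main__":
    print(demo())
```

The cursor is what keeps a periodic query from re-alerting on the same message at every run; the flush-per-address step is where the page's "collected and sent to a pre-defined email address" happens.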

Accessing SSB

Certificate chain support for web user interface and RPC API

SSB now supports certificate chains, that is, web server certificates that contain intermediate certificates in addition to the end-user subscriber or server certificate. Previously, at the start of an SSL or TLS session, SSB only presented the server certificate to the client machine. From version 5 LTS onwards, you can choose to upload a certificate chain, and SSB will send the client machine both the server certificate and any additional intermediate certificates.

For details, see "Configuring SSB with the Welcome Wizard" in the Administration Guide, "Uploading external certificates to SSB" in the Administration Guide, and "Setting the certificates used in TLS-encrypted log transport" in the Administration Guide.

HTTP Strict Transport Security (HSTS) support when switching to a self-signed certificate or when CA-signed certificate expires for SSB's web interface

If you have successfully accessed the SSB web interface using HTTPS at least once, your browser will remember this and force you to access SSB using HTTPS. This can cause issues when you switch to a self-signed certificate from a trusted CA-signed certificate, or when the SSL certificate of the web interface expires.

The resolution to this issue is to remove HSTS settings from the browser or to upload a new certificate using a different browser on a different machine.

For further information, see "Supported web browsers" in the Administration Guide.

Hardware and operating system

10Gbit interface support

SSB now supports a 10Gbit network interface for receiving log messages. You can use the 10Gbit interface instead of, or together with, the regular 1Gbit external (LAN 1) interface. That way, you can use SSB without any additional changes even if your network devices support only 10Gbit and you must connect SSB to a 10Gbit-only network.

For details, see "Network interfaces" in the Administration Guide.

Operating system upgrade

In this release, we have upgraded the operating system underlying the SSB appliance. The upgrade brings you a more recent, and thus more secure, version of the operating system with a longer support lifetime.

Pyramid hardware is not supported

SSB 5 LTS is not supported on the following hardware: SSB N1000, SSB N1000d, SSB N5000, SSB N10000. For the consequences and the steps to take, see the caution under "Who should upgrade" above.

Security-related changes

Changes in SNMP v3 trap settings

The MD5 authentication method and the DES encryption method are no longer available as SNMP trap settings when configuring SSB to:

  • Send alerts to a central monitoring server via SNMP v3.

  • Forward log messages to an SNMP destination using the SNMP v3 protocol.

Support for these has been removed due to concerns over the level of security provided by such methods.

For details, see "Configuring SNMP alerts" in the Administration Guide, and "Forwarding log messages to SNMP destinations" in the Administration Guide.

Note that when upgrading your SSB to version 4 F8, your SNMP trap MD5 (authentication method) settings will be automatically set to SHA1, while your SNMP trap DES (encryption method) settings will be automatically set to AES. For more information, see "Prerequisites and Notes" in the Upgrade Guide.

Note that these automatic changes may require you to reset the relevant configuration options at your end, following an upgrade to SSB 4 F8 or later.

SHA-256 replaces MD5 when creating key fingerprints

When calculating the fingerprint of private keys, the SHA-256 algorithm replaces the previously used MD5 hash function. The web user interface of SSB now displays the used hash function next to the fingerprint of a key. Look at the following example:
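The release notes' own screenshot of the fingerprint display is not reproduced here. As an added Python example (not SSB code), the following derives both the legacy MD5 fingerprint and the SHA-256 fingerprint of the same key, following OpenSSH's conventions (the hash is computed over the public key's wire encoding; MD5 is shown as colon-separated hex and SHA-256 as unpadded base64, each prefixed with the hash name); that SSB formats them the same way is an assumption. The keys are constructed all-zero and all-one ed25519 public keys, so only the encoding is meaningful. The practical point is that the two fingerprints of one key are unrelated values, so a fingerprint recorded before the upgrade has to be re-derived with SHA-256 rather than compared directly with what the new interface shows.

```python
import base64
import hashlib


def ssh_string(data):
    """SSH wire encoding of a byte string: 4-byte big-endian length, then the bytes."""
    return len(data).to_bytes(4, "big") + data


def public_key_blob(key_line):
    """Extract the base64-decoded key blob from an OpenSSH public key line
    ("<type> <base64 blob> [comment]"). Fingerprints are computed over this blob."""
    parts = key_line.split()
    if len(parts) < 2:
        raise ValueError("not an OpenSSH public key line")
    return base64.b64decode(parts[1])


def fingerprint_md5(blob):
    # Legacy form: the 16 MD5 bytes as colon-separated lower-case hex.
    return "MD5:" + ":".join("%02x" % b for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob):
    # Current form: the 32 SHA-256 bytes as base64 without the trailing '=' padding.
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def fingerprints(key_line):
    """Both fingerprints of one key, each labelled with the hash function used."""
    blob = public_key_blob(key_line)
    return {"sha256": fingerprint_sha256(blob), "md5": fingerprint_md5(blob)}


def make_key_line(raw_public_key, comment="demo@example"):
    """Build an OpenSSH ed25519 public key line from 32 raw key bytes (constructed input)."""
    blob = ssh_string(b"ssh-ed25519") + ssh_string(raw_public_key)
    return "ssh-ed25519 %s %s" % (base64.b64encode(blob).decode(), comment)


# Constructed keys: not real key material, just valid encodings.
SAMPLE_KEY_LINE = make_key_line(bytes(32))
OTHER_KEY_LINE = make_key_line(bytes([1]) * 32)

if __name__ == "__main__":
    for label, line in (("sample", SAMPLE_KEY_LINE), ("other", OTHER_KEY_LINE)):
        print(label, fingerprints(line))
```

To compare against a fingerprint shown by a tool, check the hash-name prefix first; an "MD5:" value and a "SHA256:" value for the same key never agree, and only a fingerprint computed with the same hash function is evidence of the same key.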

Monitoring SSB

Changes in the prevention of disk space fill-up

The default value and the possible values of the Basic Settings > Management > Disk space fill up prevention > "Disconnect clients when disks are" option have changed.

The default value has changed from 0 to 90, meaning that disk space fill-up prevention is now turned on by default.

Another change concerns the value 100. Starting from version 4 F8, you can only set values between 1 and 99. This means that if you had 100 specified before the upgrade, it is changed to 99 following the upgrade.

For more information, see "Prerequisites and Notes" in the Upgrade Guide.

Changes in SNMP high disk utilization trap

The SNMP trap that is related to maximum disk utilization has changed. For details on how the changes might affect you, see "Prerequisites and Notes" in the Upgrade Guide.

General improvements and changes

  • The Log > Sources > Do not parse messages option has been renamed to Do not parse.

  • SSB now uses a bind user to query information from LDAP.

  • In SSB version 4 F5 and later, you cannot manually change the speed of network interfaces.

  • The Anonymous login option has been removed from SMB/CIFS Archive and Backup policies. To continue to use anonymous login, enter anonymous as username, and leave the Password field empty. (If you had the Anonymous login option enabled, this change is automatic.)

New guides

To improve how information is organized in the documentation set and make it easier for users to find information relevant to their roles, two new guides have been added: a User Guide and an Installation Guide. The contents of both guides were previously included in the syslog-ng Store Box Administration Guide.

For further details on the user guide, see User Guide.

For more information on the installation guide, see Installation Guide.

Resolved issues

The following is a list of issues addressed in this release.

Table 1: Resolved issues in version 5.0.4 (Issue ID: Resolved Issue)

SSB-2943: Security package updates
apt, avahi, bind9, cups, curl, file, libgd2, linux, lxml, mysql-5.7, nss, openjdk-8, openssh, openssl, perl, php7.0, python3.5, samba, systemd, tiff, wget

SSB-2919: syslog-ng crashes during configuration reload when using SQL sources
When using SQL sources, the syslog-ng application could crash during configuration reload when reverting to the old configuration. This has been corrected.

SSB-2918: The indexer process crashes when accessing the archive share
Under special circumstances, the indexer process could crash during shutdown when accessing data on the archive share. This has been corrected.

SSB-2907: Memory leak when using several Oracle SQL sources
syslog-ng could leak memory if several Oracle SQL sources were configured. This has been corrected.

SSB-2862: syslog-ng crashes when using MSSQL source
On machines under high load, syslog-ng could crash when using MSSQL log sources. This has been corrected.

SSB-2859: SQL-related crash due to an invalid pointer
In some cases, the SQL library used by syslog-ng SQL sources and destinations crashed with an error message similar to the following:

Error in `/opt/syslog-ng/sbin/syslog-ng': munmap_chunk(): invalid pointer: 0x00007fa27a78fe30

This has been corrected by upgrading the SQL library to a newer version.

SSB-2681: Fatal error in the logs during archiving
In some cases, archiving log messages to the remote server failed with the following log message:

ssb/archive[25701]: PHP Fatal error: Call to undefined function closeArchiveHandle() in /opt/ssb/lib/ModuleArchive.php on line 102

This has been corrected.

SSB-2675: Report generation stuck
In some cases, generating a report reached a memory limit, which prevented SSB from generating new reports. When this happened, the following error message appeared in the logs:

ssb/reporting[19371]: PHP Fatal error: Allowed memory size of 201326592 bytes exhausted (tried to allocate 57100040 bytes) in /usr/share/php/Mail/mimePart.php on line 511

This has been corrected: the maximum number of pages in a chapter is now limited to 1000.
Table 2: Resolved issues in version 5.0.3 (Issue ID: Resolved Issue)

SSB-2777: Memory consumption issues in syslog-ng
The automatic sizing of syslog-ng output buffers has been improved, resulting in decreased memory consumption in certain cases.

SSB-2763: Handling of corrupt logstore indexes
When reading certain corrupted index files, syslog-ng entered an infinite loop. These invalid records are now skipped.

SSB-2768: Reloading syslog-ng could trigger a crash
A regression in SSB 5.0.2 could cause a syslog-ng crash when it was reloaded by SSB. This has been fixed.

SSB-2767: When resources are exhausted, syslog-ng crashes
If certain SSB resource limits were reached, syslog-ng crashed. This has been fixed.

SSB-2748: Searching logs is not possible
In certain cases, the indexer process of a logspace could crash, making indexing and search functionality unavailable. This has been fixed.
Table 3: Resolved security issues in version 5.0.3 (Issue ID: Resolved Issue)

SSB-2815: Security package updates
bind9, cups, curl, glib2.0, gnupg, libgcrypt20, libgd2, libmspack, libxml2, linux, mysql-5.7, net-snmp, ntp, openjdk-8, openssh, openssl, perl, php7.0, postgresql-9.5, pyopenssl, python-crypto, python2.7, python3.5, samba, systemd
Table 4: General resolved issues (Issue ID: Resolved Issue)

SSB-2717: Lockup of various system services
Due to a possible deadlock in the statistics processing engine when dealing with large amounts of syslog-ng statistics, various components of the system (report generation, message rate alerting) could lock up. This has been fixed.

SSB-2677: Configuration import from system backup fails
When importing a configuration saved by the system backup, SSB gave an "Invalid configuration backup version" error message, and the import failed. Such configuration files can now be imported successfully.

SSB-2673: Reboot countdown cannot be interrupted in case of a failed upgrade
When an upgrade step fails during boot, a rollback to the previous version is triggered and a reboot counter starts, which can be interrupted by a console login. Such a login might be necessary to examine the cause of the failed upgrade.

A regression prevented the counter from being stopped, so the system rebooted even when a user logged in on the console. This has been fixed.

SSB-2667: Hostnames from persistent hostname list are used even when DNS is off
Even with the "Use DNS" property of a source set to "No", addresses in the persistent hostname list were being resolved, effectively turning this setting into "Only from persistent configuration". This has been fixed.

SSB-2657: Reboot loop after a forced system restart
Applications could leave behind certain lock files when forcefully terminated. In rare cases, this could trigger a continuous reboot loop of the system after a restart. This has been fixed.

SSB-2649: Reduced set of response headers over HTTP: various HTTP security headers missing on port 80
SSB uses HTTPS for its user interface, with connection attempts over HTTP being redirected. The response headers needed to secure the application were being sent only over port 443 (HTTPS), since there is no meaningful communication over port 80 (HTTP), only the initial redirection.

However, some security scanners reported these headers to be missing on port 80. Now these headers are sent both over HTTP and HTTPS.

SSB-2631: Timestamping Authority (TSA) Distinguished Name (DN) not set by built-in timestamping server
SSB, by default, uses its own built-in Timestamping Authority (TSA) to timestamp logstores. The TSA server did not set the Distinguished Name (DN) field of the timestamp, which caused a problem when manually verifying logstores. Now the DN field is correctly filled out.

SSB-2575: Spurious alert when a user with expired password logs in
The password change page triggered an xcbError type alert by the System Monitor when the user's password had expired. This has been fixed.

SSB-2488: Curly braces not allowed in custom filter
The input validation of the custom filter field did not allow curly braces to be used, although they might be necessary to enter certain expressions. This has been fixed.

SSB-2378: Spurious alert when committing without a configuration change
When committing the configuration on the UI, an xcbConfigChange alert was sent out (if the alert type was enabled), even if no change had been made to the configuration. Now such alerts are only sent when an actual change has been made.
Table 5: Resolved security issues (Issue ID: Resolved Issue)

SSB-2736: Security package updates