syslog-ng Store Box 5.2.0 - Administration Guide

Contents:
  • Preface
  • Introduction
  • The concepts of SSB
  • The Welcome Wizard and the first login
  • Basic settings
  • User management and access control
  • Managing SSB
  • Configuring message sources
  • Storing messages on SSB
  • Forwarding messages from SSB
  • Log paths: routing and processing messages
  • Configuring syslog-ng options
  • Searching log messages
  • Searching the internal messages of SSB
  • Classifying messages with pattern databases
  • The SSB RPC API
  • Troubleshooting SSB
  • Security checklist for configuring SSB
  • About us
  • Third-party contributions

Preface

Welcome to the syslog-ng Store Box 5.2.0 Administrator Guide!

This document describes how to configure and manage the syslog-ng Store Box (SSB). Background information for the technology and concepts used by the product is also discussed.

About this document

This guide is a work-in-progress document with new versions appearing periodically.

The latest version of this document can be downloaded from the syslog-ng Store Box Documentation page.

Summary of changes

Version 5.1.0 - 5.2.0
Changes in product:
  • SSB now uses syslog-ng Premium Edition version 7.0. As a result, the following features have changed:
    • The Pair separator string option has been added to Log > Parsers. You can now define a character or string that separates the key-value pairs from each other. For details, see Parsing key-value pairs.
    • The SQL source has been removed from Log > Sources. In connection with this, the ssbSqlSourceAlert alert has been removed from Basic Settings > Alerting Monitoring.
    • The SNMP destination has been removed from Log > Destinations.
    • Reliable Log Transfer Protocol (RLTP) has been renamed to Advanced Log Transfer Protocol (ALTP). For details, see Advanced Log Transfer Protocol.

    This means the following:

    • When attempting to upgrade to version 5.2, if you are using SQL source or SNMP destination in your current SSB configuration, the upgrade process will fail. To remedy this issue, delete any SQL source or SNMP destination and retry the upgrade process.
    • When attempting to import a configuration that contains an SQL source or SNMP destination to a newly installed SSB, the import process will fail. To remedy this issue, start the machine that you exported the configuration from, delete any SQL source or SNMP destination, re-export the configuration and then retry the import process.
  • On the Log > Sources page, several options have been rearranged to make configuring log sources easier. For details, see Creating syslog message sources in SSB.
  • On the Log > Sources page, the Do not parse option has been added to the Incoming log protocol and message format section. This option completely disables syslog message parsing and stores the complete log in the message part. It is useful if incoming messages do not comply with the syslog format. For details, see Creating syslog message sources in SSB.
  • Because SSB now uses syslog-ng Premium Edition version 7.0, the Ignore ambiguous program field option has been removed from the Log > Sources page: syslog-ng PE now handles ambiguous program fields itself, for both the IETF and BSD syslog protocols. For details, see Creating syslog message sources in SSB.
  • From SSB version 5.2.0, SSB only supports SMB 2.1 or later. This change affects your servers and clients that you use for archive, backup and shared logspace purposes. Make sure that they support SMB 2.1 or later. Otherwise these features will not work. For details, see Creating an archive policy using SMB/CIFS, Creating a backup policy using SMB/CIFS, Sharing log files in domain mode, Sharing log files in standalone mode, Accessing shared files.
  • On the Basic Settings > Dashboard page, in the syslog-ng module, the following parameter names have changed to better represent their values:

    • destination_stored has been renamed to destination_queued.
    • source_stored has been renamed to source_queued.

    For details, see Status history and statistics.

  • The Firmware management menu has been removed from the console menu. For details, see Using the console menu of SSB.
  • The Validity information has been removed from Search > Peer Configuration Change. For details, see Configuration changes of syslog-ng peers.
  • The Peer configuration - Invalid configuration signature element has been removed from the reports.
Version 5 LTS - 5.1.0
Changes in product:
  • It is now possible to forward log messages from SSB to Hadoop Distributed File System (HDFS) servers, allowing you to store your log data on a distributed, scalable file system. This is especially useful if you have huge amounts of log messages that would be difficult to store otherwise, or if you want to process your messages using Hadoop tools. For more information, see Forwarding log messages to HDFS destinations.
Version 4 F9 - 5 LTS
Changes in product:
  • The procedures about rewriting incoming log messages have been updated. See Replace message parts or create new macros with rewrite rules and Find and replace the text of the log message.

  • Password policies set for local SSB users now apply to the admin and root users as well. For details, see Setting password policies for local users.

  • SSB now prevents brute force attacks when logging in. For more information, see Web interface and RPC API and The SSB RPC API.

  • The following default settings have changed:

    • Indexing is now enabled by default. For more information, see Creating logstores.

    • Required trusted is now the default setting for the Peer verification field.

    • Strong is now the default setting for setting the strength of the cipher suites. Also, the Default option has been renamed to Weak. For more information, see Creating syslog message sources in SSB.

    • By default, SSB uses the aes-256-cbc cipher method and the SHA-256 digest method.

    • Passwords are now required to be at least 12 characters long and to include lower case letters, upper case letters, numbers, and special characters.

    • The SNMP source and the SNMP v2c agent are now turned off by default.

    • All of the email and SNMP alerts are now enabled by default.

    • Flow-control is now enabled by default.

    • You can now search in indexed logspaces even if log traffic is disabled.

  • The Backup and Revert configuration items have been removed from the console menu.
Changes in documentation:

Introduction

This chapter introduces the syslog-ng Store Box (SSB), discussing how and why it is useful, and what benefits it offers to an existing IT infrastructure.
