Welcome to the syslog-ng Store Box 5.3.0 Administrator Guide!
This document describes how to configure and manage the syslog-ng Store Box (SSB). Background information for the technology and concepts used by the product is also discussed.
This guide is a work-in-progress document with new versions appearing periodically.
The latest version of this document can be downloaded from the syslog-ng Store Box Documentation page.
The security settings and ciphers supported when accessing the SSB web interface and RPC API have been updated. For details, see Web interface and RPC API settings.
Starting with version 5.3, SSB can be updated using a single firmware file instead of having to upload the core and boot firmware separately. Maintenance releases of the 5.3 line will already use this mechanism, and will be released as an ISO file. For details, see Upgrading SSB. Note that upgrading to SSB 5.3 still requires two separate firmware files.
Unsupported protocol: The sslv3 protocol is unsupported. Make sure that your clients support a newer protocol (at least tlsv1.0), otherwise SSB will not be able to receive log messages from them.
Unsupported ciphers: The rc4 and 3des cipher suites are unsupported. Make sure that your clients support a cipher suite that contains more secure ciphers, otherwise SSB will not be able to receive log messages from them.
Unsupported digest method: The sha-0 (sha) digest method cannot be used in logstores anymore. If you have a logstore that uses this digest method, you must configure the logstore to use a different method before upgrading to SSB 5.3. Note that SSB rotates the logstore files every midnight. After changing the digest method, you must wait for the next log rotation before upgrading to SSB 5.3. For details on changing the digest method, see "General syslog-ng settings" in the Administration Guide.
After upgrading to SSB 5.3, you will not be able to access and search the logstore files that use the sha-0 digest method.
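The unsupported-cipher note above can be checked on the client side before upgrading. The following is an added example, not part of the SSB documentation or product: it scans a syslog-ng client configuration for explicit cipher-suite() lists and reports destinations that offer only RC4 or 3DES suites. The sample configuration, host name, destination names and verdict labels are constructed for illustration.

```python
import re

# Constructed syslog-ng client configuration; host and destination names are made up.
SAMPLE_CONF = '''
destination d_legacy { network("ssb.example.com" port(6514) transport("tls")
    tls(ca-dir("/etc/syslog-ng/ca.d") cipher-suite("RC4-SHA:DES-CBC3-SHA"))); };
destination d_mixed { network("ssb.example.com" port(6514) transport("tls")
    tls(ca-dir("/etc/syslog-ng/ca.d") cipher-suite("AES256-GCM-SHA384:DES-CBC3-SHA"))); };
destination d_default { network("ssb.example.com" port(6514) transport("tls")
    tls(ca-dir("/etc/syslog-ng/ca.d"))); };
'''

# OpenSSL suite names that use RC4 or 3DES (3DES suites are named DES-CBC3-*).
UNSUPPORTED = re.compile(r"RC4|3DES|DES-CBC3", re.IGNORECASE)
DEST_HEADER = re.compile(r"destination\s+([\w.-]+)\s*\{")
CIPHER_SUITE = re.compile(r'cipher[-_]suite\(\s*"([^"]*)"\s*\)')


def classify(cipher_string):
    """Split an explicit cipher list into (usable, unsupported) suite names."""
    usable, unsupported = [], []
    for token in re.split(r"[:,\s]+", cipher_string.strip()):
        if not token or token[0] in "!-":   # exclusions never add a suite
            continue
        name = token.lstrip("+")
        (unsupported if UNSUPPORTED.search(name) else usable).append(name)
    return usable, unsupported


def audit(conf_text):
    """Return {destination name: verdict} for each destination block."""
    headers = list(DEST_HEADER.finditer(conf_text))
    report = {}
    for i, header in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(conf_text)
        match = CIPHER_SUITE.search(conf_text, header.end(), end)
        usable, unsupported = classify(match.group(1)) if match else ([], [])
        if match is None:
            verdict = "library-default"      # no explicit list to check
        elif unsupported and not usable:
            verdict = "will-fail"            # only RC4/3DES offered
        else:
            verdict = "remove-unsupported" if unsupported else "ok"
        report[header.group(1)] = verdict
    return report


if __name__ == "__main__":
    print(audit(SAMPLE_CONF))
```

Keyword aliases such as HIGH are counted as usable here because they expand to several suites; expand them with `openssl ciphers -v` on the client to see the exact list.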
The Special > Firmware user privilege has been removed. To upload a new firmware, the user now needs to have the Basic Settings > System privilege. Note that users who had only the Special > Firmware privilege will not be able to log in to SSB after upgrading to version 5.3. For details on managing user privileges, see "User management and access control" in the Administration Guide.
Configuration changes of syslog-ng Premium Edition peers can be displayed only for peers running syslog-ng Premium Edition 3.0-6.0.x. Peers running syslog-ng Premium Edition version 7.0.x do not send such notifications. As a result, if you are forwarding the logs of an SSB node to another SSB node, such log messages will not be available. You can check the configuration changes of SSB on the AAA > Accounting page.
This means the following:
On the Basic Settings > Dashboard page, in the syslog-ng module, the following parameter names have changed to better represent their values:
For details, see: Status history and statistics.
The procedures about rewriting incoming log messages have been updated. See Replace message parts or create new macros with rewrite rules and Find and replace the text of the log message.
Password policies set for local SSB users now apply to the admin and root users as well. For details, see Setting password policies for local users.
The following default settings have changed:
Indexing is now enabled by default. For more information, see Creating logstores.
Required trusted is now the default setting for the Peer verification field.
Secure is now the default setting for the strength of the cipher suites. Also, the Default option has been renamed to Compatible. For more information, see Creating syslog message sources in SSB.
By default, SSB uses the aes-256-cbc cipher method and the SHA-256 digest method.
Passwords are now required to be at least 12 characters long and to include lower case letters, upper case letters, numbers, and special characters.
The SNMP source and the SNMP v2c agent are now turned off by default.
All of the email and SNMP alerts are now enabled by default.
Flow-control is now enabled by default.
You can now search in indexed logspaces even if log traffic is disabled.
The steps describing how to recover from a split brain situation have been clarified. For more information, see Recovering from a split brain situation.
This chapter introduces the syslog-ng Store Box (SSB), discussing how and why it is useful, and what benefits it offers to an existing IT infrastructure.