syslog-ng Store Box 5.3.0 - Administration Guide

Preface Introduction The concepts of SSB The Welcome Wizard and the first login Basic settings User management and access control Managing SSB Configuring message sources Storing messages on SSB Forwarding messages from SSB Log paths: routing and processing messages Configuring syslog-ng options Searching log messages Searching the internal messages of SSB Classifying messages with pattern databases The SSB RPC API Troubleshooting SSB Security checklist for configuring SSB About us Third-party contributions

Using session-only decryption keys

You can upload decryption keys to browse encrypted logspaces for the duration of the session only. These keys are automatically deleted when you log out from SSB.

To use session-only decryption keys

  1. Select User menu > Private keystore. A pop-up window is displayed.

  2. Select Temporary > , then select Certificate > . A pop-up window is displayed.

    Figure 141: User menu > Private keystore — Adding decryption keys to the private keystore

  3. Paste or upload the certificate used to encrypt the logstore.

  4. Select Key > . A pop-up window is displayed.

  5. Paste or upload the private key of the certificate used to encrypt the logstore.

  6. Repeat Steps 2-5 to upload additional keys if needed.

  7. Click Apply.

Assigning decryption keys to a logstore

You can add a private key (or set of keys) to a logstore, and use these keys to decrypt the logstore files. This way, anyone who has the right to search a particular logspace can search the messages. These decryption keys are stored unencrypted in the SSB configuration file.

As this may raise security concerns, avoid this solution unless absolutely necessary.

To assign decryption keys to a logstore

  1. Navigate to Log > Logspaces and select the encrypted logspace you want to make searchable for every user via the SSB web interface.

  2. Select Decryption private keys > . A pop-up window is displayed.

    Figure 142: Log > Logspaces — Adding decryption keys to a logstore

  3. Paste or upload the private key of the certificate used to encrypt the logstore.

  4. Repeat Steps 2-3 to upload additional keys if needed.

    An additional key is needed when the certificate used to encrypt a logstore expires. When this happens, you have to upload a new certificate. However, to be able to read the logstore encrypted with the old (expired) certificate(s), you need to keep the old encryption key(s) with the new one.

  5. Click Commit.

Creating custom statistics from log data

SSB can create statistics from the Facility, Priority, Program, Pid, Host, Tags, and .classifier.class columns. Use Customize columns to add the required column, if necessary.

NOTE:

The .classifier.class data is the class assigned to the message when pattern database is used. For details, see "Classifying messages with pattern databases" in the Administration Guide. The pattern databases provided by One Identity currently use the following message classes by default: system, security, violation, or unknown.

You can display statistics on the web interface, export the related data as CSV, and also save the statistics to include in a report.

Displaying log statistics

To display statistics about the log messages, click the icon in the appropriate header of the table.

You can choose from Bar chart or Pie chart & List.

NOTE:

For performance reasons, when creating statistics for a Multiple Logspace (see "Creating multiple logspaces" in the Administration Guide), SSB does not create statistics if the data upon which the statistics is based (for example, the hostname) has over 1000 entries in any of the member logspaces. In this case, SSB displays the Number of member statistics has too many entries error message.

Figure 143: Search > Logspaces — Displaying log statistics as Bar chart

In Pie chart & List view, percentages add up to 100%. The only exception to this is when statistics are based on Tags. Since statistics are provided for tags rather than messages, when messages have multiple tags, the percentages may add up to more than 100%.

Figure 144: Search > Logspaces — Displaying log statistics as Pie chart & List

Statistics will show the item with the largest number of entries first. To display the item with the least number of entries first, select Least.

NOTE:

When navigating to the "future" in the search bar, it is possible that the number of logs displayed in the Search results differs from the number of logs displayed in the Count part of the Host pie chart.

To avoid this, do not navigate to the "future".

If this has already happened, save the search expression that you have used somewhere, and then refresh the page by clicking Log > Search again. Note that it will display the original state of the Search page, meaning that for example it will remove all search expressions that you have entered before.

You can export these statistics in CSV format using the Export all to CSV option, or you can include them in reports as a subchapter.

Caution:

Do not use Export all to CSV to export large amounts of data, as exporting data can be very slow, especially if the system is under heavy load. If you regularly need a large portion of your data in plain text format, consider using the SSB RPC API (for details, see "The SSB RPC API" in the Administration Guide), or sharing the log files on the network and processing them with external tools (for details, see "Accessing log files across the network" in the Administration Guide).

Related Documents