The SSB firmware is separated into two parts: a boot and a core firmware.
The boot firmware boots up SSB, provides the high availability support, and starts the core firmware.
The core firmware handles everything else: provides the web interface, receives and processes log messages and so on.
When you upload a new ISO file using the SSB web interface, it updates both firmware. For details, see Upgrading SSB.
When powering on the SSB nodes in high availability mode, both nodes boot and start the boot firmware. The boot firmware then determines which unit is the master: the core firmware is started only on the master node.
Upgrading the SSB firmware via the web interface automatically upgrades the firmware on both nodes.
As of June 2011, the following release policy applies to syslog-ng Store Box:
Long Term Supported or LTS releases (for example, SSB 3 LTS) are supported for 3 years after their original publication date and for 1 year after the next LTS release is published (whichever date is later). The second digit of the revisions of such releases is 0 (for example, SSB 3.0.1). Maintenance releases to LTS releases contain only bugfixes and security updates.
Feature releases (for example, SSB 3 F1) are supported for 6 months after their original publication date and for 2 months after the succeeding Feature or LTS Release is published (whichever date is later). Feature releases contain enhancements and new features, presumably 1-3 new feature per release. Only the last feature release is supported (for example, when a new feature release comes out, the last one becomes unsupported within two months).
For a full description on stable and feature releases, open the SSB product page on the Support Portal and navigate to Product Life Cycle & Policies > Product Support Policies > Software Product Support Lifecycle Policy.
Downgrading from a feature release is not supported. If you upgrade from an LTS release (for example, 3.0) to a feature release (3.1), you have to keep upgrading with each new feature release until the next LTS version (in this case, 4.0) is published.
A Log Source Host (LSH) is any host, server, or device (including virtual machines, active or passive networking devices, syslog-ng clients and relays, and so on) that is capable of sending log messages. Log Source Hosts are identified by their IP addresses, so virtual machines and vhosts are separately counted.
The syslog-ng Store Box appliance as a central log-collecting server that receives messages through a network connection, and stores them locally, or forwards them to other destinations or external systems (for example, a SIEM or a database). The SSB appliance requires a license file, this license file determines the number of Log Source Hosts (LSHs) that can send log messages to the SSB server.
Note that the number of source hosts is important, not the number of hosts that directly sends messages to SSB: every host that send messages to the server (directly or using a relay) counts as a Log Source Host.
For technical reasons, the syslog-ng Store Box appliance itself counts as two LSHs in standalone mode, and three LSHs in high-availability (HA) mode. This is automatically adjusted when One Identity generates the license file.