
syslog-ng Store Box 6.0.3 - Administration Guide



Welcome to the syslog-ng Store Box 6.0.3 Administration Guide!

This document describes how to configure and manage the syslog-ng Store Box (SSB). Background information for the technology and concepts used by the product is also discussed.

About this document

This guide is a work-in-progress document with new versions appearing periodically.

The latest version of this document can be downloaded from the syslog-ng Store Box Documentation page.

Summary of changes

Version 6.0.1 - 6.0.2
Changes in product
  • syslog-ng Store Box (SSB) version 6.0.2 is a new, stable, long-term supported version of syslog-ng.


    syslog-ng Store Box (SSB) version 6.0.2 is supported on the following hardware:

    • syslog-ng Store Box (SSB) Appliance 3000

    • syslog-ng Store Box (SSB) Appliance 3500

    • syslog-ng Store Box (SSB) T1

    • syslog-ng Store Box (SSB) T4

    • syslog-ng Store Box (SSB) T10

    For further information, see the hardware specifications in the Installation Guide.

Version 6.0 - 6.0.1
Changes in product
  • SSB automatically resets the license host counter every midnight.

Version 5.3.0 - 6.0.0
Changes in product
  • When using SNMP to monitor SSB, information about SSB is available using the public community by default. If you are using a high-availability SSB cluster, then each node provides information about its own status using a specific community, for example, 00:56:56:6f:00:8F. This community is displayed on the Basic Settings > Management > SNMP trap settings page, and is the Node ID of the node (also displayed in the Basic Settings > High Availability > This node > Node ID field when using SSB in High Availability mode).

Version 5.2.0 - 5.3.0
Changes in product
  • The security settings and ciphers supported when accessing the SSB web interface and RPC API have been updated. For details, see Web interface and RPC API settings.

  • Starting with version 5.3, SSB can be updated using a single firmware file instead of having to upload the core and boot firmware separately. Maintenance releases of the 5.3 line will already use this mechanism, and will be released as an ISO file. For details, see Upgrading SSB. Note that upgrading to SSB 5.3 still requires two separate firmware files.

  • Unsupported protocol: The sslv3 protocol is unsupported. Make sure that your clients support a newer protocol (at least tlsv1.0), otherwise SSB will not be able to receive log messages from them.

  • Unsupported ciphers: The rc4 and 3des cipher suites are unsupported. Make sure that your clients support a cipher suite that contains more secure ciphers, otherwise SSB will not be able to receive log messages from them.

  • Unsupported digest method: The sha-0 (sha) digest method cannot be used in logstores anymore. If you have a logstore that uses this digest method, you must configure the logstore to use a different method before upgrading to SSB 5.3. Note that SSB rotates the logstore files every midnight. After changing the digest method, you must wait for the next log rotation before upgrading to SSB 5.3. For details on changing the digest method, see "General syslog-ng settings" in the Administration Guide.


    After upgrading to SSB 5.3, you will not be able to access and search the logstore files that use the sha-0 digest method.

  • The Special > Firmware user privilege has been removed. To upload a new firmware, the user now needs to have the Basic Settings > System privilege. Note that users who had only the Special > Firmware privilege will not be able to log in to SSB after upgrading to version 5.3. For details on managing user privileges, see "User management and access control" in the Administration Guide.

  • Configuration changes of syslog-ng Premium Edition peers can be displayed only for peers running syslog-ng Premium Edition 3.0-6.0.x. Peers running syslog-ng Premium Edition version 7.0.x do not send such notifications. As a result, if you are forwarding the logs of an SSB node to another SSB node, such log messages will not be available. You can check the configuration changes of SSB on the AAA > Accounting page.
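
As an added example (not part of the SSB documentation), the following script checks the `cipher-suite()` setting of a syslog-ng client against the RC4 and 3DES suites that the list above marks as unsupported. The host name, port, CA path and sample configuration are constructed, and only explicit suite names are judged; keywords such as HIGH are reported for manual expansion.

```python
import re

# Name fragments that identify RC4 and 3DES suites (OpenSSL and IANA spellings).
REJECTED_MARKERS = ("RC4", "DES-CBC3", "3DES")
CIPHER_OPT = re.compile(r'cipher-suite\(\s*"([^"]*)"\s*\)')

def classify(token):
    """Return 'rejected', 'candidate' or 'unresolved' for one cipher-list token."""
    if token[0] in "!+-@" or "+" in token:
        return "unresolved"          # list operator or combined keyword
    if any(m in token.upper() for m in REJECTED_MARKERS):
        return "rejected"            # explicit suite, or the bare RC4/3DES alias
    # Explicit OpenSSL suite names contain a hyphen; bare words are keywords.
    # 'candidate' only means "not RC4/3DES"; SSB must still accept the suite.
    return "candidate" if "-" in token else "unresolved"

def audit_config(text):
    """Audit every cipher-suite() option found in a syslog-ng client config."""
    reports = []
    for cipher_list in CIPHER_OPT.findall(text):
        groups = {"rejected": [], "candidate": [], "unresolved": []}
        for token in filter(None, re.split(r"[:, ]+", cipher_list)):
            groups[classify(token)].append(token)
        if groups["candidate"]:
            verdict = "ok"           # at least one non-RC4/3DES suite is offered
        elif groups["unresolved"]:
            verdict = "expand"       # expand the list with `openssl ciphers -v`
        else:
            verdict = "blocked"      # only RC4/3DES offered
        reports.append({"list": cipher_list, "verdict": verdict, **groups})
    return reports

# Constructed sample: two destinations of a hypothetical client.
SAMPLE_CONFIG = '''
destination d_ssb_old {
    network("ssb.example.com" port(6514) transport("tls")
        tls(ca-dir("/etc/syslog-ng/ca.d") cipher-suite("RC4-SHA:DES-CBC3-SHA")));
};
destination d_ssb_new {
    network("ssb.example.com" port(6514) transport("tls")
        tls(ca-dir("/etc/syslog-ng/ca.d")
            cipher-suite("ECDHE-RSA-AES256-GCM-SHA384:RC4-SHA:HIGH")));
};
'''

if __name__ == "__main__":
    for r in audit_config(SAMPLE_CONFIG):
        print(r["verdict"], r["list"], "rejected:", r["rejected"])
```

A `blocked` verdict marks a client that offers nothing but RC4 or 3DES and needs its cipher list changed before the upgrade.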

Version 5.1.0 - 5.2.0
Changes in product
  • SSB now uses syslog-ng Premium Edition version 7.0. As a result, the following features have changed:
    • The Pair separator string option has been added to Log > Parsers. You can now define a character or string that separates the key-value pairs from each other. For details, see Parsing key-value pairs.
    • The SQL source has been removed from Log > Sources. In connection with this, the ssbSqlSourceAlert alert has been removed from Basic Settings > Alerting & Monitoring.
    • The SNMP destination has been removed from Log > Destinations.
    • Reliable Log Transfer Protocol (RLTP) has been renamed to Advanced Log Transfer Protocol (ALTP). For details, see Advanced Log Transfer Protocol.

    This means the following:

    • When attempting to upgrade to version 5.2, if you are using SQL source or SNMP destination in your current SSB configuration, the upgrade process will fail. To remedy this issue, delete any SQL source or SNMP destination and retry the upgrade process.
    • When attempting to import a configuration that contains SQL source or SNMP destination to a newly installed SSB, the import process will fail. To remedy this issue, start the machine that you have exported the configuration from, delete any SQL source or SNMP destination, re-export the configuration, and then retry the import process.
  • On the Log > Sources page, several options have been rearranged to make configuring log sources easier. For details, see Creating syslog message sources in SSB.
  • On the Log > Sources page, the Do not parse option has been added to the Incoming log protocol and message format section. This option completely disables syslog message parsing and stores the complete log in the message part. It is useful if incoming messages do not comply with the syslog format. For details, see Creating syslog message sources in SSB.
  • Following the change to syslog-ng Premium Edition version 7.0, the Ignore ambiguous program field option has been removed from the Log > Sources page, because syslog-ng PE now handles this for both the IETF and BSD protocols. For details, see Creating syslog message sources in SSB.
  • From SSB version 5.2.0, SSB only supports SMB 2.1 or later. This change affects the servers and clients that you use for archive, backup and shared logspace purposes. Make sure that they support SMB 2.1 or later. Otherwise, these features will not work. For details, see Creating an archive policy using SMB/CIFS, Creating a backup policy using SMB/CIFS, Sharing log files in domain mode, Sharing log files in standalone mode, Accessing shared files.
  • On the Basic Settings > Dashboard page, in the syslog-ng module, the following parameter names have changed to better represent their values:

    • destination_stored has been renamed to destination_queued.
    • source_stored has been renamed to source_queued.

    For details, see: Status history and statistics.

  • The Firmware management menu has been removed from the console menu. For details, see Using the console menu of SSB.
  • The Validity information has been removed from Search > Peer Configuration Change. For details, see Configuration changes of syslog-ng peers.
  • The Peer configuration - Invalid configuration signature element has been removed from the reports.

Version 5 LTS - 5.1.0
Changes in product
  • It is now possible to forward log messages from SSB to Hadoop Distributed File System (HDFS) servers, allowing you to store your log data on a distributed, scalable file system. This is especially useful if you have huge amounts of log messages that would be difficult to store otherwise, or if you want to process your messages using Hadoop tools. For more information, see Forwarding log messages to HDFS destinations.


This section introduces the syslog-ng Store Box (SSB), discussing how and why it is useful, and what benefits it offers to an existing IT infrastructure.
