Chat now with support
Chat with Support

We are currently preforming website maintenance, any feature requiring sign-in is temporarily unavailable, if you have an issue requiring immediate assistance please call Technical Support.

syslog-ng Store Box 6.0 - Administration Guide

Preface Introduction The concepts of SSB The Welcome Wizard and the first login Basic settings User management and access control Managing SSB Configuring message sources Storing messages on SSB Forwarding messages from SSB Log paths: routing and processing messages Configuring syslog-ng options Searching log messages Searching the internal messages of SSB Classifying messages with pattern databases The SSB RPC API Troubleshooting SSB Security checklist for configuring SSB

Creating logstores

To create logstores

  1. Navigate to Log > Logspaces and click .

  2. Enter a name for the logspace into the top field. Use descriptive names that help you to identify the source easily. Note that the name of the logspace must begin with a number or a letter.

    Figure 98: Log > Logspaces — Creating a new logstore

  3. Select LogStore from the Type field.

  4. To encrypt the log files using public-key encryption, click in the Encryption certificate field.

    A pop-up window is displayed.

    Click Browse, select the certificate you want to use to encrypt the log files, then click Upload. Alternatively, you can paste the certificate into the Certificate field and click Upload.


    To view encrypted log messages, you will need the private key of this certificate. For details on browsing encrypted logstores online on the SSB web interface, see Browsing encrypted logspaces. Encrypted log files can be displayed using the logcat command-line tool as well. The logcat application is currently available only for UNIX-based systems.

    One Identity recommends:

    • Using 2048-bit RSA keys (or stronger).

    • Using the SHA-256 hash algorithm (or stronger) when creating the public key fingerprint.


    Each certificate or encryption-related setting described above only takes effect from the next day.

    However, if you use decryption private keys, you can search in the encrypted logstores immediately after the private keys are uploaded. For more information, see Assigning decryption keys to a logstore.

  5. By default, SSB requests a timestamp every ten minutes from the internal Timestamping Authority. Adjust the frequency of timestamping requests in the Timestamping frequency field if needed. For details on how to request timestamps from an external provider, see Timestamping configuration on SSB.

  6. Indexing is enabled by default. For detailed instructions on configuring indexing, see Configuring the indexer service.

  7. Logstore files are compressed by default. If you do not want to use compression, uncheck the Compressed logstore option.

  8. Select how to organize the log files of this logspace from the Filename template field.

    • To save every message received during a day into a single file, select All messages in one file.

    • To create a separate log file for every peer (IP address or hostname) that sends messages, select the Per host option. This option corresponds to using the ${HOST} macro of syslog-ng.

    • To create a separate log file for every application that sends messages, select the Per application option. This option corresponds to using the ${PROGRAM} macro of syslog-ng.

    • To create a separate log file for every application of every peer (IP address or hostname) that sends messages, select Per host and application option. This option corresponds to using the ${HOST}-${PROGRAM} macros of syslog-ng.

    • To specify a custom template for naming the log files, select the Custom option and enter the template into the appearing Template field.


      Templates that generate an invalid path (for example, they use a filename longer than 246 characters or refer to a parent directory) will not work.

      For details on using filename templates, see The syslog-ng Premium Edition 7.0 Administrator Guide.

  9. To create automatic daily backups of the logspace to a remote server, create a backup policy and select it from the Backup policy field. For details on creating backup policies, see Data and configuration backups.

  10. To archive the logspace automatically daily, create an archiving policy and select it from the Archive/Cleanup policy field. For details on creating archiving policies, see Archiving and cleanup.


    Use archiving and cleanup policies to remove older logfiles from SSB, otherwise the hard disk of SSB may become full.

  11. To make the log files of this logspace available via the network, create a sharing policy and select it from the Sharing policy field. For details on creating sharing policies, see Accessing log files across the network.

  12. Set a size for the logspace in the Warning size field: SSB will send an alert if the size of this logspace exceeds the limit.


    Make sure that the Logspace exceeded warning size alert is enabled in Basic Settings > Alerting & Monitoring page, and that the mail and SNMP settings of the Basic Settings > Management page are correct. Otherwise, you will not receive any alert when the logspace exceeds the size limit. For details on alerting and monitoring, see also Configuring system monitoring on SSB.

  13. By default, members of the search group can view the stored messages online. Use the Access control option to control which usergroups can access the logspace. For details, see also Managing user rights and usergroups.

  14. Click Commit.

Related Documents