Chat now with support
Chat with Support

syslog-ng Store Box 6.1.0 - Administration Guide

Preface Introduction The concepts of SSB The Welcome Wizard and the first login Basic settings User management and access control Managing SSB Configuring message sources Storing messages on SSB Forwarding messages from SSB Log paths: routing and processing messages Configuring syslog-ng options Searching log messages Searching the internal messages of SSB Classifying messages with pattern databases The SSB RPC API Monitoring SSB Troubleshooting SSB Security checklist for configuring SSB

Creating text logspaces

The following describes how to create a new logspace that stores messages in plain text files.

Caution:

Compared to binary logspaces (LogStore files), plain text logspaces have the following limitations.

  • Plain text logspaces are not indexed, and you cannot browse or search them on the SSB search interface.

  • You cannot create remote, filtered, or multiple logspaces using text logspaces.

  • You cannot access text logspaces using the SSB RPC API.

Use text logspaces only if you want to access them as a shared file from an external application. For details, see Accessing log files across the network.

You can also configure SSB to store the messages in a plain text logspace (so you can share it) and in a LogStore file at the same time, so you can access them from the SSB search interface. To accomplish this, configure a log path that has two destinations (one plain text, one LogStore), and disable the Log > Paths > Final option for the first path.

To create a new logspace that stores messages in plain text files

  1. Navigate to Log > Logspaces and click .

  2. Enter a name for the logspace into the top field. Use descriptive names that help you to identify the source easily.

    Figure 99: Log > Logspaces — Creating a new text logspace

  3. Select Text file from the Type field.

  4. Select the template to use for parsing the log messages. The following templates are available:

    • Legacy corresponds to the following syslog-ng template:

      template("${DATE} ${HOST} ${MSGHDR}${MSG\n}")
    • ISO date corresponds to the following syslog-ng template:

      template("${ISODATE} ${HOST} ${MSGHDR}${MSG\n}")
    • Extended is a deprecated option. Currently it duplicates the functionality of ISO date.

    • Custom specifies a custom syslog-ng template in the appearing Template field.

      For details on using syslog-ng templates, see The syslog-ng Premium Edition 7.0 Administrator Guide.

  5. Select how to organize the log files of this logspace from the Filename template field.

    • To save every message received during a day into a single file, select All messages in one file.

    • To create a separate log file for every peer (IP address or hostname) that sends messages, select the Per host option. This option corresponds to using the ${HOST} macro of syslog-ng.

    • To create a separate log file for every application that sends messages, select the Per application option. This option corresponds to using the ${PROGRAM} macro of syslog-ng.

    • To create a separate log file for every application of every peer (IP address or hostname) that sends messages, select Per host and application option. This option corresponds to using the ${HOST}-${PROGRAM} macros of syslog-ng.

    • To specify a custom template for naming the log files, select the Custom option and enter the template into the appearing Template field.

      NOTE:

      Templates that generate an invalid path (for example, they use a filename longer than 246 characters or refer to a parent directory) will not work.

      For details on using filename templates, see The syslog-ng Premium Edition 7.0 Administrator Guide.

  6. To create automatic daily backups of the logspace to a remote server, create a backup policy and select it from the Backup policy field. For details on creating backup policies, see Data and configuration backups.

  7. To archive the logspace automatically daily, create an archiving policy and select it from the Archive/Cleanup policy field. For details on creating archiving policies, see Archiving and cleanup.

    Caution:

    Use archiving and cleanup policies to remove older logfiles from SSB, otherwise the hard disk of SSB may become full.

  8. To make the log files of this logspace available via the network, create a sharing policy and select it from the Sharing policy field. For details on creating sharing policies, see Accessing log files across the network.

  9. Set a size for the logspace in the Warning size field: SSB will send an alert if the size of this logspace exceeds the limit.

    Caution:

    Make sure that the Logspace exceeded warning size alert is enabled in Basic Settings > Alerting & Monitoring page, and that the mail and SNMP settings of the Basic Settings > Management page are correct. Otherwise, you will not receive any alert when the logspace exceeds the size limit. For details on alerting and monitoring, see also Configuring system monitoring on SSB.

  10. By default, members of the search group can view the stored messages online. Use the Access control option to control which usergroups can access the logspace. For details, see also Managing user rights and usergroups.

  11. Click Commit.

Managing logspaces

Logspaces are mostly managed automatically using backup and archiving policies, as described in Data and configuration backups and Archiving and cleanup. However, backup and archiving can be started manually as well. To display the details of a logspace, click . A number of action buttons is shown in the top row.

NOTE:

These options are not available for filtered and remote logspaces.

Figure 100: Log > Logspaces > Get current size — Managing logspaces

TIP:

The size of the logspace is displayed in the Size row of the logspace details. To refresh the data, select Get current size.

  • To start the backup process manually, click Backup.

  • To restore the log files from the backup server to SSB click Restore.

    Caution:

    Restoring the backup replaces every log file of the logspace with the files from the backup. Any log message saved into the logspace since the backup is irrevocably lost.

  • To start the archiving and the cleanup process manually, click Archive/Cleanup.

    Caution:

    If the archiving policy selected for the logspace is set to perform only cleanup, log messages older than the Retention Time are deleted and irrevocably lost. For details, see Archiving and cleanup.

  • To delete every log file in the logspace, click Empty. This option can be useful if you have to quickly free up space on SSB, or if you want to delete a logspace.

    Caution:

    This action deletes every file of the logspace. Any log message not archived or backed up is irrevocably lost.

    You can still search archived logs of the logspace.

Similar action buttons are available at the top of the Log > Logspaces page to backup, archive, or delete the contents of every logspace. These actions are performed on every logspace with their respective settings, that is, clicking Backup All creates a backup of every logspace using the backup policy settings of the individual logspace.

Creating filtered logspaces

Filtered logspaces allow you to create a smaller, filtered subset of the logs contained in an existing local, remote or multiple logspace. Assigning a user group to a filtered logspace enables fine grained access control by creating a group which sees only a subset of the logs from a logspace.

You can use the same search expressions and logic as on the Search interface to create a filtered logspace. In the following example, we have configured a filtered logspace that only contains messages from syslog-ng:

NOTE:

The filtered logspace is only a view of the base logspace. The log messages are still stored in the base logspace (if the base logspace is a remote logspace, the log messages are stored on the remote SSB). Therefore you cannot alter any configuration parameters of the logspace directly. To do this, navigate to the base logspace itself.

Figure 101: Log > Filtered Logspaces — Filtered logspaces

To create filtered logspaces

  1. Navigate to Log > Filtered Logspaces and click .

  2. Enter a name for the logspace into the top field. Use descriptive names that help you to identify the source easily. Note that the name of the logspace must begin with a number or a letter.

  3. Choose which logspace to filter in Base logspace.

  4. Enter the search expression in the Filter field.

    You can create complex searches using wildcards and boolean expressions. For more information and practical examples, see Using complex search queries.

    NOTE:

    SSB only indexes the first 59 characters of every name-value pair (parameter). This has two consequences:

    • If the parameter is longer than 59 characters, an exact search might deliver multiple, imprecise results.

      Consider the following example. If the parameter is:

      .sdata.security.uid=2011-12-08T12:32:25.024+01:00-hostname-12345

      SSB indexes it only as:

      .sdata.security.uid=2011-12-08T12:32:25.024+01:00-hostname-

      This corresponds to the first 59 characters. As a result, searching for:

      nvpair:.sdata.security.uid=2011-12-08T12:32:25.024+01:00-hostname-12345

      returns all log messages that contain:

      .sdata.security.uid=2011-12-08T12:32:25.024+01:00-hostname-
    • Using wildcards might lead to the omission of certain messages from the search results.

      Using the same example as above, searching for the value:

      nvpair:*=2011-12-08T12:32:25.024+01:00-hostname-12345

      does not return any results (as the 12345 part was not indexed). Instead, you have to search for:

      nvpair:*=2011-12-08T12:32:25.024+01:00-hostname-*

      This, as explained above, might find multiple results.

  5. By default, members of the search group can view the stored messages online. Use the Access control option to control which usergroups can access the logspace. For details, see also Managing user rights and usergroups.

  6. Click Commit.

Creating remote logspaces

SSB can access and search logspaces (including filtered logspaces) on other SSB appliances. To configure SSB to access a logspace on another (remote) SSB, set up a remote logspace.

Once configured, remote logspaces can be searched like any other logspace on SSB. You can also create filtered logspaces that are based on the remote logspace.

NOTE:

Note that you cannot alter the configuration, archive, back up, or empty the contents of the logspace on the remote SSB.

NOTE:

If the remote logspace becomes inaccessible, you will not be able to view the contents of that logspace.

Figure 102: Log > Remote Logspaces — Remote logspaces

Prerequisites:
  • You have verified that the version number of the remote SSB equals (or exceeds) the version number of the SSB where the remote logspace is created.

  • You have configured a user on the remote SSB that can access the logspace you want to reach.

  • If the logspace is encrypted, you have verified that the user has the necessary certificates.

  • You have downloaded the CA X.509 certificate of the remote SSB.

    To download the server certificate, navigate to Basic Settings > Management > SSL certificate > CA X.509 certificate, and click on the certificate.

To create remote logspaces

  1. Navigate to Log > Remote Logspaces and click .

  2. Enter a name for the logspace into the top field. Use descriptive names that help you to identify the source easily. Note that the name of the logspace must begin with a number or a letter.

  3. Enter the IP address or hostname of the remote SSB in the Host field.

  4. Enter the username of the user configured for accessing the logspace on the remote SSB in the Username field.

  5. Enter the password of the same user in the Password field.

  6. Enter the name of the logspace as it appears on the remote SSB in the Remote logspace name field.

  7. In the Remote certificate authority section, click to upload the server certificate of the remote SSB. A pop-up window is displayed.

    Click Browse, select the certificate of the remote SSB, then click Upload.

  8. By default, members of the search group can view the stored messages online. Use the Access control option to control which usergroups can access the logspace. For details, see also Managing user rights and usergroups.

  9. Click Commit.

Related Documents