Chat now with support
Chat with Support

syslog-ng Store Box 6.1.0 - Administration Guide

Preface Introduction The concepts of SSB The Welcome Wizard and the first login Basic settings User management and access control Managing SSB Configuring message sources Storing messages on SSB Forwarding messages from SSB Log paths: routing and processing messages Configuring syslog-ng options Searching log messages Searching the internal messages of SSB Classifying messages with pattern databases The SSB RPC API Monitoring SSB Troubleshooting SSB Security checklist for configuring SSB

Receiving logs from a secure channel

The syslog-ng Store Box receives log messages securely over the network using the Transport Layer Security (TLS) protocol (TLS is an encryption protocol over the TCP/IP network protocol).

TLS uses certificates to authenticate and encrypt communication, as illustrated in the following figure:

Figure 3: Certificate-based authentication

The client sending the logs authenticates SSB by requesting its certificate and public key. Optionally, SSB can also request a certificate from the client, thus mutual authentication is also possible.

In order to use TLS encryption in syslog-ng, the following elements are required:

  • A certificate on SSB that identifies SSB. This is available by default.

  • The certificate of the Certificate Authority that issued the certificate of SSB must be available on the syslog-ng client.

When using mutual authentication to verify the identity of the clients, the following elements are required:

  • A certificate must be available on the syslog-ng client. This certificate identifies the syslog-ng client.

  • The certificate of the Certificate Authority that issued the certificate of the syslog-ng client must be available on SSB.

Mutual authentication ensures that SSB accepts log messages only from authorized clients.

For details on configuring TLS communication in syslog-ng, see Configuring message sources.

Advanced Log Transfer Protocol

The SSB application can receive log messages in a reliable way over the TCP transport layer using the Advanced Log Transfer Protocol (ALTP). ALTP is a proprietary transport protocol that prevents message loss during connection breaks. The transport protocol is used between syslog-ng Premium Edition hosts and SSB (for example, a client and SSB, or a client-relay-SSB), and interoperates with the flow-control and reliable disk-buffer mechanisms of syslog-ng Premium Edition, thus providing the best way to prevent message loss.

The sender detects which messages the receiver has successfully received. If messages are lost during the transfer, the sender resends the missing messages, starting from the last successfully received message. Therefore, messages are not duplicated at the receiving end in case of a connection break (however, in failover mode this is not completely ensured). ALTP also allows for connections to be encrypted.

Network interfaces

The SSB hardware has five network interfaces: the external, the management, the internal (currently not used in SSB), the HA, and the IPMI interface. For details on hardware installation, see "syslog-ng Store Box Hardware Installation Guide" in the Installation Guide.

External interface

The external interface is used for communication between SSB and the clients: clients send the syslog messages to the external interface of SSB. Also, the initial configuration of SSB is always performed using the external interface (for details on the initial configuration, see Configuring SSB with the Welcome Wizard). The external interface is used for management purposes if the management interface is not configured. The external interface uses the Ethernet connector labeled as 1 (or EXT).

Using a 10Gbit interface as external interface

The SSB T-10 appliance is equipped with a dual-port 10Gbit interface. You can use the 10Gbit interface instead of the regular 1Gbit external (LAN 1) interface. That way, you can use SSB without any additional changes even if your network devices support only 10Gbit, and you must connect SSB to a 10Gbit-only network. This interface has SFP+ connectors (not RJ-45) labeled A and B, and can be found right of the Label 1 and 2 Ethernet interfaces.


For a list of compatible connectors, see Linux* Base Driver for 10 Gigabit Intel® Ethernet Network Connection Overview. Note that SFP transceivers encoded for non-Intel hosts may be incompatible with the Intel 82599EB host chipset found in SSB.


Do not leave any unused SFP/SFP+ transceiver in the 10Gbit interface. It may cause network outage.


Hazard of data loss One Identity recommends using a single interface (either 1, or A) and leaving the B interface unused.

If SSB detects a link on multiple interfaces, SSB will not switch to a different interface as long as the link is detected on the currently active interface, not even in case of packet loss or other network issues.

To ensure that your configuration is future-proof and to avoid having to reconfigure your appliance in the future, it is not recommended to use the B interface. In future releases of SSB, the B interface will be used exclusively in one particular type of scenario.

Management interface

The management interface is used exclusively for communication between SSB and the auditors or the administrators of SSB. Incoming connections are accepted only to access the SSB web interface, other connections targeting this interface are rejected. The management interface uses the Ethernet connector labeled as 2 (or MGMT).

The routing rules determine which interface is used for transferring remote backups and syslog messages of SSB.


It is recommended to direct backups, syslog and SNMP messages, and email alerts to the management interface. For details, see Configuring the routing table.

If the management interface is not configured, the external interface takes the role of the management interface.


When deploying SSB in a virtual environment, it is sufficient to use only a single network interface. When only one network interface is defined, that interface will be the one used for management purposes, enabling access to SSB's web interface and the RPC API.

High availability interface

The high availability interface (HA) is an interface reserved for communication between the nodes of SSB clusters. The HA interface uses the Ethernet connector labeled as 4 (or HA). For details on high availability, see High Availability support in SSB.

IPMI interface

The Intelligent Platform Management Interface (IPMI) interface allows system administrators to monitor system health and to manage SSB events remotely. IPMI operates independently of the operating system of SSB.

High Availability support in SSB

High availability clusters can stretch across long distances, such as nodes across buildings, cities or even continents. The goal of HA clusters is to support enterprise business continuity by providing location-independent load balancing and failover.

In high availability (HA) mode, two SSB units (called master and slave nodes) with identical configuration are operating simultaneously. The master shares all data with the slave node, and if the master node stops functioning, the other one becomes immediately active, so the servers are continuously accessible.

You can find more information on managing a high availability SSB cluster in Managing a high availability SSB cluster.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating