
syslog-ng Store Box 6.1.0 - Administration Guide


Subscription-based license

For virtual appliances, you can buy a subscription-based license that is valid for a fixed period of twelve (12) or thirty-six (36) months. The subscription-based license automatically includes product support and access to the latest software versions. For details, see the Software Transaction, License and End User License Agreements.

Note that One Identity offers subscription-based licensing only in certain geographic regions and only for limited virtual appliance license options. For details, contact One Identity.

Licensing examples

Example: A simple example

Scenario:

  • You want to deploy an SSB appliance as a log server.
  • 45 servers with syslog-ng PE installed in client mode send logs to the SSB log server.
  • 45 network devices without syslog-ng PE installed send logs to the SSB log server.

License requirements: You need a syslog-ng Store Box license for at least 100 Log Source Hosts (LSHs), as there are 90 LSHs (45+45=90) in this scenario.

Example: High Availability (HA) cluster

Scenario:

  • You want to install syslog-ng PE in server mode on two hosts that run as an active-passive high-availability cluster.
  • 45 servers with syslog-ng PE installed in client mode send logs to the syslog-ng PE log server.
  • 45 network devices without syslog-ng PE installed send logs to the syslog-ng PE log server.

License requirements: You need a syslog-ng Store Box license for at least 100 Log Source Hosts (LSHs), as there are 90 LSHs (45+45=90) in this scenario. You also need a High Availability (HA) license for the passive log server.

Example: Using alternative log servers with syslog-ng PE clients

Scenario:

  • You want to deploy an SSB appliance as a log server.
  • 45 servers with syslog-ng PE installed in client mode send logs to the SSB log server.
  • 45 network devices without syslog-ng PE installed send logs to the SSB log server.
  • 100 servers with syslog-ng PE installed send log messages to a log server without syslog-ng PE installed.

License requirements: You need a syslog-ng Store Box license for at least 200 LSHs, as there are 190 LSHs in this scenario (45+45 that send logs to the SSB log server, and another 100 that run syslog-ng PE: 45+45+100=190).

Example: Using syslog-ng PE relays

Scenario:

  • You want to deploy an SSB appliance as a log server.
  • 45 servers with syslog-ng PE installed in client mode send logs directly to the SSB log server.
  • 5 servers with syslog-ng PE installed in relay mode send logs to the SSB log server.
  • Every syslog-ng PE relay receives logs from 9 network devices without syslog-ng PE installed (a total of 45 devices).
  • 100 servers with syslog-ng PE installed send log messages to a log server without syslog-ng PE installed.

License requirements: You need a syslog-ng Store Box license for at least 200 LSHs, as there are 195 LSHs (45+5+(5*9)+100=195) in this scenario.

Example: Multiple facilities

You have two facilities (for example, data centers or server farms). Facility 1 has 75 AIX servers and 20 Microsoft Windows hosts; Facility 2 has 5 HP-UX servers and 40 Debian servers. That is 140 hosts altogether.

NOTE:

If, for example, the 40 Debian servers at Facility 2 are each running 3 virtual hosts, then the total number of hosts at Facility 2 is 125, and the license sizes in the following examples should be calculated accordingly.

  • Scenario: The log messages are collected to a single, central SSB log server.

    License requirements: You need a syslog-ng Store Box license for 150 LSHs, as there are 140 LSHs (75+20+5+40) in this scenario.

  • Scenario: Each facility has its own SSB log server, and there is no central log server.

    License requirements: You need two separate licenses: a license for at least 95 LSHs (75+20) at Facility 1, and a license for at least 45 LSHs (5+40) at Facility 2. In practice, that means a license for 100 LSHs at Facility 1 and a license for 50 LSHs at Facility 2.

  • Scenario: The log messages are collected to a single, central SSB log server. Facility 1 and 2 each have a syslog-ng PE relay that forwards the log messages to the central SSB log server.

    License requirements: You need a syslog-ng Store Box license for 150 LSHs, as there are 142 LSHs (1+75+20+1+5+40) in this scenario (each relay is also counted as an LSH).

  • Scenario: Each facility has its own local SSB log server, and there is also a central SSB log server that collects every log message independently from the two local log servers.

    License requirements: You need three separate licenses: a syslog-ng Store Box license for at least 95 LSHs (75+20) at Facility 1, a license for at least 45 LSHs (5+40) at Facility 2, and a license for at least 142 LSHs for the central syslog-ng Store Box log server (assuming that you also want to collect the internal logs of the two local log servers).

The structure of a log message

The following sections describe the structure of log messages. Currently there are two standard syslog message formats:

BSD-syslog or legacy-syslog messages

This section describes the format of a syslog message, according to the legacy-syslog or BSD-syslog protocol (see RFC 3164). A syslog message consists of the following parts:

The total message must be shorter than 1024 bytes.

The following example is a sample syslog message:

<133>Feb 25 14:09:07 webserver syslogd: restart

The message corresponds to the following format:

<priority>timestamp hostname application: message

The different parts of the message are explained in the following sections.

NOTE:

The syslog-ng application supports longer messages as well. For details, see the Message size option. However, it is not recommended to enable messages larger than the packet size when using UDP destinations.
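As an added illustration (not part of this guide and not syslog-ng code), the following Python parser splits a BSD-syslog line into the parts shown above, decodes the <priority> field into facility and severity (PRI = facility * 8 + severity, so the sample's <133> is local0/notice), and rejects input that reaches the 1024-byte limit of the legacy format. The short facility and severity names are our own labels for the RFC 3164 numeric codes, and the sample lines are the guide's example plus one constructed input.

```python
import re

# RFC 3164 limit quoted on this page: the whole message must be shorter than 1024 bytes.
MAX_BSD_SYSLOG_BYTES = 1024
# Severity codes 0-7 and facility codes 0-23 from RFC 3164 (short names are ours).
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
              "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]
# The layout shown in the guide: <priority>timestamp hostname application: message
BSD_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"                                   # PRI: 1-3 digits in angle brackets
    r"(?P<timestamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "  # "Mmm dd hh:mm:ss", day space-padded
    r"(?P<hostname>\S+) "
    r"(?P<application>[^:\s]+): ?"                           # program name up to the colon
    r"(?P<message>.*)$", re.DOTALL)

# The guide's own sample line: PRI 133 = facility 16 (local0) * 8 + severity 5 (notice).
SAMPLE = "<133>Feb 25 14:09:07 webserver syslogd: restart"

def parse_bsd_syslog(raw: str) -> dict:
    """Split one BSD-syslog line into its parts and decode PRI into facility/severity."""
    size = len(raw.encode("utf-8"))
    if size >= MAX_BSD_SYSLOG_BYTES:
        raise ValueError(f"{size} bytes: BSD-syslog messages must be shorter than {MAX_BSD_SYSLOG_BYTES}")
    m = BSD_RE.match(raw)
    if m is None:
        raise ValueError("line does not match <priority>timestamp hostname application: message")
    pri = int(m["pri"])
    if pri > 191:  # 23 * 8 + 7 is the largest encodable facility/severity pair
        raise ValueError(f"PRI {pri} out of range 0-191")
    facility, severity = divmod(pri, 8)  # PRI = facility * 8 + severity
    return {
        "priority": pri,
        "facility": facility, "facility_name": FACILITIES[facility],
        "severity": severity, "severity_name": SEVERITIES[severity],
        "timestamp": m["timestamp"], "hostname": m["hostname"],
        "application": m["application"], "message": m["message"],
    }

def is_valid_bsd_syslog(raw: str) -> bool:
    """True when parse_bsd_syslog() accepts the line, False when it rejects it."""
    try:
        parse_bsd_syslog(raw)
        return True
    except ValueError:
        return False
```

Running parse_bsd_syslog(SAMPLE) yields facility 16 (local0) and severity 5 (notice) for the guide's example; an oversized or malformed line raises ValueError instead of producing a partial record.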
