syslog-ng Store Box 6.10.0 - Administration Guide

Configuring the Azure Sentinel destination: adding a new Azure Sentinel destination

This section describes the first steps of configuring the Azure Sentinel destination of syslog-ng Store Box (SSB), that is, adding the new Azure Sentinel destination on the SSB web interface.

For information about configuring the authentication and workspace settings of your Azure Sentinel destination, see Configuring the Azure Sentinel destination: Authentication and workspace settings.

For information about configuring the advanced message parameters of your Azure Sentinel destination, see Configuring the Azure Sentinel destination: Advanced message parameters.

For information about configuring the performance-related settings of your Azure Sentinel destination, see Configuring the Azure Sentinel destination: Performance-related settings.

NOTE: This section and the other Azure Sentinel-related sections in this documentation are based on Azure Sentinel messaging service concepts and terminology. If you do not use the Azure Sentinel messaging service on a regular basis, One Identity recommends that you read the Azure Sentinel quick-start documentation to familiarize yourself with the messaging service's concepts and terminology before you continue reading these sections.

To create your custom Azure Sentinel destination on the SSB web interface

  1. Navigate to Log > Destinations, and select to create a new destination.

    Figure 173: Log > Destinations > <your-sentinel-destination> — Adding a new Sentinel destination

  2. Under Destination type, select Sentinel destination.

  3. After creating your Azure Sentinel destination, continue customizing it by configuring the following:

Configuring the Azure Sentinel destination: Authentication and workspace settings

This section describes configuring the authentication and workspace settings after Configuring the Azure Sentinel destination: adding a new Azure Sentinel destination.

For information about configuring the advanced message parameters of your Azure Sentinel destination, see Configuring the Azure Sentinel destination: Advanced message parameters.

For information about configuring the performance-related settings of your Azure Sentinel destination, see Configuring the Azure Sentinel destination: Performance-related settings.

To configure the authentication and workspace settings of your Azure Sentinel destination

  1. Navigate to Log > Destination > <your-sentinel-destination> > Authentication and workspace settings.

    Figure 174: Log > Destinations > <your-sentinel-destination> — Configuring the authentication and workspace settings

  2. In the Workspace id field, copy the WORKSPACE ID from your Azure Sentinel side.

    NOTE: The workspace ID is a unique hexadecimal number provided by Microsoft, with the purpose of identifying your Sentinel instance.

  3. In the Auth secret field, copy the PRIMARY KEY from your Azure Sentinel side.

    NOTE: The primary key is a Base64-encoded secret provided by Microsoft, with the purpose of identifying your application.

  4. In the Domain field, set the Azure domain of the workspace. For example: ods.opinsights.azure.com for Azure Public, or ods.opinsights.azure.us for Azure Government. For more information, see the related Microsoft documentation.

  5. (Optional) Enable Use proxy, and in the Proxy field, enter the HTTP proxy address that you want to use.

    NOTE: If you have to use a proxy, consider that only HTTP proxies are supported.

Configuring the Azure Sentinel destination: Advanced message parameters

This section describes configuring the advanced message parameters of the Azure Sentinel destination after configuring the authentication and workspace settings.

For information about adding a new Azure Sentinel destination, see Configuring the Azure Sentinel destination: adding a new Azure Sentinel destination.

For information about configuring the performance-related settings of your Azure Sentinel destination, see Configuring the Azure Sentinel destination: Performance-related settings.

To configure the advanced message parameters of your Azure Sentinel destination

  1. Navigate to Log > Destination > <your-sentinel-destination> > Advanced message parameters.

    Figure 175: Log > Destinations > <your-sentinel-destination> — Configuring the advanced message parameters

  2. To customize the message format sent to Azure Sentinel, specify the name-value pairs of the outgoing message in JSON format in the Body field.

    CAUTION: Hazard of data loss!

    Make sure that the customized message format is accepted by Azure Sentinel. For invalid messages, SSB will receive an HTTP 400 response code and messages with such a response code will be dropped.

    For more information on dropping messages with HTTP 400 response code, see Limitations.

    For more information on the $(format-json) template function, see Manipulating messages > Customizing message format using macros and templates > Template functions of syslog-ng PE in the syslog-ng PE Administration Guide.

  3. In the Log type field, enter Syslog_CL.

    NOTE: For more information about log types on the Azure Sentinel side, and how they connect to the functionalities of the syslog-ng Premium Edition (syslog-ng PE) application (and, as a result, to SSB), see Log types in the syslog-ng PE Administration Guide.
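The Workspace id, Auth secret, Domain and Log type fields described in the two procedures above correspond to the inputs of Microsoft's SharedKey signing scheme for the Log Analytics HTTP Data Collector API. The following example, added here and not taken from SSB or syslog-ng PE, implements that published scheme end to end: it validates the two credential fields without ever echoing the secret, builds the signed request for a batch of JSON name-value records, and verifies a presented signature the way the receiving side does. How SSB itself assembles the request is not shown on this page; the workspace ID and key in the demo are constructed placeholders.

```python
"""Build and verify a SharedKey-signed request for the Log Analytics HTTP Data Collector API.

Added example; it is not SSB or syslog-ng PE code. It implements the signing scheme
Microsoft publishes for the Data Collector API. The workspace ID and key used in
demo() are constructed placeholders.
"""
import base64
import binascii
import hashlib
import hmac
import json
import re
from datetime import datetime, timezone

API_PATH = "/api/logs"
API_VERSION = "2016-04-01"
# Workspace IDs are hexadecimal GUIDs; accept them with or without dashes.
WORKSPACE_ID_RE = re.compile(r"^[0-9a-fA-F]{8}(-?[0-9a-fA-F]{4}){3}-?[0-9a-fA-F]{12}$")
# Custom log type names: letters, digits and underscores, at most 100 characters.
LOG_TYPE_RE = re.compile(r"^[A-Za-z0-9_]{1,100}$")


def validate_credentials(workspace_id: str, primary_key: str) -> bytes:
    """Check both fields before first use and return the decoded key bytes.

    Error messages deliberately never include the secret itself.
    """
    if not WORKSPACE_ID_RE.match(workspace_id):
        raise ValueError("workspace id must be a hexadecimal GUID")
    try:
        key = base64.b64decode(primary_key, validate=True)
    except (binascii.Error, ValueError):
        raise ValueError("auth secret is not valid Base64") from None
    if not key:
        raise ValueError("auth secret decodes to an empty key")
    return key


def build_signature(key: bytes, rfc1123_date: str, content_length: int) -> str:
    # String-to-sign: method, body length, content type, x-ms-date header, resource path.
    string_to_sign = (
        f"POST\n{content_length}\napplication/json\n"
        f"x-ms-date:{rfc1123_date}\n{API_PATH}"
    )
    digest = hmac.new(key, string_to_sign.encode("utf-8"), hashlib.sha256).digest()
    return base64.b64encode(digest).decode("ascii")


def build_request(workspace_id, primary_key, domain, log_type, records, when=None):
    """Return (url, headers, body) for one batch of flat JSON records."""
    key = validate_credentials(workspace_id, primary_key)
    if not LOG_TYPE_RE.match(log_type):
        raise ValueError("log type may contain only letters, digits and underscores")
    # Compact JSON array: what the Body field's name-value pairs become on the wire.
    body = json.dumps(records, separators=(",", ":")).encode("utf-8")
    when = when or datetime.now(timezone.utc)
    rfc1123_date = when.strftime("%a, %d %b %Y %H:%M:%S GMT")
    signature = build_signature(key, rfc1123_date, len(body))
    headers = {
        "Content-Type": "application/json",
        "Authorization": f"SharedKey {workspace_id}:{signature}",
        "Log-Type": log_type,
        "x-ms-date": rfc1123_date,
    }
    url = f"https://{workspace_id}.{domain}{API_PATH}?api-version={API_VERSION}"
    return url, headers, body


def verify_request(primary_key: str, headers: dict, body: bytes) -> bool:
    """Recompute the signature the way the receiving side does; True only on a match."""
    scheme, _, credential = headers.get("Authorization", "").partition(" ")
    workspace_id, _, presented = credential.partition(":")
    if scheme != "SharedKey" or not workspace_id or not presented:
        return False
    try:
        key = validate_credentials(workspace_id, primary_key)
    except ValueError:
        return False
    expected = build_signature(key, headers.get("x-ms-date", ""), len(body))
    return hmac.compare_digest(expected, presented)


def demo():
    """Deterministic run on constructed placeholder values."""
    ws_id = "00000000-1111-2222-3333-444444444444"   # constructed placeholder
    key_b64 = "dGVzdA=="                               # Base64 of b"test": placeholder, not a real key
    records = [{"HOST": "srv1", "PROGRAM": "sshd", "MESSAGE": "Accepted publickey for alice"}]
    fixed = datetime(2024, 1, 1, tzinfo=timezone.utc)
    url, hdrs, body = build_request(ws_id, key_b64, "ods.opinsights.azure.com",
                                    "Syslog_CL", records, when=fixed)
    return url, hdrs, body, verify_request(key_b64, hdrs, body), verify_request(key_b64, hdrs, body + b" ")


if __name__ == "__main__":
    url, hdrs, body, ok, tampered = demo()
    print(url, hdrs["Log-Type"], ok, tampered)
```

Two details matter for defenders: the body length is part of the string-to-sign, so any change to the JSON after signing (including a single trailing byte, as the demo shows) invalidates the request, and the verifier compares signatures with `hmac.compare_digest` rather than `==` to avoid timing side channels.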

Configuring the Azure Sentinel destination: Performance-related settings

This section describes configuring the performance-related settings of the Azure Sentinel destination after configuring the authentication and workspace settings and the advanced message parameters.

For more information about adding a new Azure Sentinel destination, see Configuring the Azure Sentinel destination: adding a new Azure Sentinel destination.

To configure the performance-related settings of your Azure Sentinel destination

  1. Navigate to Log > Destination > <your-sentinel-destination> > Performance-related settings.

    Figure 176: Log > Destinations > <your-sentinel-destination> — Configuring the performance-related settings

  2. In the Number of workers field, set the number of worker threads that you want SSB to use when sending messages to the server.

    CAUTION: Hazard of data loss!

    When you use more than one worker thread with disk buffering enabled, consider that the syslog-ng PE application behind SSB creates a separate disk-buffer file for each worker thread. This means that decreasing the number of workers can result in losing the data currently stored in the disk-buffer files.

    To avoid data loss, One Identity recommends that you do not decrease the number of workers when the disk-buffer files are in use.

    NOTE: Increasing the number of worker threads can drastically improve the performance of the destination.

  3. In the Timeout field, specify how long (in seconds) SSB waits for an operation to complete. If the configured timeout is exceeded, SSB attempts to reconnect to the server.

    The default value of the Timeout setting is 0, which means that it is disabled by default.

  4. In the Batch lines field, specify how many lines you want SSB to flush to a destination in one batch.

    NOTE: SSB waits for the configured number of lines to accumulate, and when this number is reached, SSB sends the message lines to the destination in a single batch. For example, if you set Batch lines to 100, SSB waits for 100 message lines before sending them in one batch.

    NOTE: Consider the following when configuring the number of batch lines:

    • Increasing the number of batch lines increases throughput (because more messages are sent in a single batch), but also increases message latency.

    • If the Batch-timeout option is disabled, the syslog-ng PE application behind SSB flushes the messages when it has sent the number of messages specified in Batch lines, or when the queue becomes empty. If you stop or reload the syslog-ng PE application behind SSB, or, in the case of network sources, if the connection with the client is closed, the syslog-ng PE application behind SSB automatically sends the unsent messages to the destination.

    • If the Batch-timeout option is enabled and the queue becomes empty, SSB flushes the messages only if Batch timeout expires, or if the batch reaches the limit set in Batch lines.

    NOTE: Depending on your source configuration settings, your batch may not reach the Batch lines limit before your queue becomes empty, and SSB forwards your messages.

  5. In the Batch-bytes field, set the maximum size of payload in a batch (in bytes).

    NOTE: When configuring Batch-bytes, consider the following:

    • If the size of the messages reaches this value, the syslog-ng PE application behind SSB sends the batch to Azure Sentinel even if the number of messages is less than the value you configure in the Batch-bytes field.

    • If Batch-timeout is enabled and the queue becomes empty, SSB flushes the messages only if the value specified in Batch-timeout expires, or if the message batch reaches the limit set in the Batch-bytes field.

  6. (Optional) Select Batch-timeout, and in the Batch-timeout value field, specify the time SSB waits for Batch lines to accumulate in the output buffer.

    SSB sends batches to the destinations evenly. The timer starts when the first message arrives in the buffer, so if only a few messages arrive, SSB sends messages to the destination at most once every Batch-timeout milliseconds.
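The notes on Batch lines, Batch-bytes and Batch-timeout above describe three interacting flush conditions. The following simulation, added here and not SSB or syslog-ng PE code, models those rules as stated (flush on the line limit, on the byte limit even when fewer lines are queued, on queue drain only when Batch-timeout is disabled, and on timer expiry when it is enabled) and runs three constructed scenarios with explicit timestamps, so the effect of each setting on latency and batch size can be observed offline before touching a production destination.

```python
"""Model of the Batch lines / Batch-bytes / Batch-timeout flush rules described above.

Added example, not SSB or syslog-ng PE code: a small simulation of the flush
conditions the notes list. The message text and timestamps are constructed.
"""
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample line; only its length matters for the Batch-bytes rule.
SAMPLE_MESSAGE = b"<13>1 2024-01-01T00:00:00Z host app - - - constructed test line"


@dataclass
class Batcher:
    batch_lines: int
    batch_bytes: int
    batch_timeout_ms: Optional[int] = None   # None models Batch-timeout disabled
    queue: List[bytes] = field(default_factory=list)
    first_at_ms: Optional[int] = None        # timer starts with the first queued message
    flushed: List[dict] = field(default_factory=list)

    def _flush(self, now_ms: int, reason: str) -> None:
        if not self.queue:
            return
        self.flushed.append({
            "at": now_ms, "reason": reason,
            "lines": len(self.queue), "bytes": sum(len(m) for m in self.queue),
        })
        self.queue, self.first_at_ms = [], None

    def tick(self, now_ms: int) -> None:
        """Timer check: with Batch-timeout enabled, send what is queued once it expires."""
        if (self.batch_timeout_ms is not None and self.first_at_ms is not None
                and now_ms - self.first_at_ms >= self.batch_timeout_ms):
            self._flush(now_ms, "timeout")

    def offer(self, msg: bytes, now_ms: int) -> None:
        """Queue one message, then apply the size-based flush rules."""
        self.tick(now_ms)
        if not self.queue:
            self.first_at_ms = now_ms
        self.queue.append(msg)
        if len(self.queue) >= self.batch_lines:
            self._flush(now_ms, "lines")
        elif sum(len(m) for m in self.queue) >= self.batch_bytes:
            self._flush(now_ms, "bytes")   # sent even though Batch lines was not reached

    def queue_empty(self, now_ms: int) -> None:
        """Source queue drained: flush immediately only when Batch-timeout is disabled."""
        if self.batch_timeout_ms is None:
            self._flush(now_ms, "queue-empty")

    def shutdown(self, now_ms: int) -> None:
        """Stop or reload: unsent messages are always sent."""
        self._flush(now_ms, "shutdown")


def run_scenarios() -> dict:
    """Three constructed scenarios, one per setting; returns the flush records of each."""
    msg = SAMPLE_MESSAGE

    # 1. Batch lines reached; then the queue drains with Batch-timeout disabled.
    by_lines = Batcher(batch_lines=3, batch_bytes=10_000)
    for t in (0, 10, 20, 30):
        by_lines.offer(msg, t)
    by_lines.queue_empty(30)

    # 2. Batch-bytes reached first: two messages stay under 150 bytes, the third crosses it.
    by_bytes = Batcher(batch_lines=100, batch_bytes=150)
    for t in (0, 10, 20):
        by_bytes.offer(msg, t)

    # 3. Batch-timeout enabled: a drained queue waits for the timer, not for Batch lines.
    by_timeout = Batcher(batch_lines=100, batch_bytes=10_000, batch_timeout_ms=500)
    by_timeout.offer(msg, 0)
    by_timeout.offer(msg, 100)
    by_timeout.queue_empty(100)   # nothing sent yet
    by_timeout.tick(400)          # still waiting
    by_timeout.tick(500)          # timer expired: the batch of 2 goes out

    return {"lines": by_lines.flushed, "bytes": by_bytes.flushed, "timeout": by_timeout.flushed}


if __name__ == "__main__":
    for name, flushes in run_scenarios().items():
        print(name, flushes)
```

Scenario 3 is the one worth trying with your own numbers: with Batch-timeout enabled, a trickle of messages is held for up to the full timeout, which is the latency cost the first note describes, while with it disabled the same trickle leaves as soon as the queue drains.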
