Chat now with support

Get Live Help
Complete Registration

Sign In

Request Pricing

Contact Sales

syslog-ng Store Box 6.10.0 - Administration Guide

Table of Contents

Preface Introduction

What SSB is What SSB is not Why is SSB needed Who uses SSB

The concepts of SSB

The philosophy of SSB Collecting logs with SSB Managing incoming and outgoing messages with flow-control Receiving logs from a secure channel Advanced Log Transfer Protocol Network interfaces High Availability support in SSB Firmware in SSB

Firmware and high availability

Versions and releases of SSB Licensing model and modes of operation

Notes about counting the licensed hosts

Licensing benefits License types

Perpetual license Subscription-based license

Licensing examples The structure of a log message

BSD-syslog or legacy-syslog messages

The PRI message part The HEADER message part The MSG message part

IETF-syslog messages

The PRI message part The HEADER message part The STRUCTURED-DATA message part The MSG message part

The Welcome Wizard and the first login

The initial connection to SSB

Creating an alias IP address (Microsoft Windows) Creating an alias IP address (Linux) Modifying the IP address of SSB

Configuring SSB with the Welcome Wizard

Configuring SSB as a standalone unit, or as the primary node of a HA cluster Configuring your SSB unit as the secondary node of a HA cluster

Supported web browsers The structure of the web interface

Elements of the main workspace Multiple web users and locking Web interface and RPC API settings

Network settings

Configuring the external interface Configuring the management interface Configuring the routing table

Date and time configuration

Configuring a time (NTP) server

SNMP and e-mail alerts

Configuring e-mail alerts Configuring SNMP alerts Querying SSB status information using agents View node ID and community

Configuring system monitoring on SSB

Configuring SNMP agent settings Health monitoring Preventing disk space fill up Configuring message rate alerting System related traps Alerts related to syslog-ng

Data and configuration backups

Creating a backup policy using Rsync over SSH Creating a backup policy using SMB/CIFS Creating a backup policy using NFS Creating configuration backups Creating data backups Encrypting configuration backups with GPG

Archiving and cleanup

Creating a cleanup policy Creating an archive policy using SMB/CIFS Creating an archive policy using NFS Archiving or cleaning up the collected data

User management and access control

Managing SSB users locally

Creating local users in SSB Deleting a local user from SSB

Setting password policies for local users Managing local usergroups Managing SSB users from an LDAP database Authenticating users to a RADIUS server Authenticating users via OpenID Connect Managing user rights and usergroups

Assigning privileges to usergroups for the SSB web interface Modifying group privileges Finding specific usergroups How to use usergroups Built-in usergroups of SSB

Listing and searching configuration changes

Controlling SSB: restart, shutdown Managing a high availability SSB cluster

Adjusting the synchronization speed Asynchronous data replication Redundant heartbeat interfaces Next-hop router monitoring

Upgrade checklist Upgrading SSB Upgrading an SSB cluster Troubleshooting Updating the SSB license Monthly license host usage report Exporting the configuration of SSB Importing the configuration of SSB

Accessing the SSB console

Using the console menu of SSB Enabling SSH access to the SSB host Changing the root password of SSB

Disabling sealed mode

Out-of-band management of SSB

Configuring the IPMI interface from the console Configuring the IPMI interface from the BIOS

Managing the certificates used on SSB

Generating certificates for SSB Uploading external certificates to SSB Generating TSA certificate with Windows Certificate Authority on Windows Server 2008 Generating TSA certificate with Windows Certificate Authority on Windows Server 2012

Creating hostlist policies

Creating hostlists Importing hostlists from files

Configuring message sources

Default message sources in SSB Creating new message sources in SSB

Configuring your own, customized Syslog type message source

Configuring the Listening address and Listening port for your Syslog type message source Configuring the Transport options for your Syslog type message source Configuring the Hostname and timestamp-related settings for your Syslog type message source Configuring the Monitoring settings for your Syslog type message source Customizing encoding for your Syslog type message source

Configuring your own, customized SQL type message source

Setting up and testing the SQL database connection of your SQL type message source Customizing fetching messages when using your SQL type message source

Customizing the fetch query for your SQL type message source Customizing the fetch history settings for your SQL type message source

Configuring the fetching frequency settings for your SQL type message source Configuring the Monitoring settings for your SQL type message source

Receiving SNMP messages

Storing messages on SSB

Using logstores

Creating logstores Configuring the indexer service Viewing encrypted logs with logcat

Creating text logspaces Managing logspaces

Managing logspaces - Archive and backup logspaces Assigning the SSB logspace of your choice to a custom cloud service provider data disk

Creating filtered logspaces Creating remote logspaces Creating multiple logspaces Accessing log files across the network

Sharing log files in standalone mode Sharing log files in Domain mode Accessing shared files

Managing custom cloud service provider data disks for your logspaces in SSB

Possible use cases and scenarios for using custom cloud service provider data disks with SSB Adding a new custom cloud service provider data disk to your SSB configuration

Adding a new custom cloud service provider data disk on the cloud service provider side

Adding a new Microsoft Azure-managed disk as a custom cloud service provider data disk on the Microsoft Azure Portal side Adding an additional disk in VMware ESXi as a custom cloud service provider data disk on the vSphere Client side

Adding a new custom cloud service provider data disk to your SSB configuration on the SSB side

Data disk information for your custom cloud service provider data disks

Removing a custom cloud service provider data disk from your SSB configuration Increasing the size of a custom cloud service provider data disk that you use in your SSB configuration

Forwarding messages from SSB

Forwarding log messages to SQL databases SQL templates in SSB

The Legacy template The Full template The Custom template

Forwarding log messages to remote servers Forwarding log messages to the Microsoft Azure Sentinel cloud

Prerequisites Limitations Configuring the Azure Sentinel destination: adding a new Azure Sentinel destination

Configuring the Azure Sentinel destination: Authentication and workspace settings Configuring the Azure Sentinel destination: Advanced message parameters Configuring the Azure Sentinel destination: Performance-related settings

Forwarding log messages to Google Pub/Sub

Prerequisites Limitations Configuring the Google Pub/Sub destination: adding a new Google Pub/Sub destination

Configuring the Google Pub/Sub destination: Authentication and workspace settings Configuring the Google Pub/Sub destination: Advanced message parameters Configuring the Google Pub/Sub destination: Performance-related settings

Forwarding log messages to Splunk

Prerequisites Limitations Transport settings for the Splunk destination HTTP connection settings HTTPS connection settings JSON message body Performance-related settings

Forwarding log messages to HDFS destinations

Configuring a Kerberos policy Configuring the HDFS cluster Configuring an HDFS destination

Log paths: routing and processing messages

Default logpaths in SSB Creating new log paths Filtering messages Replace message parts or create new macros with rewrite rules Find and replace the text of the log message Parsing sudo log messages Parsing key-value pairs

Configuring syslog-ng options

General syslog-ng settings Time stamping configuration on SSB Using name resolution on SSB Setting the certificates used in TLS-encrypted log transport

Searching log messages

Using the search interface

Customizing columns of the log message search interface Metadata collected about log messages Using complex search queries

Browsing encrypted logspaces

Using persistent decryption keys Using session-only decryption keys Assigning decryption keys to a logstore

Creating custom statistics from log data

Displaying log statistics Creating reports from custom statistics

Creating content-based alerts

Setting up alerts on the search interface Setting up alerts on the Search > Content-Based Alerts page Format of alert messages

Additional tools

Searching the internal messages of SSB

Using the internal search interfaces

Filtering Exporting the results Customizing columns of the internal search interfaces

Changelogs of SSB Configuration changes of syslog-ng peers Log message alerts Notifications on archiving and backups Status history and statistics

Displaying custom syslog-ng statistics Statistics collection options

Contents of the default reports Generating partial reports Configuring custom reports

Classifying messages with pattern databases

The structure of the pattern database How pattern matching works Searching for rulesets Creating new rulesets and rules Exporting databases and rulesets Importing pattern databases Using pattern parsers Using parser results in filters and templates Using the values of pattern parsers in filters and templates

The SSB RPC API

Requirements for using the RPC API RPC client requirements Documentation of the RPC API

Monitoring SSB's disk Monitoring SSB's memory Monitoring SSB's CPU

Monitoring CPU load Monitoring CPU load averages Monitoring CPU usage

Monitoring SSB's I/O Monitoring SSB statistics Monitoring the HA cluster Monitoring hardware RAID

StorCLI's PD LIST (Physical Drive) StorCLI's Drive State StorCLI's VD LIST (Virtual Drive)

Monitoring software RAID Monitoring web server, root CA and TSA certificates

Troubleshooting SSB

Locating the SSB appliance in the server room Network troubleshooting Gathering data about system problems Viewing logs on SSB Collecting logs and system information for error reporting Troubleshooting an SSB cluster

Understanding SSB cluster statuses Recovering SSB if both nodes broke down Recovering from a split brain situation Replacing a node in an SSB HA cluster Resolving an IP conflict between cluster nodes

Restoring SSB configuration and data Configuring the IPMI interface from the BIOS after losing IPMI password Incomplete TSA response received Correct Alerting & Monitoring and Management group privilege mismatch

Security checklist for configuring SSB Glossary

Creating content-based alerts

Searching log messages > Creating content-based alerts

The syslog-ng Store Box(SSB) appliance can create content-based alerts about log messages based on specific search expressions. Search queries are run every few seconds and an alert is triggered whenever a match between the contents of a log message and a search expression is found. Alerts are collected and sent to a pre-defined email address (or email addresses).

Some log messages might have particular significance and therefore getting notifications about those can often be more efficient than searching for them manually.

You can set up or modify alerts for local logspaces or those logspaces to which you have the relevant privileges, meaning that:

Either the relevant user group has been assigned read and write/perform access to the Search > Logs object on the AAA > Access Control page.
Or the user group has been added under the Access control option of the relevant logspace on the Log > Logspaces page.

There are two ways to create alerts, using the search interface or the Search > Content-Based Alerts page:

For details on how to set up alerts on the search interface, see Setting up alerts on the search interface.
For details on how to set up alerts on the Search > Content-Based Alerts page, see Setting up alerts on the Search > Content-Based Alerts page.

NOTE: Content-based alerting is currently not available for filtered, multiple, and remote logspaces.

NOTE: In the case of encrypted logspaces, no decryption key is required for content-based alerting to work. SSB has access to the log messages while processing them, and the indexer and content-based alerting services run before encryption happens.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating

© 2024 One Identity LLC. ALL RIGHTS RESERVED. Feedback Terms of Use Privacy Cookie Preference Center