This section describes how to forward messages from syslog-ng Store Box(SSB) to a remote server.
To forward messages from SSB to a remote server
Navigate to Log > Destinations and select to create a new remote destination.
Select Remote host.
Figure 119: Log > Destinations — Creating server destinations
Enter the IP address or hostname of the remote server into the Address field. Enter the port where the server is accepting syslog messages into the Port field.
Note that the Address and Port pair must be unique for each remote destination.
Select the network protocol used to transfer the log messages from the Transport field. The UDP, TCP, and the encrypted TLS protocols are available. The UDP and TLS protocols have additional parameters.
When forwarding messages using UDP, the remote host will see the messages as if they originated from SSB. Select the Spoof source address option to make them seem to originate from their original sender.
When using the Spoof source address option, SSB automatically truncates long messages to 1024 bytes, regardless of the Log > Options > Message size setting.
For TLS, select a method to verify the identity of the remote host. The following options are available:
None: Do not request a certificate from the remote host, and accept any certificate if the host sends one.
Optional trusted: If the remote host sends a certificate, SSB checks if it is valid (not expired) and that the Common Name of the certificate contains the domain name or the IP address of the host. If these checks fail, SSB rejects the connection. However, SSB accepts the connection if the host does not send a certificate.
Optional untrusted: Accept any certificate shown by the remote host. Note that the host must show a certificate.
Required trusted (default setting): Verify the certificate of the remote host. Only valid certificates signed by a trusted certificate authority are accepted. See Uploading external certificates to SSB for details on importing CA certificates. Note that the Common Name of the certificate must contain the domain name or the IP address of the host.
Required untrusted: SSB requests a certificate from the remote host, and rejects the connection if no certificate is received. However, SSB accepts the connection if:
the certificate is not valid (expired), or
the Common Name of the certificate does not contain the domain name or the IP address of the host.
Consult the documentation of the remote server application to determine which protocols are supported.
UDP is a highly unreliable protocol and a high amount of messages may be lost without notice during the transfer. Use TCP or TLS instead whenever possible.
Select the syslog protocol to use from the Syslog protocol field.
To use the legacy BSD-syslog protocol described in RFC 3164, select Legacy and specify the message template to use. Select Legacy to use the message format described in the RFC, or ISO date to replace the original timestamp with an ISO8061 compliant timestamp that includes year and timezone information. To customize the format of the message contents using macros, select Custom message part only, or Custom on-wire message to completely reformat the message (including the headers). For details on using macros, see The syslog-ng Premium Edition 7.0.14 Administrator Guide. If you have no special requirements, use the ISO date template.
Use the new IETF-syslog protocol. Note that most syslog applications and devices currently support only the legacy protocol. Consult the documentation of the remote server application to determine which protocols are supported. If you need, you can customize the contents of the message using macros. Note that for the IETF-syslog protocol, the header cannot be customized. For details on using macros, see The syslog-ng Premium Edition 7.0.14 Administrator Guide.
If SSB would send several messages with identical content to the destination, it can send only a single message and a line Last message repeated n times.. Enter the number of seconds to wait for identical messages into the Suppress timeout field. This option corresponds to the suppress() parameter of syslog-ng.
To limit the maximum number of messages sent to the destination per second, enter the maximum number of messages into the Message throttle field. Use this output-rate-limiting functionality only when using disk-buffer as well to avoid the risk of losing messages. Specifying 0 or a lower value sets the output limit to unlimited. This option corresponds to the throttle() parameter of syslog-ng.
The timestamps of most log messages is accurate only to the second. The syslog-ng Store Box(SSB) application can include more accurate timestamps: set how many digits should be included in the Timestamp fractions of a second field. This option corresponds to the frac_digits() parameter of syslog-ng.
If the server and SSB are located in a different timezone and you use the Legacy message template (which does not include timezone information), select the timezone of the server from the Timezone field.
Set the size of the disk buffer (in Megabytes) in the Output disk buffer field. If the remote server becomes unavailable, SSB will buffer messages to the hard disk, and continue sending the messages when the remote server becomes available. This option corresponds to the log_disk_fifo_size() parameter of syslog-ng.
Note that SSB does not pre-allocate the hard disk required for the disk buffer, so make sure that the required disk space is available on SSB. For details on creating archiving policies and adjusting the disk-fillup prevention, see Archiving and cleanup and Preventing disk space fill up.
The size of the disk buffer you need depends on the rate of the incoming messages, the size of the messages, and the length of the network outage that you want to cover. For example:
SSB is receiving 15000 messages per second
On the average, one message is 250 bytes long
You estimate that the longest time the destination will be unavailable is 4 hours
In this case, you need a disk buffer for 250 [bytes] * 15000 [messages per second] * 4*60*60 [seconds] = 54000000000 [bytes], which is 54000 Megabytes (in other words, a bit over 50 GB).
To start sending messages to the destination, include the new destination in a logpath. For details, see Log paths: routing and processing messages.
You can forward log messages from syslog-ng Store Box(SSB) to Hadoop Distributed File System (HDFS) servers, allowing you to store your log data on a distributed, scalable file system. This is especially useful if you have huge amounts of log messages that would be difficult to store otherwise, or if you want to process your messages using Hadoop tools.
Forwarding log messages from SSB to an HDFS destination comprises the following steps:
The syslog-ng Store Box(SSB) application authenticates to the HDFS cluster through a trusted third party, a Kerberos server. Once SSB has been granted a ticket by Kerberos, it is then able to write data to the HDFS servers.
To configure a Kerberos policy
Navigate to Policies > Kerberos and select to create a new policy.
In the Default realm field, enter the name of the Kerberos realm where your SSB resides.
If you have to specify the address of the Key Distribution Center (KDC) server, click first, and then enter the FQDN or IP address of the KDC server that is issuing tickets within your Kerberos realm.
If your DNS server is configured to map Kerberos realms to KDC hostnames, you do not need to specify KDC servers here.
Add a Kerberos principal policy. First, select under Kerberos principals.
Upload the keytab file that contains keys for your principal.
This is the principal that has write access to the HDFS cluster.
The keytab file was provided to you by the Kerberos administrator, and it contains the encrypted key required to authenticate your principal to Kerberos.
Select your principal from the Principal list.
The keytab file you have uploaded may contain keys for several principals. This list displays all the principals with keys in the uploaded keytab file.
Figure 120: Policies > Kerberos — Configuring a Kerberos policy
The following describes how to configure settings related to the HDFS cluster where you want to forward logs.
To configure settings related to the HDFS cluster where you want to forward logs
Navigate to Policies > HDFS Cluster and select Enabled.
Select the Kerberos principal policy configured previously (for details, see Configuring a Kerberos policy).
Upload the Core site XML file of your HDFS cluster. You may have to ask for this file from your HDFS cluster administrator.
Upload the HDFS site XML file of your HDFS cluster. You may have to ask for this file from your HDFS cluster administrator.
The version number of the Hadoop library archive is displayed.
Figure 121: Policies > HDFS Cluster — Configuring the HDFS cluster