syslog-ng Store Box 6.3.0 - Administration Guide

Using persistent decryption keys

You can upload decryption keys and bind them to your account. The decryption keys are stored on syslog-ng Store Box (SSB), but they are made available only to this user account, and can also be protected (encrypted) with a passphrase.

To use persistent decryption keys

  1. Select User menu > Private keystore. A pop-up window is displayed.

  2. Select Permanent > , then select Certificate > . A pop-up window is displayed.

    Figure 147: User menu > Private keystore — Adding decryption keys to the private keystore

  3. Paste or upload the certificate used to encrypt the logstore.

  4. Select Key > . A pop-up window is displayed.

  5. Paste or upload the private key of the certificate used to encrypt the logstore.

  6. Repeat Steps 2-5 to upload additional keys if needed.

  7. Select Security passphrase > Change, and enter a passphrase to protect the private keys.

    Figure 148: User menu > Private keystore — Securing the private keystore with a passphrase

  8. Click Apply.

Using session-only decryption keys

You can upload decryption keys to browse encrypted logspaces for the duration of the session only. These keys are automatically deleted when you log out from syslog-ng Store Box (SSB).

To use session-only decryption keys

  1. Select User menu > Private keystore. A pop-up window is displayed.

  2. Select Temporary > , then select Certificate > . A pop-up window is displayed.

    Figure 149: User menu > Private keystore — Adding decryption keys to the private keystore

  3. Paste or upload the certificate used to encrypt the logstore.

  4. Select Key > . A pop-up window is displayed.

  5. Paste or upload the private key of the certificate used to encrypt the logstore.

  6. Repeat Steps 2-5 to upload additional keys if needed.

  7. Click Apply.

Assigning decryption keys to a logstore

You can add a private key (or set of keys) to a logstore, and use these keys to decrypt the logstore files. This way, anyone who has the right to search a particular logspace can search the messages. These decryption keys are stored unencrypted in the syslog-ng Store Box (SSB) configuration file.

As this may raise security concerns, avoid this solution unless absolutely necessary.

To assign decryption keys to a logstore

  1. Navigate to Log > Logspaces and select the encrypted logspace you want to make searchable for every user via the SSB web interface.

  2. Select Decryption private keys > . A pop-up window is displayed.

    Figure 150: Log > Logspaces — Adding decryption keys to a logstore

  3. Paste or upload the private key of the certificate used to encrypt the logstore.

  4. Repeat Steps 2-3 to upload additional keys if needed.

    An additional key is needed when the certificate used to encrypt a logstore expires. When this happens, you have to upload a new certificate. However, to be able to read the logstore encrypted with the old (expired) certificate(s), you need to keep the old encryption key(s) with the new one.

  5. Click Commit.
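
Before uploading keys in any of the procedures above, you can confirm on your workstation that a private key really belongs to the certificate used to encrypt the logstore, and whether that certificate has expired (the case described in Step 4). The following is an added example, not part of the One Identity documentation; it assumes the openssl command-line tool, PEM-encoded files and a key file without a passphrase, and all function names are hypothetical.

```bash
#!/usr/bin/env bash
# Added example: pre-upload checks for a logstore certificate / private key pair.
# Assumptions: openssl CLI, PEM files, key file not passphrase-protected.
# All function names are hypothetical helpers, not SSB or syslog-ng commands.

# SHA-256 of a PEM public key read from stdin (hashed in DER form).
_pub_digest() {
    openssl pkey -pubin -outform DER 2>/dev/null | openssl dgst -sha256 -r | cut -d' ' -f1
}

# Digest of the public key embedded in a certificate.
cert_pubkey_digest() {
    local pub
    pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    printf '%s\n' "$pub" | _pub_digest
}

# Digest of the public key derived from a private key.
key_pubkey_digest() {
    local pub
    pub=$(openssl pkey -in "$1" -pubout 2>/dev/null) || return 1
    printf '%s\n' "$pub" | _pub_digest
}

# Succeeds only if KEY is the private key of CERT. Unreadable input never matches.
key_matches_cert() {  # usage: key_matches_cert CERT KEY
    local c k
    c=$(cert_pubkey_digest "$1") || return 2
    k=$(key_pubkey_digest "$2") || return 2
    [ -n "$c" ] && [ "$c" = "$k" ]
}

# Succeeds if CERT is still within its validity period SECONDS from now (default: now).
cert_valid_for() {  # usage: cert_valid_for CERT [SECONDS]
    openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null 2>&1
}

# Constructed sample input: a throwaway self-signed pair valid for one day.
make_demo_pair() {  # usage: make_demo_pair CERT_OUT KEY_OUT
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=constructed-logstore-demo" -out "$1" -keyout "$2" >/dev/null 2>&1
}

# Command-line use: script CERT KEY
if [ "$#" -eq 2 ]; then
    key_matches_cert "$1" "$2" && echo "key matches certificate" || echo "MISMATCH or unreadable input"
    cert_valid_for "$1" && echo "certificate is within its validity period" \
        || echo "certificate expired: keep its key for old logstore files"
fi
```

Run the check on the machine where the key already resides, so that the private key is not copied to another host just to be verified.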

Creating custom statistics from log data

The syslog-ng Store Box (SSB) application can create statistics from the Facility, Priority, Program, Pid, Host, Tags, and .classifier.class columns. Use Customize columns to add the required column, if necessary.

NOTE:

The .classifier.class data is the class assigned to the message when a pattern database is used. For details, see "Classifying messages with pattern databases" in the Administration Guide. The pattern databases provided by One Identity currently use the following message classes by default: system, security, violation, or unknown.

You can display statistics on the web interface, export the related data as CSV, and also save the statistics to include in a report.
