
syslog-ng Store Box 6.3.0 - Administration Guide


Documentation of the RPC API

The documentation of the syslog-ng Store Box (SSB) RPC API is available online from the following URL: https://<ip-address-of-SSB>/api/4/documentation. This documentation contains the detailed description of public calls, with examples. For a quickstart guide, see RPC API Quickstart Guide.

Monitoring SSB

This section describes monitoring syslog-ng Store Box (SSB).

If you intend to monitor SSB, the general rules of monitoring an Ubuntu system apply.

Depending on your monitoring tool, check out the available SNMP templates related to your system, and use those to monitor the general parts of SSB.


Caution:

Do not install any monitoring agent on the SSB appliance. Any alteration to the system is unsupported.

For details on receiving e-mail alerts or SNMP traps on health- and system-related issues, see Configuring system monitoring on SSB.

For details on SNMP communities, see View node ID and community.

Monitoring SSB's disk

SNMP object: HOST-RESOURCES-MIB::hrStorageTable

Community (v2c) / Context (v3): Data and system

This section describes monitoring the disk usage of syslog-ng Store Box (SSB). Disk usage is measured per mountpoint (that is, partition).

Data partition

Mountpoint: /mnt/firmware
Partition: data partition
Community: <community-of-extended-node> (Basic Settings > Monitoring > SNMP agent settings > Community)
Context: "" (empty string)

Free disk space that can be acquired by your main production system (for example, logspaces).

To make sure that you have the free disk space you are comfortable with, monitor the free disk space. This partition can fill up with, for example, the following:

  • received logs

  • generated reports

  • collected statistics

  • core dumps

If you cannot keep your free disk space within the range you are comfortable with (using scheduled cleanups), you probably need to purchase more SSB appliances. For assistance, contact our Support Team.

NOTE:

If you have configured Basic Settings > Management > Disk space fill up prevention, be aware that SSB will stop receiving logs after reaching the configured threshold. By default, clients are disconnected when disks are 90 percent full. For details, see Preventing disk space fill up.

For which systems and configurations is it applicable? Applicable for all configurations and systems.
Value change frequency: The file system's available space is continuously decreasing, depending on logspaces, reports, statistics, and core files.
Related issues and issue indicators: The monitored values may indicate that the used storage space has reached the level configured under Basic Settings > Management > Disk space fill up prevention. In this case, archiving starts (if archiving is configured), and incoming logs are rejected. Note that if the disk fill up prevention level is reached too often and too soon, it indicates a serious issue.

Caution:

Hazard of data loss: If the used storage space of the file system under /mnt/firmware exceeds the allowed rate configured under Basic Settings > Management > Disk space fill up prevention, SSB will stop receiving log messages. To avoid data loss, archive your logs or store them in some other way (for example, forward your log messages to different logstores). Alternatively, reconsider your configuration settings, or consider upgrading the capacity of your SSB appliance or purchasing more SSB appliances.

Solution:

System partition

Mountpoint: /initrd/mnt
Partition: system partition (if SSB is in HA mode, the system firmware partition of both nodes)
Community: <id-of-the-node>
Context: <id-of-the-node>

The space on this mountpoint is required only by the system. Generally, this is independent of how you use SSB. The only important thing here is to have some free space on the mountpoint.

Make sure that you have some free space on this mountpoint. As a recommended threshold, set a trigger to 80% in your monitoring system. If there is only about 20% free space left on this mountpoint, contact our Support Team.

NOTE:

Monitoring the size of specific logspaces is not possible this way. If you are interested in the size of a specific logspace, you can configure a size limit alert for that logspace on the SSB web interface. For details on configuring a disk size alert for a specific logspace, see Creating logstores.

For which systems and configurations is it applicable? Applicable for all configurations and systems.
Value change frequency: The available storage space is not supposed to decrease significantly.
Related issues and issue indicators: The monitored values may indicate that the system is out of storage space, or that the available storage space is running very low.

Caution:

Hazard of data loss: If the used storage space of the file system under /mnt/firmware exceeds the allowed rate configured under Basic Settings > Management > Disk space fill up prevention, SSB will stop receiving log messages. To avoid data loss, archive your logs or store them in some other way (for example, forward your log messages to different logstores). Alternatively, reconsider your configuration settings, or consider upgrading the capacity of your SSB appliance or purchasing more SSB appliances.

Solution:

If you encounter an issue related to the file system under /initrd/mnt, contact our Support Team.

Monitoring SSB's memory

Swap usage

SNMP object:
  • UCD-SNMP-MIB::memTotalSwap
  • UCD-SNMP-MIB::memAvailSwap

Community (v2c) / Context (v3): Data and system

The syslog-ng Store Box (SSB) application uses swap (except on Azure) as part of its normal operation.

You can receive swap usage alerts by configuring an alert on Basic Settings > Alerting. For details, see Configuring system monitoring on SSB.

For which systems and configurations is it applicable? Applicable for all configurations and systems.
Value change frequency: Its value is continuously changing.
Related issues and issue indicators: If the computed returned value is close to 0, memory usage is too high.

Solution:

  • Decrease load.
  • Purchase a new SSB appliance.

Memory usage

SNMP object:
  • UCD-SNMP-MIB::memTotalReal
  • UCD-SNMP-MIB::memAvailReal

Community (v2c) / Context (v3): Data and system

If SSB's memory and swap usage are both above 90%, fine-tune your configuration or purchase more SSB appliances to balance the load. For assistance, contact our Support Team.

For which systems and configurations is it applicable? Applicable for all configurations and systems.
Value change frequency: Its value is continuously changing.
Related issues and issue indicators: If the computed returned value is close to 0, memory usage is too high.

Solution:

  • Decrease load.
  • Purchase a new SSB appliance.
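
The disk and memory checks described above can be evaluated on the monitoring host from SNMP poll results. The following is an added example, not part of the original guide or of SSB: it parses net-snmp snmpwalk text output and applies the percentages mentioned on this page. The sample output, the storage indexes and the function names are constructed, and using the 90% fill-up prevention default as the data partition trigger is an assumption.

```python
import re

# Constructed sample in net-snmp snmpwalk text format (not captured from a real SSB).
SAMPLE = """\
HOST-RESOURCES-MIB::hrStorageDescr.31 = STRING: /mnt/firmware
HOST-RESOURCES-MIB::hrStorageDescr.32 = STRING: /initrd/mnt
HOST-RESOURCES-MIB::hrStorageSize.31 = INTEGER: 1000000
HOST-RESOURCES-MIB::hrStorageSize.32 = INTEGER: 500000
HOST-RESOURCES-MIB::hrStorageUsed.31 = INTEGER: 920000
HOST-RESOURCES-MIB::hrStorageUsed.32 = INTEGER: 150000
UCD-SNMP-MIB::memTotalReal.0 = INTEGER: 8000000 kB
UCD-SNMP-MIB::memAvailReal.0 = INTEGER: 400000 kB
UCD-SNMP-MIB::memTotalSwap.0 = INTEGER: 4000000 kB
UCD-SNMP-MIB::memAvailSwap.0 = INTEGER: 200000 kB
"""
LINE = re.compile(r"^[\w-]+::(\w+)\.(\d+) = \w+: (.+)$")
# Page values: 90% default fill-up prevention level, 80% system partition trigger.
DISK_LIMITS = {"/mnt/firmware": 90.0, "/initrd/mnt": 80.0}
MEM_LIMIT = 90.0  # page: act when memory and swap usage are both above 90%

def parse(text):
    """Return {object: {index: value}} from snmpwalk text output."""
    table = {}
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if m:
            table.setdefault(m.group(1), {})[int(m.group(2))] = m.group(3)
    return table

def num(value):
    return int(value.split()[0])  # drops a trailing unit such as "kB"

def pct(part, total):
    return 100.0 * part / total if total else 0.0  # total 0: e.g. no swap on Azure

def evaluate(text):
    """Return (usage percentages, alert strings) for the objects on this page."""
    t, usage, alerts = parse(text), {}, []
    for idx, mount in t.get("hrStorageDescr", {}).items():
        if mount in DISK_LIMITS:
            # Size and Used share the same allocation unit, so it cancels out.
            usage[mount] = pct(num(t["hrStorageUsed"][idx]), num(t["hrStorageSize"][idx]))
            if usage[mount] >= DISK_LIMITS[mount]:
                alerts.append(f"disk {mount} at {usage[mount]:.1f}%")
    for name, kind in (("memory", "Real"), ("swap", "Swap")):
        total, avail = num(t[f"memTotal{kind}"][0]), num(t[f"memAvail{kind}"][0])
        usage[name] = pct(total - avail, total)
    if usage["memory"] > MEM_LIMIT and usage["swap"] > MEM_LIMIT:
        alerts.append("memory and swap both above 90%")
    return usage, alerts
```

Because the data and system partitions are read with different community or context values, concatenate the output of both polls before passing it to evaluate().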