Chat now with support
Chat with Support

syslog-ng Store Box 6.9.0 - Administration Guide

Preface Introduction The concepts of SSB The Welcome Wizard and the first login Basic settings User management and access control Managing SSB Configuring message sources Storing messages on SSB Forwarding messages from SSB Log paths: routing and processing messages Configuring syslog-ng options Searching log messages Searching the internal messages of SSB Classifying messages with pattern databases The SSB RPC API Monitoring SSB Troubleshooting SSB Security checklist for configuring SSB Glossary

Forwarding log messages to Splunk

This section describes how to forward messages from syslog-ng Store Box (SSB) to Splunk.

From version 6.6.0, SSB uses the syslog-ng Premium Edition (syslog-ng PE) application's support to post messages to a Splunk deployment in JSON format, using the HTTP Event Collector (HEC) over HTTP and Secure HTTP (HTTPS).

For further details about how the application forwards messages to Splunk, see splunk-hec: Sending messages to Splunk HTTP Event Collector in the syslog-ng PE Administration Guide.


This section describes the prerequisites for forwarding messages from syslog-ng Store Box (SSB) to Splunk.

  • On your Splunk deployment
    • You must enable HTTP Event Collector (HEC).

    • You must create a token for SSB.

      NOTE: One Identity recommends that you use the default syslog source type for the token.

    For details about enabling HEC and creating a token on your Splunk deployment, see Set up and use HTTP Event Collector in Splunk Web.

  • On the SSB appliance
    • If you want to use Peer verification for your Splunk destination, consider that the CA certificate must be added under Log > Options > TLS settings before you enable Peer verification under Log > Destination > <your-splunk-destination> > Transport > HTTPS connection settings > Verification.


This section describes the limitations for forwarding messages from syslog-ng Store Box (SSB) to Splunk.

  • Messages with HTTP 400 response code will be dropped

    If the message sent to Splunk is invalid, Splunk will reply with an HTTP 400 response code.

    The message can be invalid for either of these reasons:

    • A required argument is missing from the message.

    • The message size exceeds limits.

    • The message itself has an invalid format.

    In these cases, SSB cannot successfully send the messages to Splunk. These messages would prevent SSB from sending further messages to the messaging service, therefore SSB must drop them.

  • IP address limitation

    IPv6 addresses are not supported as HTTP Event Collector (HEC) URLs.

  • Proxy type limitations

    Only HTTP proxy types are supported.

  • Authenticated proxy types are not supported.

  • Batch-bytes unit of measurement limitation

    When configuring performance-related settings, you must enter the value of Batch-bytes in bytes.

Transport settings for the Splunk destination

This section describes how you can configure the transport settings (HTTP or HTTPS transport) for your Splunk destination.

To configure the transport settings for your Splunk destination

  1. Navigate to Log > Destinations and select to create a new destination.

  2. Select Splunk destination.

    Figure 164: Log > Destinations > <your-splunk-destination> - Creating your new Splunk destination

  3. Select the transport type (HTTP connection settings or HTTPS connection settings) that you want to use for your Splunk destination, then continue configuring the respective connection type settings.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating