Generating partial reports
The following describes how to generate a report manually for a period that has not been already covered in an automatic report.
To generate a report manually for a period that has not been already covered in an automatic report
-
Log in to the syslog-ng Store Box(SSB) web interface, and navigate to Reports > Configuration.
-
Select the report you want to generate.
-
-
To create a report from the last daily report till now, click Generate partial daily report. For example, if you click this button at 11:30 AM, the report will include the period from 00:01 to 11:30.
-
To create a report from the last weekly report till now, click Generate partial weekly report. For example, if you click this button on Wednesday at 11:30 AM, the report will include the period from Monday 00:01 to Wednesday 11:30.
-
To create a report from the last monthly report till now, click Generate partial monthly report. For example, if you click this button at 11:30 AM, December 13, the report will include the period from December 1, 00:01 to December 13, 11:30.
The report will be automatically added in the list of reports (Reports > Generated reports), and also sent in an email to the regular recipients of the report.
-
Click .
Configuring custom reports
The following describes how to configure syslog-ng Store Box(SSB) to create custom reports. Make sure that the user account has read & write/perform access to the use static subchapters privilege.
To configure SSB to create custom reports
-
Log in to the SSB web interface, and navigate to Reports > Configuration.
Figure 214: Reports > Configuration — Configuring custom reports
-
Click and enter a name for the custom report.
-
Reports are organized into chapters and subchapters. To add a new chapter, go to Table of contents, click Add Chapter, enter a name for the chapter, then click OK. Repeat this step to create further chapters if needed.
-
Click Add Subchapter to add various reports and statistics to the chapter. The available reports will be displayed in a pop-up window. The reports created from custom statistics are listed at the end.
-
Use the arrows to change the order of the subchapters if needed.
-
To specify how often SSB should create the report, select the relevant Generate this report every (Day, Week, Month) option. Weekly reports are created on Mondays, while monthly reports on the first day of the month. You can select multiple options simultaneously.
If you want to generate the report only manually, leave this field empty.
-
By default, members of the search group can access the custom reports via the SSB web interface. To change this, enter the name of a different group into the Reports are accessible by the following groups field, or click to grant access to other groups.
NOTE: Members of the listed groups will be able to access only these custom reports even if their groups do not have read access to the Reporting > Reports page. However, only those reports will be listed, to which their group has access.
-
By default, SSB sends out the reports in email to the address set in the Basic Settings > Management > Mail settings > Send reports to field.
NOTE: If this address is not set, the report is sent to the SSB administrator's email address.
-
To disable email sending, unselect the Send reports in e-mail option.
-
To email the reports to a different address, select Recipient > Custom address, and enter the email address where the reports should be sent. Click to list multiple email addresses if needed.
-
Click .
Classifying messages with pattern databases
Classifying messages with pattern databases
Using the pattern database allows you to classify messages into various categories, receive alerts on certain messages, and to collect unknown messages using artificial ignorance.
Figure 215: Log > Pattern Database — Pattern database
Note that the classification of messages is always performed, but its results are used only if you specifically enable the relevant options on the Log > Options page.
Figure 216: Log > Options — Enabling artificial ignorance and pattern-matching alerts
-
To receive alerts on messages classified as Violation, navigate to Log > Options and enable the Alerts option.
-
To receive reports on messages not included in the pattern database, navigate to Log > Options and enable the Artificial ignorance option.
The structure of the pattern database
The pattern database is organized as follows:
Figure 217: The structure of the pattern database
-
The pattern database consists of rulesets. A ruleset consists of a Program Pattern and a set of rules: the rules of a ruleset are applied to log messages if the name of the application that sent the message matches the Program Pattern of the ruleset. The name of the application (the content of the ${PROGRAM} macro) is compared to the Program Patterns of the available rulesets, and then the rules of the matching rulesets are applied to the message.
-
The Program Pattern can be a string that specifies the name of the appliation or the beginning of its name (for example, to match for sendmail, the program pattern can be sendmail, or just send), and the Program Pattern can contain pattern parsers. Note that pattern parsers are completely independent from the syslog-ng parsers used to segment messages. Additionally, every rule has a unique identifier: if a message matches a rule, the identifier of the rule is stored together with the message.
-
Rules consist of a message pattern and a class. The Message Pattern is similar to the Program Pattern, but is applied to the message part of the log message (the content of the ${MESSAGE} macro). If a message pattern matches the message, the class of the rule is assigned to the message (for example, Security, Violation, and so on).
-
Rules can also contain additional information about the matching messages, such as the description of the rule, an URL, name-value pairs, or free-form tags. This information is displayed by the syslog-ng Store Box(SSB) appliance in the e-mail alerts (if alerts are requested for the rule), and are also displayed on the search interface.
-
Patterns can consist of literals (keywords, or rather, keycharacters) and pattern parsers.
NOTE: If the ${PROGRAM} part of a message is empty, rules with an empty Program Pattern are used to classify the message.
If the same Program Pattern is used in multiple rulesets, the rules of these rulesets are merged, and every rule is used to classify the message. Note that message patterns must be unique within the merged rulesets, but the currently only one ruleset is checked for uniqueness.