Filtered logspaces allow you to create a smaller, filtered subset of the logs contained in an existing local, remote or multiple logspace. Assigning a user group to a filtered logspace enables fine-grained access control, because the group sees only a subset of the logs from the logspace.

You can use the same search expressions and logic as on the Search interface to create a filtered logspace. In the following example, we have configured a filtered logspace that only contains messages from syslog-ng:

NOTE: The filtered logspace is only a view of the base logspace. The log messages are still stored in the base logspace (if the base logspace is a remote logspace, the log messages are stored on the remote syslog-ng Store Box (SSB) appliance). Therefore, you cannot alter any configuration parameters of the logspace directly. To do this, navigate to the base logspace itself.

NOTE: If there are any multiple logspaces using your logspace as a member logspace, the multiple logspaces in question will be listed under Multiple logspaces using this as member. The list items are clickable links that will take you directly to the logspaces on the SSB web interface.

This list is only visible on the SSB web interface for Logspaces, Filtered Logspaces, Multiple Logspaces, and Remote Logspaces if they are member logspaces in any multiple logspaces.

Figure 134: Log > Filtered Logspaces — Filtered logspaces

To create filtered logspaces

  1. Navigate to Log > Filtered Logspaces and click .

  2. Enter a name for the logspace into the top field. Use descriptive names that help you to identify the source easily. Note that the name of the logspace must begin with a number or a letter.

  3. Choose which logspace to filter in Base logspace.

  4. Enter the search expression in the Filter field.

    You can create complex searches using wildcards and boolean expressions. For more information and practical examples, see Using complex search queries.

    NOTE: SSB only indexes the first 59 characters of every name-value pair (parameter). This has two consequences:

    • If the parameter is longer than 59 characters, an exact search might deliver multiple, imprecise results.

      Consider the following example. If the parameter is:

      .sdata.security.uid=2011-12-08T12:32:25.024+01:00-hostname-12345

      SSB indexes it only as:

      .sdata.security.uid=2011-12-08T12:32:25.024+01:00-hostname-

      This corresponds to the first 59 characters. As a result, searching for:

      nvpair:.sdata.security.uid=2011-12-08T12:32:25.024+01:00-hostname-12345

      returns all log messages that contain:

      .sdata.security.uid=2011-12-08T12:32:25.024+01:00-hostname-

    • Using wildcards might lead to the omission of certain messages from the search results.

      Using the same example as above, searching for the value:

      nvpair:*=2011-12-08T12:32:25.024+01:00-hostname-12345

      does not return any results (as the 12345 part was not indexed). Instead, you have to search for:

      nvpair:*=2011-12-08T12:32:25.024+01:00-hostname-*

      This, as explained above, might find multiple results.

  5. By default, members of the search group can view the stored messages online. Use the Access control option to control which usergroups can access the logspace. For details, see also Managing user rights and usergroups.

  6. Click .
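The following added example (not SSB code and not part of the original documentation) models the 59-character indexing limit from the note in step 4, so that you can check whether a filter term would expose more messages to a usergroup, or fewer, than the term as written suggests. The matching model in `effective()` is an assumption derived from the behaviour described in that note, and the sample name-value pairs are constructed.

```python
from fnmatch import fnmatchcase

INDEX_LIMIT = 59  # characters of each name=value pair that SSB indexes (per the note)

def indexed_form(pair):
    """Text the index keeps for one name=value pair."""
    return pair[:INDEX_LIMIT]

def _match(term, text):
    # Wildcard terms use glob matching; plain terms must equal the text.
    if "*" in term or "?" in term:
        return fnmatchcase(text, term)
    return term == text

def intended(term, pair):
    """Would the term match if the whole pair were searchable?"""
    return _match(term.removeprefix("nvpair:"), pair)

def effective(term, pair):
    """Assumed model of the documented behaviour: only indexed text is compared."""
    term = term.removeprefix("nvpair:")
    if "*" not in term and "?" not in term:
        term = indexed_form(term)  # an exact term cannot match past the limit
    return _match(term, indexed_form(pair))

def audit(term, pairs):
    """Return (extra, missed): pairs the filter exposes or drops unintentionally."""
    extra = [p for p in pairs if effective(term, p) and not intended(term, p)]
    missed = [p for p in pairs if intended(term, p) and not effective(term, p)]
    return extra, missed

# Constructed sample pairs; the first is the parameter from the note.
STAMP = "2011-12-08T12:32:25.024+01:00-hostname-"
PAIRS = [
    ".sdata.security.uid=" + STAMP + "12345",
    ".sdata.security.uid=" + STAMP + "67890",
    ".sdata.security.uid=2011-12-09T08:00:00.000+01:00-hostname-11111",
]

if __name__ == "__main__":
    for term in ("nvpair:" + PAIRS[0], "nvpair:*=" + STAMP + "12345", "nvpair:*=" + STAMP + "*"):
        extra, missed = audit(term, PAIRS)
        print(term, "\n  extra:", extra, "\n  missed:", missed)
```

A non-empty `extra` list means the filtered logspace would show the assigned usergroup messages that the filter term was not meant to include; a non-empty `missed` list means expected messages would be absent from the view.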