Chat now with support
Chat with Support

syslog-ng Store Box 7.3.0 - Administration Guide

Preface Introduction The concepts of SSB The Welcome Wizard and the first login Basic settings User management and access control Managing SSB Configuring message sources Storing messages on SSB Forwarding messages from SSB Log paths: routing and processing messages Configuring syslog-ng options Searching log messages Searching the internal messages of SSB Classifying messages with pattern databases The SSB RPC API Monitoring SSB Troubleshooting SSB Security checklist for configuring SSB Glossary

Configuring the Google Pub/Sub destination: Performance-related settings

This section describes configuring the performance-related settings of your Google Pub/Sub destination after you finish configuring the authentication and workspace settings and the advanced message parameters for the Google Pub/Sub destination.

NOTE: This section and the other Google Pub/Sub-related sections in this documentation are based on Google Pub/Sub messaging service concepts and terminology. If you do not use the Google Pub/Sub messaging service on a regular basis, One Identity recommends that you read the Google Pub/Sub overview documentation in the Google Pub/Sub online documentation to familiarize yourself with the messaging service's concepts and terminology before you continue reading these sections.

To configure the performance-related settings of your Google Pub/Sub destination

  1. Navigate to Log > Destination > <your-pubsub-destination> > Performance-related settings.

    Figure 186: Log > Destination > <your-pubsub-destination> — Configuring the authentication and workspace settings

  2. In the Number of workers field, set the number of worker threads that you want SSB to use when sending messages to the server.

    CAUTION: Hazard of data loss!

    When you use more than one worker threads together with disk-buffering enabled, consider that the syslog-ng PE application behind SSB creates a separate disk-buffer file for each worker thread. This means that decreasing the number of workers can result in losing data currently stored in the disk-buffer files. To avoid data loss, One Identity recommends that you do not decrease the number of workers when the disk-buffer files are in use.

    NOTE: Increasing the number of worker threads can drastically improve the performance of the destination.

  3. In the Timeout field, specify the timeout (in seconds) that you want SSB to wait for an operation to complete, and then attempt to reconnect the server if the configured timeout limit is exceeded.

    The default value of the Timeout setting is 0, which means that it is disabled by default.

  4. In the Batch lines field, specify how many lines you want SSB to flush to a destination in one batch.

    For further information on the maximum number of Batch lines, see the Publish request limit at Cloud Pub/Sub > Documentation > Resources > Quotas and limits > Resource limits.

    NOTE: SSB waits for the configured number of lines to accumulate, and when this number is reached, SSB sends the message lines to the destination in a single batch. For example, if you set Batch lines to 100, SSB waits for 100 message lines before sending them in one batch.

    NOTE: Consider the following when configuring the number of batch lines:

    • Increasing the number of batch lines increases throughput (because more messages are sent in a single batch), but also increases message latency.

    • If the Batch-timeout option is disabled, the syslog-ng PE application behind SSB flushes the messages if it has sent the number of messages specified in Batch lines, or the queue became empty. If you stop or reload the syslog-ng PE application behind SSB, or if in case of network sources, the connection with the client is closed, the syslog-ng PE behind SSB automatically sends the unsent messages to the destination.

    • If the Batch-timeout option is enabled and the queue becomes empty, SSB flushes the messages only if Batch timeout expires, or if the batch reaches the limit set in Batch lines.

    NOTE: Depending on your source configuration settings, your batch may not reach the Batch lines limit before your queue becomes empty, and SSB forwards your messages.

  5. In the Batch-bytes field, set the maximum size of payload in a batch (in bytes).

    For the maximum value of Batch-bytes, see the Publish request limit at Cloud Pub/Sub > Documentation > Resources > Quotas and limits > Resource limits.

    NOTE: When configuring Batch-bytes, consider the following:

    • If the size of the messages reaches this value, the syslog-ng PE application behind SSB sends the batch the Google Pub/Sub messaging service even if the number of messages is less than the value you configure in the Batch-bytes field.

    • If Batch-timeout is enabled and the queue becomes empty, SSB flushes the messages only if Batch-timeout value expires, or if the message batch reaches the limit set in the Batch-bytes field.

  6. (Optional) Select Batch-timeout, and in the Batch-timeout value field, specify the time SSB waits for Batch lines to accumulate in the output buffer.

    SSB sends batches to the destinations evenly. The timer starts when the first message arrives to the buffer, so if only few messages arrive, SSB sends messages to the destination once every Batch timeout milliseconds at most.

Forwarding log messages to Splunk

This section describes how to forward messages from syslog-ng Store Box (SSB) to Splunk.

From version 6.6.0, SSB uses the syslog-ng Premium Edition (syslog-ng PE) application's support to post messages to a Splunk deployment in JSON format, using the HTTP Event Collector (HEC) over HTTP and Secure HTTP (HTTPS).

For further details about how the application forwards messages to Splunk, see splunk-hec: Sending messages to Splunk HTTP Event Collector in the syslog-ng PE Administration Guide.

Prerequisites

This section describes the prerequisites for forwarding messages from syslog-ng Store Box (SSB) to Splunk.

  • On your Splunk deployment

    • You must enable HTTP Event Collector (HEC).

    • You must create a token for SSB.

      NOTE: One Identity recommends that you use the default syslog source type for the token.

    For more information about enabling HEC and creating a token on your Splunk deployment, see Set up and use HTTP Event Collector in Splunk Web in the Splunk online documentation.

  • On the SSB appliance

    • If you want to use Peer verification for your Splunk destination, consider that the CA certificate must be added under Log > Options > TLS settings before you enable Peer verification under Log > Destination > your-splunk-destination > Transport > HTTPS connection settings > Verification.

Limitations

This section describes the limitations for forwarding messages from syslog-ng Store Box (SSB) to Splunk.

  • Messages with HTTP 400 response code will be dropped

    If the message sent to Splunk is invalid, Splunk will reply with an HTTP 400 response code.

    The message can be invalid for either of these reasons:

    • A required argument is missing from the message.

    • The message size exceeds limits.

    • The message itself has an invalid format.

    In these cases, SSB cannot successfully send the messages to Splunk. These messages would prevent SSB from sending further messages to the messaging service, therefore SSB must drop them.

  • IP address limitation

    IPv6 addresses are not supported as HTTP Event Collector (HEC) URLs.

  • Proxy type limitations

    Only HTTP proxy types are supported.

  • Authenticated proxy types are not supported.

  • Batch-bytes unit of measurement limitation

    When configuring performance-related settings, you must enter the value of Batch-bytes in bytes.

Related Documents

The document was helpful.

Select Rating

I easily found the information I needed.

Select Rating