立即与支持人员聊天
与支持团队交流

syslog-ng Store Box 6.10.0 - Administration Guide

Preface Introduction The concepts of SSB The Welcome Wizard and the first login Basic settings User management and access control Managing SSB Configuring message sources Storing messages on SSB Forwarding messages from SSB Log paths: routing and processing messages Configuring syslog-ng options Searching log messages Searching the internal messages of SSB Classifying messages with pattern databases The SSB RPC API Monitoring SSB Troubleshooting SSB Security checklist for configuring SSB Glossary

Assigning decryption keys to a logstore

You can add a private key (or set of keys) to a logstore, and use these keys to decrypt the logstore files. This way, anyone who has the right to search a particular logspace can search the messages. These decryption keys are stored unencrypted in the syslog-ng Store Box(SSB) configuration file.

As this may raise security concerns, avoid this solution unless absolutely necessary.

To assign decryption keys to a logstore

  1. Navigate to Log > Logspaces and select the encrypted logspace you want to make searchable for every user via the SSB web interface.

  2. Select Decryption private keys > . A pop-up window is displayed.

    Figure 217: Log > Logspaces — Adding decryption keys to a logstore

  3. Paste or upload the private key of the certificate used to encrypt the logstore.

  4. Repeat Steps 2-3 to upload additional keys if needed.

    An additional key is needed when the certificate used to encrypt a logstore expires. When this happens, you have to upload a new certificate. However, to be able to read the logstore encrypted with the old (expired) certificate(s), you need to keep the old encryption key(s) with the new one.

  5. Click .

Creating custom statistics from log data

The syslog-ng Store Box(SSB) appliance can create statistics from the Facility, Priority, Program, Pid, Host, Tags, and .classifier.class columns. Use Customize columns to add the required column, if necessary.

NOTE: The .classifier.class data is the class assigned to the message when pattern database is used. For details, see "Classifying messages with pattern databases" in the Administration Guide. The pattern databases provided by One Identity currently use the following message classes by default: system, security, violation, or unknown.

You can display statistics on the web interface, export the related data as CSV, and also save the statistics to include in a report.

Displaying log statistics

To display statistics about the log messages, click the icon in the appropriate header of the table.

You can choose from Bar chart or Pie chart & List.

NOTE: For performance reasons, when creating statistics for a Multiple Logspace (see "Creating multiple logspaces" in the Administration Guide), syslog-ng Store Box(SSB) does not create statistics if the data upon which the statistics is based (for example, the hostname) has over 1000 entries in any of the member logspaces. In this case, SSB displays the Number of member statistics has too many entries error message.

Figure 218: Search > Logspaces — Displaying log statistics as Bar chart

In Pie chart & List view, percentages add up to 100%. The only exception to this is when statistics are based on Tags. Since statistics are provided for tags rather than messages, when messages have multiple tags, the percentages may add up to more than 100%.

Figure 219: Search > Logspaces — Displaying log statistics as Pie chart & List

Statistics will show the item with the largest number of entries first. To display the item with the least number of entries first, select Least.

NOTE: When navigating to the "future" in the search bar, it is possible that the number of logs displayed in the Search results differs from the number of logs displayed in the Count part of the Host pie chart.

To avoid this, do not navigate to the "future".

If this has already happened, save the search expression that you have used somewhere, and then refresh the page by clicking Log > Search again. Note that it will display the original state of the Search page, meaning that for example it will remove all search expressions that you have entered before.

You can export these statistics in CSV format using the Export all to CSV option, or you can include them in reports as a subchapter.

Caution:

Do not use Export all to CSV to export large amounts of data, as exporting data can be very slow, especially if the system is under heavy load. If you regularly need a large portion of your data in plain text format, consider using the syslog-ng Store Box(SSB) RPC API (for details, see "The SSB RPC API" in the Administration Guide), or sharing the log files on the network and processing them with external tools (for details, see "Accessing log files across the network" in the Administration Guide).

Creating reports from custom statistics

You can save log statistics to include them in reports as a subchapter.

Figure 220: Search > Logspaces — Creating reports from custom log statistics

  1. In the Statistics view, click Report settings.

  2. Add a name for the statistics in the Report subchapter name field.

  3. Select the Visualization for the report: List, Pie chart, or Bar chart.

  4. Choose how the entries are sorted: descending (Top) or ascending (Least).

  5. Choose the Number of entries to include.

    NOTE: Selecting All includes only the first 1000 results. The remaining results are aggregated as 'others'.

    NOTE: For performance reasons, when creating statistics for a Multiple Logspace (see "Creating multiple logspaces" in the Administration Guide), syslog-ng Store Box(SSB) does not create statistics if the data upon which the statistics is based (for example, the hostname) has over 1000 entries in any of the member logspaces. In this case, SSB displays the Number of member statistics has too many entries error message.

  6. Select the user group that can access the subchapter in the Grant access for the following user groups field.

  7. Click Save as Report subchapter.

  8. To add the saved subchapter to a report, follow the instructions provided in Configuring custom reports.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级