
syslog-ng Store Box 6.3.0 - Administration Guide


Using the values of pattern parsers in filters and templates

Similarly to Using parser results in filters and templates, the results of pattern parsers can be used in filters and templates as well. To do so, give the parser a name; that name then acts as a macro that refers to the value the parser extracted from the message.

Suppose you want to parse messages of an application that look like "Transaction: <type>.", where <type> is a string that takes different values (for example refused, accepted, or incomplete). To parse these messages, use the following pattern:

'Transaction: @ESTRING::.@'

Here the @ESTRING@ parser consumes the message up to the next full stop character. To use the result in a filter or a filename template, give the parser a name in the pattern, for example:

'Transaction: @ESTRING:TRANSACTIONTYPE:.@'

Then add a custom filter to the log path that refers to this name. For example, to select every accepted transaction, use the following custom filter in the log path:

match("accepted" value("TRANSACTIONTYPE"));
NOTE: The above macros can also be used in database columns and filename templates, if you create custom templates for the destination or logspace.
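The following is an added example, not code from the guide or from syslog-ng: a small Python model of how a named @ESTRING@ parser turns part of a message into a value, how the custom filter above selects messages on that value, and how the same value fills a ${TRANSACTIONTYPE} macro in a filename template. The sample messages are constructed for the example. The ESTRING semantics it implements (consume up to the next occurrence of the delimiter, then the delimiter; fail if the delimiter never occurs; match anchored at the start of the message, with anything after the pattern ignored) are a simplification of syslog-ng's pattern database and are assumptions of this model.

```python
import re

# Constructed sample messages for this example (not from the page).
SAMPLE_MESSAGES = [
    "Transaction: accepted. id=1041",
    "Transaction: refused. id=1042",
    "Transaction: incomplete. id=1043",
    "Transaction: accepted. id=1044",
    "Heartbeat ok",                 # literal prefix does not match
    "Transaction: accepted",        # no terminating full stop: ESTRING fails
]

# The pattern from the page, with the parser named so its value becomes a macro.
PATTERN = "Transaction: @ESTRING:TRANSACTIONTYPE:.@"

# @ESTRING:name:delimiter@ (the name may be empty for an anonymous parser)
_ESTRING_RE = re.compile(r"@ESTRING:(?P<name>[^:@]*):(?P<delim>[^@]*)@")


def compile_pattern(pattern):
    """Translate literal text plus @ESTRING@ parsers into an anchored regex.

    Assumed semantics (a simplification of syslog-ng's pattern database):
    an ESTRING consumes everything up to the next occurrence of its delimiter,
    then the delimiter itself; if the delimiter never occurs, the whole
    pattern fails to match. Matching is anchored at the start of the message
    and text after the pattern is ignored.
    """
    parts, pos = [], 0
    for m in _ESTRING_RE.finditer(pattern):
        parts.append(re.escape(pattern[pos:m.start()]))       # literal text
        name, delim = m.group("name"), m.group("delim")
        if delim:
            body = r"(?:(?!%s).)*" % re.escape(delim)
            captured = "(?P<%s>%s)" % (name, body) if name else "(?:%s)" % body
            parts.append(captured + re.escape(delim))
        else:
            # Empty delimiter: consume the rest of the message.
            parts.append("(?P<%s>.*)" % name if name else ".*")
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("^" + "".join(parts), re.DOTALL)


def parse_message(compiled, message):
    """Return the named parser values as a dict, or None when the pattern
    does not match the message."""
    m = compiled.match(message)
    return m.groupdict() if m else None


def filter_match(values, value_name, regexp):
    """Equivalent of the page's filter match("accepted" value("TRANSACTIONTYPE")):
    match() is a regexp *search* inside the named value, not an equality test,
    so anchor the expression (e.g. "^accepted$") if you need an exact value."""
    if values is None or value_name not in values:
        return False
    return re.search(regexp, values[value_name]) is not None


def select_messages(messages, pattern, value_name, regexp):
    """Apply the pattern to every message and keep those whose named value
    satisfies the filter (what the custom filter in the log path does)."""
    compiled = compile_pattern(pattern)
    return [
        msg for msg in messages
        if filter_match(parse_message(compiled, msg), value_name, regexp)
    ]


def render_template(template, values):
    """Expand ${NAME} macros in a filename template from the parsed values,
    the way a custom destination template would use them."""
    return re.sub(r"\$\{(\w+)\}", lambda m: values.get(m.group(1), ""), template)


if __name__ == "__main__":
    compiled = compile_pattern(PATTERN)
    for msg in select_messages(SAMPLE_MESSAGES, PATTERN, "TRANSACTIONTYPE", "accepted"):
        values = parse_message(compiled, msg)
        print(msg, "->", render_template("transactions-${TRANSACTIONTYPE}.log", values))
```

Two details worth noticing when you move from the model to the appliance: a message without the terminating full stop is not parsed at all, so it never reaches a filter that tests TRANSACTIONTYPE, and a filter value of "accepted" would also match a hypothetical type "not-accepted", so anchor the expression when the set of types is not under your control.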

The SSB RPC API

The syslog-ng Store Box (SSB) application can be accessed using a Remote Procedure Call Application Programming Interface (RPC API).

The SSB RPC API allows you to access and query SSB logspaces from remote applications. You access the API using a RESTful protocol over HTTPS, so any programming language with a RESTful HTTPS client can be used to integrate SSB into your environment. Sample shell code snippets are provided in the API documentation.

Accessing SSB with the RPC API offers several advantages:

  • Integration into custom applications and environments

  • Flexible, dynamic search queries

SSB protects logins against brute-force attacks: if you repeatedly try to log in to SSB with incorrect credentials within a short period (10 attempts within 60 seconds), the source IP address is blocked for 5 minutes. Note that this applies to RPC API clients too, so a client that retries a failed login in a loop locks itself out.

Requirements for using the RPC API

To access syslog-ng Store Box (SSB) using the RPC API, the following requirements must be met:

  • The appliance must be reachable over HTTPS, and every API call is made over an authenticated HTTPS connection.

  • The user account used to access SSB via RPC must have Search privilege (which provides access to all logspaces), or must be a member of the groups listed in the Access Control option of the particular logspace. For details on managing user privileges, see Modifying group privileges.

RPC client requirements

The client application used to access syslog-ng Store Box (SSB) must meet the following criteria:

  • Support RESTful web APIs over HTTPS

  • Properly handle complex object types

  • Include a JSON decoder for interpreting the results of search operations
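The following is an added example, not code from the guide or from the SSB API documentation: a minimal Python client skeleton that meets the three criteria above using only the standard library (HTTPS with certificate verification, nested JSON results decoded into objects) and that does not retry on an authentication failure, so it cannot trigger the lockout described above. The host name, CA bundle path, endpoint path, query parameter names and the use of HTTP Basic authentication are all placeholders assumed for the example; take the real values from the SSB RPC API documentation. The sample response body is constructed for offline use.

```python
import base64
import json
import ssl
import urllib.error
import urllib.parse
import urllib.request

# Placeholders (assumptions of this example, not values from the SSB API
# documentation): host, CA bundle path, endpoint path, query parameters and
# HTTP Basic authentication. Replace them with the values the API guide gives.
SSB_BASE_URL = "https://ssb.example.com"
SSB_CA_BUNDLE = "/etc/ssl/certs/ssb-ca.pem"
SEARCH_PATH = "/api/search"


class AuthenticationFailed(Exception):
    """Raised on HTTP 401/403 so the caller does not blindly retry the login."""


def make_ssl_context(ca_bundle):
    """Verify the appliance certificate against the CA you trust for SSB.
    Disabling verification would let anyone on the path read the credentials
    and the log data returned by searches."""
    ctx = ssl.create_default_context(cafile=ca_bundle)
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def build_request(base_url, path, params, username, password):
    """Build an authenticated GET request for a search (HTTP Basic assumed)."""
    url = "%s%s?%s" % (base_url.rstrip("/"), path, urllib.parse.urlencode(params))
    req = urllib.request.Request(url, method="GET")
    token = base64.b64encode(("%s:%s" % (username, password)).encode("utf-8")).decode("ascii")
    req.add_header("Authorization", "Basic " + token)
    req.add_header("Accept", "application/json")
    return req


def decode_search_result(body):
    """Decode the JSON body of a search response. Results are nested objects
    (the 'complex object types' the requirements mention), so walk them with
    the json module rather than string operations; refuse anything whose
    top level is not an object."""
    data = json.loads(body.decode("utf-8"))
    if not isinstance(data, dict):
        raise ValueError("unexpected top-level JSON type: %s" % type(data).__name__)
    return data


def search_logspace(logspace, query, username, password,
                    base_url=SSB_BASE_URL, ca_bundle=SSB_CA_BUNDLE):
    """Run one search and return the decoded result. On 401/403 raise
    AuthenticationFailed instead of retrying: SSB blocks the source IP for
    5 minutes after 10 failed logins within 60 seconds, so a retry loop locks
    out the integration (and every other client behind the same address)."""
    params = {"logspace": logspace, "query": query}   # parameter names assumed
    req = build_request(base_url, SEARCH_PATH, params, username, password)
    try:
        with urllib.request.urlopen(req, context=make_ssl_context(ca_bundle), timeout=30) as resp:
            return decode_search_result(resp.read())
    except urllib.error.HTTPError as exc:
        if exc.code in (401, 403):
            raise AuthenticationFailed(
                "SSB rejected the request (HTTP %d): check the credentials and that the "
                "user has Search privilege or access to the logspace" % exc.code)
        raise


# Constructed sample response body for offline use (not real SSB output).
SAMPLE_BODY = (b'{"results": [{"timestamp": "2020-09-01T10:00:00Z", '
               b'"message": "Transaction: accepted."}]}')

if __name__ == "__main__":
    print(decode_search_result(SAMPLE_BODY)["results"][0]["message"])
```

The account used here should be a dedicated API user with Search privilege or membership in the logspace's Access Control groups only, not an administrator, so that a leaked credential exposes log data but not the appliance configuration.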
