立即与支持人员聊天
与支持团队交流

syslog-ng Store Box 7.0.4 LTS - Administration Guide

Preface Introduction The concepts of SSB The Welcome Wizard and the first login Basic settings User management and access control Managing SSB Configuring message sources Storing messages on SSB Forwarding messages from SSB Log paths: routing and processing messages Configuring syslog-ng options Searching log messages Searching the internal messages of SSB Classifying messages with pattern databases The SSB RPC API Monitoring SSB Troubleshooting SSB Security checklist for configuring SSB Glossary

Configuring the Transport options for your Syslog type message source

Under Log > Sources > your-new-source > Syslog > Transport, you can customize your Transport settings for your Syslog type message source.

To customize your Transport settings for your Syslog type message source

  1. Navigate to Log > Sources > your-new-source > Syslog > Transport.

    Figure 124: Log > Sources > your-new-source > Syslog > Transport — Configuring transport options for your Syslog type message source

  2. In the Transport field, select the networking protocol (UDP, TCP, TLS, ALTP or ALTP TLS) that your clients use to transfer the messages to syslog-ng Store Box (SSB).

  3. In case of UDP, TCP or TLS: select the Syslog protocol used by the clients from the Incoming log protocol and message format section. The ALTP and ALTP TLS sources only work with the IETF-syslog protocol.

    • If the clients use the legacy BSD-syslog protocol (RFC3164), select Legacy (BSD-syslog, RFC3164). This protocol is supported by most devices and applications capable to send syslog messages.

    • If the clients use the new IETF-syslog protocol (for example the clients are syslog-ng 3.0 applications that use the syslog driver, or other drivers with the flags(syslog-protocol) option), select Syslog (IETF-syslog, RFC 5452).

    To disable Syslog message parsing and store the complete log in the message part, select Do not parse. It is useful if incoming messages do not comply with the Syslog format.

  4. When using TLS, SSB displays a certificate to the client. This certificate can be set at Log > Options > TLS settings (for details, see Setting the certificates used in TLS-encrypted log transport). Optionally, SSB can perform mutual authentication and request and verify the certificate of the remote host (peer). Select the verification method to use from the Peer verification field.

    • None: Do not request a certificate from the remote host, and accept any certificate if the host sends one.

    • Optional trusted: If the remote host sends a certificate, SSB checks if it is valid (not expired) and that the Common Name of the certificate contains the domain name or the IP address of the host. If these checks fail, SSB rejects the connection. However, SSB accepts the connection if the host does not send a certificate.

    • Optional untrusted: Accept any certificate shown by the remote host. Note that the host must show a certificate.

    • Required trusted (default setting): Verify the certificate of the remote host. Only valid certificates signed by a trusted certificate authority are accepted. See Uploading external certificates to SSB for details on importing CA certificates. Note that the Common Name of the certificate must contain the domain name or the IP address of the host.

    • Required untrusted: SSB requests a certificate from the remote host, and rejects the connection if no certificate is received. However, SSB accepts the connection if:

      • the certificate is not valid (expired), or

      • the Common Name of the certificate does not contain the domain name or the IP address of the host.

    When using ALTP TLS, SSB only accepts Required-trusted peer verification.

    NOTE: For details on ALTP, see Advanced Log Transfer Protocol.

    Caution:

    UDP is a highly unreliable protocol, when using UDP, a large number of messages may be lost without any warning. Use TCP, TLS or ALTP whenever possible.

  5. Configure other, source-related options in the Other source options section, depending on what transport you have selected.

    • When using TCP or TLS, you can set the maximum number of parallel connections in the Maximum connections field. This option corresponds to the max_connections() syslog-ng parameter.

      In case of ALTP or ALTP TLS: enter the number of maximum connections. The default value is 1000 connections. Select Allow compression to allow compression on level 6. Compression level cannot be changed.

    • When using TLS or ALTP TLS, configure the strength of the allowed cipher suites using one of the following options:

      • Compatible: It is a large set of cipher suites determined by the following cipher string:

        ALL:!aNULL:!eNULL

        The Compatible setting may allow permitting (and hence not safe) cipher suites for the Transport Layer Security (TLS) negotiations.

      • Secure: A smaller and more strict set of cipher suites where vulnerable cryptographic algorithms are eliminated. This cipher suite set is determined by the following cipher string:

        HIGH:!COMPLEMENTOFDEFAULT:!aNULL:!eNULL:!DHE-RSA-AES128-SHA:!DHE-RSA-AES256-SHA:!ECDHE-RSA-AES128-SHA:!ECDHE-RSA-AES256-SHA:!AES128-SHA:!AES256-SHA
  6. (Optional) Customize the number of your Maximum connections.

Configuring the Hostname and timestamp-related settings for your Syslog type message source

Under Log > Sources > <your-new-source> > Syslog > Hostname and timestamp-related settings, you can first customize your settings related to hostnames and timestamps for your Syslog type message source.

To customize your settings related to hostnames and timestamps for your Syslog type message source

  1. Navigate to Log > Sources > <your-new-source> > Syslog > Hostname and timestamp-related settings.

    Figure 125: Log > Sources > <your-new-source> > Syslog > Hostname and timestamp-related settings — Customizing your settings related to hostnames and timestamps for your Syslog type message source

  2. In the Hostname and time stamp related settings section, configure the following, based on your preferences:

    • To accept messages only from selected hosts, create a hostlist and select it in the Hostlist field. For details on creating hostlists, see Creating hostlist policies.

    • Set the Timezone option of the incoming messages if needed.

    • If the information sent by the hosts to this source can be trusted, enable the Trusted option. The syslog-ng Store Box (SSB) appliance keeps the time stamps and the hostname of the messages sent by trusted clients. This corresponds to enabling the keep_timestamp() and keep_hostname() syslog-ng Premium Edition (syslog-ng PE) options for the source.

    • Select the Use FQDN option if you wish to store the full domain name of the sender host.

  3. Select the name resolving method to use from the Use DNS field.

    • To allow using DNS, select Yes.

    • To disable using DNS, select No.

    • To only allow using DNS when using a persistent configuration, select Only from persistent configuration.

Configuring the Monitoring settings for your Syslog type message source

Under Log > Sources > your-new-source > Syslog > Monitoring, you can customize your monitoring settings for your Syslog type message source.

To customize your settings related to monitoring for your Syslog type message source

  1. Navigate to Log > Sources > your-new-source > Syslog > Monitoring.

    Log > Sources > your-new-source > Syslog > Monitoring.

    Figure 126: Log > Sources > your-new-source > Syslog > Monitoring — Customizing your monitoring settings your own, customized Syslog type message source

  2. (Optional) Enable Message rate alerting.

  3. Select the basis of your alerts under Counter.

  4. Select the frequency of alerts (in minutes) under Period.

  5. Specify the amount of alerts you want to receive within the specified Period (ranging between the minimum and maximum numbers of your choice) under Minimum and Maximum.

  6. Select the alerting frequency in the Alert field.

    Once sends only one alert (and after the problem is fixed, a "Fixed" message).

    Always sends an alert each time the result of the measurement falls outside the preset range.

  7. (Optional) To set the configured alert settings as your default, enable Master alert.

  8. (Optional) To leave the Log > Sources > your-new-source > SQL > Monitoring page and customize Message rate alerting statistics settings that apply to the entire syslog-ng Store Box (SSB) appliance, clicking Global settings takes you to Log > Options > Message rate alerting statistics.

    For more information about the configurable settings you can customize under Log > Options > Message rate alerting statistics, see Configuring message rate alerting.

NOTE: You can configure multiple alerts under Monitoring and pick the alert of your choice as your Master alert. To add a new alert under Message rate alerting, click . To delete a redundant alert, click .

  1. To configure Message rate alerting for the source, see Configuring message rate alerting.

  2. Set the character Encoding option of the incoming messages if needed.

  3. Click .

    NOTE: In order to actually store the messages arriving to this source, you have to include this source in a log path. For details, see Log paths: routing and processing messages.

  4. (Optional) If you want to receive messages using the ALTP or ALTP TLS protocol, make sure that you have configured your syslog-ng PE clients to transfer the messages to SSB using ALTP or ALTP TPS protocol. For details, see Advanced Log Transfer Protocol.

Customizing encoding for your Syslog type message source

Under Log > Sources > <your-new-source> > Syslog > Other options, you can customize your encoding preferences for your Syslog type message source.

To customize your encoding preferences for your Syslog type message source

  1. Navigate to Log > Sources > <your-new-source> > Syslog > Other options.

    Figure 127: Log > Sources > <your-new-source> > Syslog > Other options — customizing your encoding preferences for your Syslog type message source

  2. Select the Encoding type you want the Syslog source type to use.

相关文档

The document was helpful.

选择评级

I easily found the information I needed.

选择评级