One identity Syslog-ng store box 5.3.0 User manual



syslog-ngStoreBox5.3.0

UserGuide

Thisguidecontainsproprietaryinformationprotectedbycopyright.Thesoftwaredescribedinthisguide

isfurnishedunderasoftwarelicenseornondisclosureagreement.Thissoftwaremaybeusedorcopied

onlyinaccordancewiththetermsoftheapplicableagreement.Nopartofthisguidemaybereproduced

ortransmittedinanyformorbyanymeans,electronicormechanical,includingphotocopyingand

recordingforanypurposeotherthanthepurchaser’spersonalusewithoutthewrittenpermissionof

OneIdentityLLC.

TheinformationinthisdocumentisprovidedinconnectionwithOneIdentityproducts.Nolicense,

expressorimplied,byestoppelorotherwise,toanyintellectualpropertyrightisgrantedbythis

documentorinconnectionwiththesaleofOneIdentityLLCproducts.EXCEPTASSETFORTHINTHE

TERMSANDCONDITIONSASSPECIFIEDINTHELICENSEAGREEMENTFORTHISPRODUCT,

ONEIDENTITYASSUMESNOLIABILITYWHATSOEVERANDDISCLAIMSANYEXPRESS,IMPLIEDOR

STATUTORYWARRANTYRELATINGTOITSPRODUCTSINCLUDING,BUTNOTLIMITEDTO,THE

IMPLIEDWARRANTYOFMERCHANTABILITY,FITNESSFORAPARTICULARPURPOSE,ORNON-

INFRINGEMENT.INNOEVENTSHALLONEIDENTITYBELIABLEFORANYDIRECT,INDIRECT,

CONSEQUENTIAL,PUNITIVE,SPECIALORINCIDENTALDAMAGES(INCLUDING,WITHOUT

LIMITATION,DAMAGESFORLOSSOFPROFITS,BUSINESSINTERRUPTIONORLOSSOF

INFORMATION)ARISINGOUTOFTHEUSEORINABILITYTOUSETHISDOCUMENT,EVENIF

ONEIDENTITYHASBEENADVISEDOFTHEPOSSIBILITYOFSUCHDAMAGES.OneIdentitymakesno

representationsorwarrantieswithrespecttotheaccuracyorcompletenessofthecontentsofthis

documentandreservestherighttomakechangestospecificationsandproductdescriptionsatany

timewithoutnotice.OneIdentitydoesnotmakeanycommitmenttoupdatetheinformation

containedinthisdocument.

Ifyouhaveanyquestionsregardingyourpotentialuseofthismaterial,contact:

OneIdentityLLC.

Attn:LEGALDept

4PolarisWay

AlisoViejo,CA92656

RefertoourWebsite(http://www.OneIdentity.com)forregionalandinternationalofficeinformation.

Patents

OneIdentityisproudofouradvancedtechnology.Patentsandpendingpatentsmayapplytothis

product.Forthemostcurrentinformationaboutapplicablepatentsforthisproduct,pleasevisitour

websiteathttp://www.OneIdentity.com/legal/patents.aspx.

Trademarks

OneIdentityandtheOneIdentitylogoaretrademarksandregisteredtrademarksofOneIdentity

LLC.intheU.S.A.andothercountries.ForacompletelistofOneIdentitytrademarks,pleasevisit

ourwebsiteatwww.OneIdentity.com/legal.Allothertrademarksarethepropertyoftheir

respectiveowners.

Legend

WARNING: A WARNING icon indicates a potential for property damage, personal

injury, or death.

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if

instructions are not followed.

IMPORTANT,NOTE,TIP,MOBILE,orVIDEO:Aninformationiconindicatessupporting

information.

SSBUserGuide

Updated-April2019

Version-5.3.0

Contents

Preface 5

Targetaudienceandprerequisites 5

Introduction 6

WhatSSBis 6

WhatSSBisnot 7

WhyisSSBneeded 7

WhousesSSB 8

SSB web interface 9

Supportedwebbrowsers 9

Searching log messages 11

Usingthesearchinterface 11

Customizingcolumnsofthelogmessagesearchinterface 18

Metadatacollectedaboutlogmessages 19

Usingcomplexsearchqueries 20

Searchingencryptedlogspaces 27

Usingpersistentdecryptionkeys 28

Usingsession-onlydecryptionkeys 29

Creating reports from log data 31

Creatingcustomstatisticsfromlogdata 31

Displayinglogstatistics 31

Creatingreportsfromcustomstatistics 34

Configuringcustomreports 35

Browsingreports 37

Creating content-based alerts 39

Settingupalertsonthesearchinterface 40

SettingupalertsontheSearch>Content-BasedAlertspage 42

Formatofalertmessages 44

About us 45

Contactingus 45

SSB 5.3.0 User Guide 3

Technicalsupportresources 45

SSB 5.3.0 User Guide 4

Preface

Welcometothesyslog-ngStoreBox5.3.0UserGuide.

Thisdocumentdescribeshowtousethesyslog-ngStoreBox(SSB).Background

informationforthetechnologyandconceptsusedbytheproductarealsodiscussed.

Target audience and prerequisites

Thisguideisintendedforauditors,consultants,andsecurityexpertsresponsiblefor

auditing,monitoring,andtroubleshootingapplicationsandserveradministration

processes.ItisalsousefulforITdecisionmakerslookingforatooltoimprovethesecurity

andauditabilityoftheirservers,ortohelpcompliancewiththeSarbanes-Oxley(SOX),the

HealthInsurancePortabilityandAccountabilityAct(HIPAA),BaselII,orthePaymentCard

Industry(PCI)standard.

SSB 5.3.0 User Guide

Preface

Introduction

Thischapterintroducesthesyslog-ngStoreBox(SSB),discussinghowandwhyitisuseful,

andwhatbenefitsitofferstoanexistingITinfrastructure.

What SSB is

SSBisadevicethatcollects,processes,stores,monitors,andmanageslogmessages.Itis

acentrallogserverappliancethatcanreceivesystem(syslogandeventlog)logmessages

andSimpleNetworkManagementProtocol(SNMP)messagesfromyournetworkdevices

andcomputers,storetheminatrustedandsignedlogstore,automaticallyarchiveand

backupthemessages,andalsoclassifythemessagesusingartificialignorance.

ThemostnotablefeaturesofSSBareasfollows:

lSecurelogcollectionusingTransportLayerSecurity(TLS).

lTrusted,encrypted,andtimestampedstorage.

lAbilitytocollectlogmessagesfromawiderangeofplatforms,includingLinux,Unix,

BSD,SunSolaris,HP-UX,IBMAIX,IBMSystemi,aswellasMicrosoftWindows.

lForwardsmessagestologanalyzingengines.

lClassifiesmessagesusingcustomizablepatterndatabasesforreal-timelog

monitoring,alerting,andartificialignorance.

lHighAvailability(HA)supporttoensurecontinuouslogcollectioninbusiness-critical

environments.

lReal-timelogmonitoringandalerting.

lRetrievesgroupmembershipsoftheadministratorsandusersfromaLightweight

DirectoryAccessProtocol(LDAP)database.

lStrict,yeteasilycustomizableaccesscontroltograntusersaccessonlytoselected

logmessages.

lAbilitytosearchlogdatainmultiplelogspaces,whetheronthesameSSBapplicance

orlocatedonadifferentappliance,eveninaremotelocation.

SSBisconfiguredandmanagedfromanymodernwebbrowserthatsupportsHTTPS

connections,JavaScript,andcookies.

SSB 5.3.0 User Guide

Introduction

Supported browsers:

MozillaFirefox52ESR

WealsotestSSBonthefollowing,unsupportedbrowsers.ThefeaturesofSSBare

availableandusableonthesebrowsersaswell,butthelookandfeelmightbedifferent

fromthesupportedbrowsers.InternetExplorer11,MicrosoftEdge,andthecurrently

availableversionofMozillaFirefoxandGoogleChrome.

What SSB is not

SSBisnotaloganalyzingengine,thoughitcanclassifyindividuallogmessagesusing

artificialignorance.SSBcomeswithabuilt-infeaturetostorelogmessagepatternsthat

areconsidered"normal".Messagesmatchingthesepatternsareproducedduringthe

legitimateuseoftheapplications(forexamplesendmail,Postfix,MySQL,andsoon),and

areunimportantfromthelogmonitoringperspective,whiletheremainingmessagesmay

containsomething“interesting”.TheadministratorscandefinelogpatternsontheSSB

interface,labelmatchingmessages(forexample,securityevent,andsoon),andrequest

alertsifaspecificpatternisencountered.Forthoroughloganalysis,SSBcanalsoforward

theincominglogmessagestoexternalloganalyzingengines.

Why is SSB needed

Logmessagescontaininformationabouttheeventshappeningonthehosts.Monitoring

systemeventsisessentialforsecurityandsystemhealthmonitoringreasons.Awell-

establishedlogmanagementsolutionoffersseveralbenefitstoanorganization.Itensures

thatcomputersecurityrecordsarestoredinsufficientdetail,andprovidesasimplewayto

monitorandreviewtheselogs.Routinelogreviewsandcontinuousloganalysishelpto

identifysecurityincidents,policyviolations,orotheroperationalproblems.

Logsalsooftenformthebasisofauditingandforensicanalysis,producttroubleshooting

andsupport.Therearealsoseverallaws,regulationsandindustrialstandardsthat

explicitlyrequirethecentralcollection,periodicreview,andlong-timearchivingoflog

messages.ExamplesofsuchregulationsaretheSarbanes-OxleyAct(SOX),theBaselII

accord,theHealthInsurancePortabilityandAccountabilityAct(HIPAA),orthePayment

CardIndustryDataSecurityStandard(PCI-DSS).

Builtaroundthepopularsyslog-ngapplicationusedbythousandsoforganizations

worldwide,thesyslog-ngStoreBox(SSB)bringsyouapowerful,easy-to-configure

appliancetocollectandstoreyourlogs.Usingthefeaturesofthelatestsyslog-ngPremium

Editiontotheirfullpower,SSBallowsyoutocollect,process,andstorelogmessagesfrom

awiderangeofplatformsanddevices.

Alldatacanbestoredinencryptedandoptionallytimestampedfiles,preventingany

modificationormanipulation,satisfyingthehighestsecuritystandardsandpolicy

compliancerequirements.

SSB 5.3.0 User Guide

Introduction

Who uses SSB

SSBisusefulforeveryonewhohastocollect,store,andreviewlogmessages.In

particular,SSBisinvaluablefor:

lCentral log collection and archiving:SSBoffersasimple,reliable,andconvenient

wayofcollectinglogmessagescentrally.Itisessentiallyahigh-capacitylogserver

withhighavailabilitysupport.Beingabletocollectlogsfromseveraldifferent

platformsmakesiteasytointegrateintoanyenvironment.

lSecure log transfer and storage:Logmessagesoftencontainsensitiveinformation

andalsoformthebasisofaudittrailsforseveralapplications.Preventing

eavesdroppingduringmessagetransferandunauthorizedaccessoncethemessages

reachthelogserverisessentialforsecurityandprivacyreasons.

lPolicy compliance:Manyorganizationmustcomplywithregulationslikethe

Sarbanes-OxleyAct(SOX),theBaselIIaccord,theHealthInsurancePortabilityand

AccountabilityAct(HIPAA),orthePaymentCardIndustryDataSecurityStandard

(PCI-DSS).Theseregulationsoftenhaveexplicitorimplicitrequirementsaboutlog

management,suchasthecentralcollectionoflogmessages,theuseofloganalysis

topreventanddetectsecurityincidents,orguaranteeingtheavailabilityoflog

messagesforanextendedperiodoftime—uptoseveralyears.SSBhelpsthese

organizationstocomplywiththeseregulations.

lAutomated log monitoring and log pre-processing:Monitoringlogmessagesisan

essentialpartofsystem-healthmonitoringandsecurityincidentdetectionand

prevention.SSBoffersapowerfulplatformthatcanclassifytensofthousandsof

messagesreal-timetodetectmessagesthatdeviatefromregularmessages,and

promptlyraisealerts.Althoughthisclassificationdoesnotofferascompletean

inspectionasaloganalyzingapplication,SSBcanprocessmanymoremessages

thanaregularloganalyzingengine,andalsofilteroutunimportantmessagesto

decreasetheloadontheloganalyzingapplication.

SSB 5.3.0 User Guide

Introduction

SSB web interface

syslog-ngStoreBox(SSB)isconfiguredviathewebinterface.Configurationchangestake

effectautomaticallyafterclicking .Onlythemodificationsofthecurrentpageor

tabareactivated—eachpageandtabmustbecommittedseparately.

Supported web browsers

TheSSBwebinterfacecanbeaccessedonlyusingTLSencryptionandstrongcipher

algorithms.ThebrowsermustsupportHTTPSconnections,JavaScript,andcookies.Make

surethatbothJavaScriptandcookiesareenabled.

NOTE:

SSBdisplaysawarningmessageifyourbrowserisnotsupportedorJavaScriptis

disabled.

IfyouhavesuccessfullyaccessedtheSSBwebinterfaceusingHTTPSatleastonce,your

browserwillrememberthis,andonanysubsequentoccasions,itwillforceyoutoaccess

SSBusingHTTPS,evenifyoutryloadingitthroughanHTTPconnection.Thisisthanksto

theHTTPStrictTransportSecurity(HSTS)policy,whichenableswebserverstoenforce

webbrowserstorestrictcommunicationwiththeserveroveranencryptedSSL/TLS

connectionforasetperiod.WebserversdeclaretheHSTSpolicyusingaspecialStrict-

Transport-Securityresponseheaderfield.

Thismight,however,causeissuesinanyofthefollowingcases:

lWhentheSSLcertificateofSSB'swebinterfacehasexpired.Inthiscase,any

attempttoaccessthewebinterfaceusingasecureconnectionwillfailwithan

errormessage.

lWhenyouswitchthetrustedCA-signedcertificatetoaself-signedcertificatefor

SSB'swebinterface.AsperHSTSdesign,aself-signedcertificateisnottakento

havebeenissuedbyatrustedCA,thereforeanysecureconnectionstotheSSBweb

interfacewillfailwithanerrormessage.

Theresolutiontotheabove-mentionedissuesisto:

SSB 5.3.0 User Guide

SSB web interface

lRemovetheHSTSsettingsinyourbrowser.Thismustbedonelocally,ina

browser-specificway.Fordetailedinstructions,consultthesupportsiteofthe

browseryouareusing.

lUploadanewcertificate,usingadifferentbrowseronadifferentmachine.For

detailedinstructionsonhowtouploadexternalcertificatestoSSB,see"Uploading

externalcertificatestoSSB"intheAdministrationGuide.

Supported browsers:

MozillaFirefox52ESR

WealsotestSSBonthefollowing,unsupportedbrowsers.ThefeaturesofSSBare

availableandusableonthesebrowsersaswell,butthelookandfeelmightbedifferent

fromthesupportedbrowsers.InternetExplorer11,MicrosoftEdge,andthecurrently

availableversionofMozillaFirefoxandGoogleChrome.

SSB 5.3.0 User Guide

SSB web interface

Table of contents

Popular Storage manuals by other brands

IBM

IBM 40/80 GB HH DLTVS user guide

Synology

Synology DiskStation DS716+II Quick installation guide

Vantec

Vantec NexStar-HX4 user manual

LaCie

LaCie Christofle Galet datasheet

LaCie

LaCie Rugged Thunderbolt user manual

OCZ

OCZ IBIS datasheet

Transcend

Transcend JetFlash 110 Brochure & specs

QNAP

QNAP TS 32PXU Series user guide

LaCie

LaCie RUGGED RAID user manual

Freecom

Freecom CLS DOCK Quick install guide

PNY

PNY Attache P-FD64MBATT3 install guide

OWC

OWC Mercury Elite Pro Dual mini Assembly manual

OLT

OLT 6x6 Maximizer Assembly manual

Transcend

Transcend JetFlash 160 Specifications

Thunderbolt

Thunderbolt 600 user manual

Intel

Intel RAID High Availability user guide

LaCie

LaCie 12big Thunderbolt 3 Quick install guide

Spectra Logic

Spectra Logic T-Series Spectra T50e quick start guide

One Identity syslog-ng Store Box 5.3.0 User manual

Popular Storage manuals by other brands