One identity Syslog-ng store box 5.3.0 User manual



syslog-ngStoreBox5.3.0

UserGuide

Thisguidecontainsproprietaryinformationprotectedbycopyright.Thesoftwaredescribedinthisguide

isfurnishedunderasoftwarelicenseornondisclosureagreement.Thissoftwaremaybeusedorcopied

onlyinaccordancewiththetermsoftheapplicableagreement.Nopartofthisguidemaybereproduced

ortransmittedinanyformorbyanymeans,electronicormechanical,includingphotocopyingand

recordingforanypurposeotherthanthepurchaser’spersonalusewithoutthewrittenpermissionof

OneIdentityLLC.

TheinformationinthisdocumentisprovidedinconnectionwithOneIdentityproducts.Nolicense,

expressorimplied,byestoppelorotherwise,toanyintellectualpropertyrightisgrantedbythis

documentorinconnectionwiththesaleofOneIdentityLLCproducts.EXCEPTASSETFORTHINTHE

TERMSANDCONDITIONSASSPECIFIEDINTHELICENSEAGREEMENTFORTHISPRODUCT,

ONEIDENTITYASSUMESNOLIABILITYWHATSOEVERANDDISCLAIMSANYEXPRESS,IMPLIEDOR

STATUTORYWARRANTYRELATINGTOITSPRODUCTSINCLUDING,BUTNOTLIMITEDTO,THE

IMPLIEDWARRANTYOFMERCHANTABILITY,FITNESSFORAPARTICULARPURPOSE,ORNON-

INFRINGEMENT.INNOEVENTSHALLONEIDENTITYBELIABLEFORANYDIRECT,INDIRECT,

CONSEQUENTIAL,PUNITIVE,SPECIALORINCIDENTALDAMAGES(INCLUDING,WITHOUT

LIMITATION,DAMAGESFORLOSSOFPROFITS,BUSINESSINTERRUPTIONORLOSSOF

INFORMATION)ARISINGOUTOFTHEUSEORINABILITYTOUSETHISDOCUMENT,EVENIF

ONEIDENTITYHASBEENADVISEDOFTHEPOSSIBILITYOFSUCHDAMAGES.OneIdentitymakesno

representationsorwarrantieswithrespecttotheaccuracyorcompletenessofthecontentsofthis

documentandreservestherighttomakechangestospecificationsandproductdescriptionsatany

timewithoutnotice.OneIdentitydoesnotmakeanycommitmenttoupdatetheinformation

containedinthisdocument.

Ifyouhaveanyquestionsregardingyourpotentialuseofthismaterial,contact:

OneIdentityLLC.

Attn:LEGALDept

4PolarisWay

AlisoViejo,CA92656

RefertoourWebsite(http://www.OneIdentity.com)forregionalandinternationalofficeinformation.

Patents

OneIdentityisproudofouradvancedtechnology.Patentsandpendingpatentsmayapplytothis

product.Forthemostcurrentinformationaboutapplicablepatentsforthisproduct,pleasevisitour

websiteathttp://www.OneIdentity.com/legal/patents.aspx.

Trademarks

OneIdentityandtheOneIdentitylogoaretrademarksandregisteredtrademarksofOneIdentity

LLC.intheU.S.A.andothercountries.ForacompletelistofOneIdentitytrademarks,pleasevisit

ourwebsiteatwww.OneIdentity.com/legal.Allothertrademarksarethepropertyoftheir

respectiveowners.

Legend

WARNING: A WARNING icon indicates a potential for property damage, personal

injury, or death.

CAUTION: A CAUTION icon indicates potential damage to hardware or loss of data if

instructions are not followed.

IMPORTANT,NOTE,TIP,MOBILE,orVIDEO:Aninformationiconindicatessupporting

information.

SSBUserGuide

Updated-April2019

Version-5.3.0

Contents

Preface 5

Targetaudienceandprerequisites 5

Introduction 6

WhatSSBis 6

WhatSSBisnot 7

WhyisSSBneeded 7

WhousesSSB 8

SSB web interface 9

Supportedwebbrowsers 9

Searching log messages 11

Usingthesearchinterface 11

Customizingcolumnsofthelogmessagesearchinterface 18

Metadatacollectedaboutlogmessages 19

Usingcomplexsearchqueries 20

Searchingencryptedlogspaces 27

Usingpersistentdecryptionkeys 28

Usingsession-onlydecryptionkeys 29

Creating reports from log data 31

Creatingcustomstatisticsfromlogdata 31

Displayinglogstatistics 31

Creatingreportsfromcustomstatistics 34

Configuringcustomreports 35

Browsingreports 37

Creating content-based alerts 39

Settingupalertsonthesearchinterface 40

SettingupalertsontheSearch>Content-BasedAlertspage 42

Formatofalertmessages 44

About us 45

Contactingus 45

SSB 5.3.0 User Guide 3

Technicalsupportresources 45

SSB 5.3.0 User Guide 4

Preface

Welcometothesyslog-ngStoreBox5.3.0UserGuide.

Thisdocumentdescribeshowtousethesyslog-ngStoreBox(SSB).Background

informationforthetechnologyandconceptsusedbytheproductarealsodiscussed.

Target audience and prerequisites

Thisguideisintendedforauditors,consultants,andsecurityexpertsresponsiblefor

auditing,monitoring,andtroubleshootingapplicationsandserveradministration

processes.ItisalsousefulforITdecisionmakerslookingforatooltoimprovethesecurity

andauditabilityoftheirservers,ortohelpcompliancewiththeSarbanes-Oxley(SOX),the

HealthInsurancePortabilityandAccountabilityAct(HIPAA),BaselII,orthePaymentCard

Industry(PCI)standard.

SSB 5.3.0 User Guide

Preface

Introduction

Thischapterintroducesthesyslog-ngStoreBox(SSB),discussinghowandwhyitisuseful,

andwhatbenefitsitofferstoanexistingITinfrastructure.

What SSB is

SSBisadevicethatcollects,processes,stores,monitors,andmanageslogmessages.Itis

acentrallogserverappliancethatcanreceivesystem(syslogandeventlog)logmessages

andSimpleNetworkManagementProtocol(SNMP)messagesfromyournetworkdevices

andcomputers,storetheminatrustedandsignedlogstore,automaticallyarchiveand

backupthemessages,andalsoclassifythemessagesusingartificialignorance.

ThemostnotablefeaturesofSSBareasfollows:

lSecurelogcollectionusingTransportLayerSecurity(TLS).

lTrusted,encrypted,andtimestampedstorage.

lAbilitytocollectlogmessagesfromawiderangeofplatforms,includingLinux,Unix,

BSD,SunSolaris,HP-UX,IBMAIX,IBMSystemi,aswellasMicrosoftWindows.

lForwardsmessagestologanalyzingengines.

lClassifiesmessagesusingcustomizablepatterndatabasesforreal-timelog

monitoring,alerting,andartificialignorance.

lHighAvailability(HA)supporttoensurecontinuouslogcollectioninbusiness-critical

environments.

lReal-timelogmonitoringandalerting.

lRetrievesgroupmembershipsoftheadministratorsandusersfromaLightweight

DirectoryAccessProtocol(LDAP)database.

lStrict,yeteasilycustomizableaccesscontroltograntusersaccessonlytoselected

logmessages.

lAbilitytosearchlogdatainmultiplelogspaces,whetheronthesameSSBapplicance

orlocatedonadifferentappliance,eveninaremotelocation.

SSBisconfiguredandmanagedfromanymodernwebbrowserthatsupportsHTTPS

connections,JavaScript,andcookies.

SSB 5.3.0 User Guide

Introduction

Supported browsers:

MozillaFirefox52ESR

WealsotestSSBonthefollowing,unsupportedbrowsers.ThefeaturesofSSBare

availableandusableonthesebrowsersaswell,butthelookandfeelmightbedifferent

fromthesupportedbrowsers.InternetExplorer11,MicrosoftEdge,andthecurrently

availableversionofMozillaFirefoxandGoogleChrome.

What SSB is not

SSBisnotaloganalyzingengine,thoughitcanclassifyindividuallogmessagesusing

artificialignorance.SSBcomeswithabuilt-infeaturetostorelogmessagepatternsthat

areconsidered"normal".Messagesmatchingthesepatternsareproducedduringthe

legitimateuseoftheapplications(forexamplesendmail,Postfix,MySQL,andsoon),and

areunimportantfromthelogmonitoringperspective,whiletheremainingmessagesmay

containsomething“interesting”.TheadministratorscandefinelogpatternsontheSSB

interface,labelmatchingmessages(forexample,securityevent,andsoon),andrequest

alertsifaspecificpatternisencountered.Forthoroughloganalysis,SSBcanalsoforward

theincominglogmessagestoexternalloganalyzingengines.

Why is SSB needed

Logmessagescontaininformationabouttheeventshappeningonthehosts.Monitoring

systemeventsisessentialforsecurityandsystemhealthmonitoringreasons.Awell-

establishedlogmanagementsolutionoffersseveralbenefitstoanorganization.Itensures

thatcomputersecurityrecordsarestoredinsufficientdetail,andprovidesasimplewayto

monitorandreviewtheselogs.Routinelogreviewsandcontinuousloganalysishelpto

identifysecurityincidents,policyviolations,orotheroperationalproblems.

Logsalsooftenformthebasisofauditingandforensicanalysis,producttroubleshooting

andsupport.Therearealsoseverallaws,regulationsandindustrialstandardsthat

explicitlyrequirethecentralcollection,periodicreview,andlong-timearchivingoflog

messages.ExamplesofsuchregulationsaretheSarbanes-OxleyAct(SOX),theBaselII

accord,theHealthInsurancePortabilityandAccountabilityAct(HIPAA),orthePayment

CardIndustryDataSecurityStandard(PCI-DSS).

Builtaroundthepopularsyslog-ngapplicationusedbythousandsoforganizations

worldwide,thesyslog-ngStoreBox(SSB)bringsyouapowerful,easy-to-configure

appliancetocollectandstoreyourlogs.Usingthefeaturesofthelatestsyslog-ngPremium

Editiontotheirfullpower,SSBallowsyoutocollect,process,andstorelogmessagesfrom

awiderangeofplatformsanddevices.

Alldatacanbestoredinencryptedandoptionallytimestampedfiles,preventingany

modificationormanipulation,satisfyingthehighestsecuritystandardsandpolicy

compliancerequirements.

SSB 5.3.0 User Guide

Introduction

Who uses SSB

SSBisusefulforeveryonewhohastocollect,store,andreviewlogmessages.In

particular,SSBisinvaluablefor:

lCentral log collection and archiving:SSBoffersasimple,reliable,andconvenient

wayofcollectinglogmessagescentrally.Itisessentiallyahigh-capacitylogserver

withhighavailabilitysupport.Beingabletocollectlogsfromseveraldifferent

platformsmakesiteasytointegrateintoanyenvironment.

lSecure log transfer and storage:Logmessagesoftencontainsensitiveinformation

andalsoformthebasisofaudittrailsforseveralapplications.Preventing

eavesdroppingduringmessagetransferandunauthorizedaccessoncethemessages

reachthelogserverisessentialforsecurityandprivacyreasons.

lPolicy compliance:Manyorganizationmustcomplywithregulationslikethe

Sarbanes-OxleyAct(SOX),theBaselIIaccord,theHealthInsurancePortabilityand

AccountabilityAct(HIPAA),orthePaymentCardIndustryDataSecurityStandard

(PCI-DSS).Theseregulationsoftenhaveexplicitorimplicitrequirementsaboutlog

management,suchasthecentralcollectionoflogmessages,theuseofloganalysis

topreventanddetectsecurityincidents,orguaranteeingtheavailabilityoflog

messagesforanextendedperiodoftime—uptoseveralyears.SSBhelpsthese

organizationstocomplywiththeseregulations.

lAutomated log monitoring and log pre-processing:Monitoringlogmessagesisan

essentialpartofsystem-healthmonitoringandsecurityincidentdetectionand

prevention.SSBoffersapowerfulplatformthatcanclassifytensofthousandsof

messagesreal-timetodetectmessagesthatdeviatefromregularmessages,and

promptlyraisealerts.Althoughthisclassificationdoesnotofferascompletean

inspectionasaloganalyzingapplication,SSBcanprocessmanymoremessages

thanaregularloganalyzingengine,andalsofilteroutunimportantmessagesto

decreasetheloadontheloganalyzingapplication.

SSB 5.3.0 User Guide

Introduction

SSB web interface

syslog-ngStoreBox(SSB)isconfiguredviathewebinterface.Configurationchangestake

effectautomaticallyafterclicking .Onlythemodificationsofthecurrentpageor

tabareactivated—eachpageandtabmustbecommittedseparately.

Supported web browsers

TheSSBwebinterfacecanbeaccessedonlyusingTLSencryptionandstrongcipher

algorithms.ThebrowsermustsupportHTTPSconnections,JavaScript,andcookies.Make

surethatbothJavaScriptandcookiesareenabled.

NOTE:

SSBdisplaysawarningmessageifyourbrowserisnotsupportedorJavaScriptis

disabled.

IfyouhavesuccessfullyaccessedtheSSBwebinterfaceusingHTTPSatleastonce,your

browserwillrememberthis,andonanysubsequentoccasions,itwillforceyoutoaccess

SSBusingHTTPS,evenifyoutryloadingitthroughanHTTPconnection.Thisisthanksto

theHTTPStrictTransportSecurity(HSTS)policy,whichenableswebserverstoenforce

webbrowserstorestrictcommunicationwiththeserveroveranencryptedSSL/TLS

connectionforasetperiod.WebserversdeclaretheHSTSpolicyusingaspecialStrict-

Transport-Securityresponseheaderfield.

Thismight,however,causeissuesinanyofthefollowingcases:

lWhentheSSLcertificateofSSB'swebinterfacehasexpired.Inthiscase,any

attempttoaccessthewebinterfaceusingasecureconnectionwillfailwithan

errormessage.

lWhenyouswitchthetrustedCA-signedcertificatetoaself-signedcertificatefor

SSB'swebinterface.AsperHSTSdesign,aself-signedcertificateisnottakento

havebeenissuedbyatrustedCA,thereforeanysecureconnectionstotheSSBweb

interfacewillfailwithanerrormessage.

Theresolutiontotheabove-mentionedissuesisto:

SSB 5.3.0 User Guide

SSB web interface

lRemovetheHSTSsettingsinyourbrowser.Thismustbedonelocally,ina

browser-specificway.Fordetailedinstructions,consultthesupportsiteofthe

browseryouareusing.

lUploadanewcertificate,usingadifferentbrowseronadifferentmachine.For

detailedinstructionsonhowtouploadexternalcertificatestoSSB,see"Uploading

externalcertificatestoSSB"intheAdministrationGuide.

Supported browsers:

MozillaFirefox52ESR

WealsotestSSBonthefollowing,unsupportedbrowsers.ThefeaturesofSSBare

availableandusableonthesebrowsersaswell,butthelookandfeelmightbedifferent

fromthesupportedbrowsers.InternetExplorer11,MicrosoftEdge,andthecurrently

availableversionofMozillaFirefoxandGoogleChrome.

SSB 5.3.0 User Guide

SSB web interface

Searching log messages

ThissectiondescribeshowtobrowsethelogmessagescollectedonSSB.

lUsingthesearchinterfaceonpage11explainshowtouseandcustomizethesearch

interface,describesthelogmessagedatathatisavailableonSSB,andprovides

examplesofthethewildcardandbooleansearchoperatorsyoucanuse.

lSearchingencryptedlogspacesonpage27describeshowtodecryptandbrowse

encryptedlogspaces.

Using the search interface

SSBhasasearchinterfaceforbrowsingthecollectedlogmessages.Youcanchoosethe

logspace,enterasearchexpression,specifythetimeframe,andbrowsetheresultshere.

Thissectionwalksyouthroughthemainpartsofthesearchinterface.

Toaccessthesearchinterface,navigatetoSearch > Logspaces.

SSB 5.3.0 User Guide

Searching log messages

Figure 1: Search > Logspaces — The log message search interface

Logspaces:

Tochoosetheappropriatelogspace,usetheLogspace namemenu.Notethatyoucannot

accessplaintextlogspacesontheSSBsearchinterface.

Formoreinformationontheavailablelogspaces,andhowtoconfigurethem,see"Storing

messagesonSSB"intheAdministrationGuide.

Search:

Onthelogmessagesearchinterface,youcanusetheSearch expressionfieldtosearch

thefulllistoflogmessages.Searchexpressionsarecaseinsensitive,withtheexceptionof

operators(likeAND,OR,etc.),whichmustalwaysbecapitalized.Clickthe icon,orsee

Usingcomplexsearchqueriesformoredetails.

Whensearchinglogmessages,thecapabilitiesofthesearchenginedependonthe

delimitersusedtoindextheparticularlogspace.Fordetailsonhowtoconfigurethe

delimitersusedforindexing,see"Creatinglogstores"intheAdministrationGuide.

NOTE:

Youcansearchinindexedlogspaceseveniflogtrafficisdisabled.

Youcancreatecomplexsearchesusingwildcardsandbooleanexpressions.Formore

informationandpracticalexamples,seeUsingcomplexsearchqueries.

SSB 5.3.0 User Guide

Searching log messages

NOTE:

SSBonlyindexesthefirst59charactersofeveryname-valuepair(parameter).This

hastwoconsequences:

lIftheparameterislongerthan59characters,anexactsearchmightdeliver

multiple,impreciseresults.

Considerthefollowingexample.Iftheparameteris:

.sdata.security.uid=2011-12-08T12:32:25.024+01:00-hostname-12345

SSBindexesitonlyas:

.sdata.security.uid=2011-12-08T12:32:25.024+01:00-hostname-

Thiscorrespondstothefirst59characters.Asaresult,searchingfor:

nvpair:.sdata.security.uid=2011-12-08T12:32:25.024+01:00-hostname-12345

returnsalllogmessagesthatcontain:

.sdata.security.uid=2011-12-08T12:32:25.024+01:00-hostname-

lUsingwildcardsmightleadtotheomissionofcertainmessagesfromthe

searchresults.

Usingthesameexampleasabove,searchingforthevalue:

nvpair:*=2011-12-08T12:32:25.024+01:00-hostname-12345

doesnotreturnanyresults(asthe12345partwasnotindexed).Instead,you

havetosearchfor:

nvpair:*=2011-12-08T12:32:25.024+01:00-hostname-*

This,asexplainedabove,mightfindmultipleresults.

Overview:

Displaysthenumberoflogmessagesintheselectedtimeinterval.

Figure 2: Search > Logspaces — Log message overview

Usethe and iconstozoom,andthearrowstodisplaythepreviousorthenext

intervals.Tochangethetimeframe,youcan:

lChangethebeginningandtheenddate.

lClickanddragthepointeracrossaperiodonthecalendarbarstoselectaspecific

SSB 5.3.0 User Guide

Searching log messages

intervalandzoomin.

lUse the Jump to last option to select the last 15 minutes, hour, 6 hours,

day, or week.

Hoveringthemouseaboveabardisplaysthenumberofresults,andthestartandenddate

oftheperiodthatthebarrepresents.Clickabartodisplaytheresultsofthatperiodinthe

table.UseShift+Clicktoselectmultiplebars.

Action bar:

Thesearchinterfaceprovidesanactionbarthatallowsyouto:

lFetchalinktoasearchquery.

lExportsearchresultsintoacsvfile.

lCreateacontent-basedalert.

Italsodisplaysthefollowinginformation:

lErrorandwarningmessages.

lThenumberofsearchresultsreturnedbyasearchquery.

Figure 3: Search > Logspaces: Action bar

Link to a search query:

Onclicking ,theBookmark linkspanelisdisplayed:

Figure 4: Search > Logspaces — Bookmark links panel

Bookmarklinksallowyoutofetchalinktoasearchquerysothatyoucan:

lShareyoursearchquerieswithcolleagues,whocanthenaccesstherelevantsearch

resultsinoneclick.

lSavefrequentlyusedsearchqueriesasbookmarklinks.

ThelinkintheCurrent viewfieldprovidesadirectlinktoyoursearchqueryandits

resultscurrentlydisplayedonyourscreen.Wheneveryouopenthebookmarkedlinkfrom

yourbrowser,itwillalwaysreturnthesame,fixedsetofresults.Thestartandenddate

SSB 5.3.0 User Guide

Searching log messages

thatyousetwhenexecutingthesearchqueryandfetchingthelinkfromtheBookmark

linkspanelremainfixed.

TheLastmenu,ontheotherhand,allowsyoutospecifyanintervaloftime,forexample,

thelast15minutesorthelasthour,andfetchsearchresultsgeneratedwithinthatperiod.

Thesearchresultsthatyouaccessusingthislinkmaydifferontwodifferentoccasionsas

thestartpointofthespecifiedintervalisalwaysthemomentyouopenthebookmarked

linkfromyourbrowser.

CSV export:

Onclicking ,theCSV exportpanelisdisplayed:

Figure 5: Search > Logspaces — CSV export panel

Clicking exportsyoursearchresultsintoaCSVfile.Thissavesthe

tableasatextfilecontainingcomma-separatedvalues.Notethatifanerroroccurswhen

exportingthedata,theexportedCSVfilewillincludealine(usuallyasthelastlineofthe

file)startingwithazeroandthedetailsoftheproblem,forexample,0<description_of_

the_error>.

CAUTION:

Do not use Download CSV export to export large amounts of data, as

exporting data can be very slow, especially if the system is under heavy

load. If you regularly need a large portion of your data in plain text

format, consider using the SSB RPC API (for details, see "The SSB RPC

API" in the Administration Guide), or sharing the log files on the network

and processing them with external tools (for details, see "Accessing log

files across the network" in the Administration Guide).

Alert:

Thealertfunctionalityenablesyoutosetupcontent-basedalertsforsearchexpressionsof

yourchoice.Youwillreceiveanalertwhenamatchisfoundbetweenthesearchexpression

andthecontentsofalogmessage.Notethatthealertsaregeneratedforonlythoselog

messagesthatarestoredinthelogspace(s)forwhichyousetupthealert.

Fordetailedinformationoncontent-basedalerts,see"Creatingcontent-basedalerts"inthe

AdministrationGuide.

Errors and warnings:

Whenanyuseractionresultsinanerrorcondition(forexample,ifyouenteraninvalid

searchexpression,displaystatisticsforacolumnthathasnotbeenindexed),anerroror

SSB 5.3.0 User Guide

Searching log messages

warningnotificationwillbedisplayedontheactionbar.Errorsareshowninredletters,

warningsaredisplayedinamber.

Ifthereismorethanonenotification,thelatestwillbedisplayedandthenumberof

notificationstriggeredwillalsobeindicated.ClickingthenotificationwillopenanErrors

and warningspanel:

Figure 6: Search > Logspaces — Errors and warnings panel

TheErrors and warningspaneldisplaysalistoferrors/warningswiththeirtimestamp

anddetailsoftheircause.

Youcanclearnotificationsonebyonebyclicking nexttothethem,orclearallofthem

byclicking .

Search results:

Afterrunningasearchquery,theactionbardisplaysthenumberofsearchresultsreturned

bythequery.Thisisusefulinformationwhenyouaretryingtofindouthowoftenacertain

elementappearsinthelogs.

List of log messages:

UsethearrowkeysandthePage UpandPage Downkeystonavigatethelistedlog

messages,orusethemousewheeltoscroll.Youcandisablemousewheelscrollinginyour

User menu > Preferences.Ifdataistoolongtofitononeline,itisautomatically

wrappedandonlythefirstlineisdisplayed.

SSB 5.3.0 User Guide

Searching log messages

Figure 7: Search > Logspaces — List of log messages

Details of a log message:

To expand a row in the list of log messages, click . The complete log message is

displayed:

Figure 8: Search > Logspaces — Viewing a single log message

Usethearrowkeystojumptothepreviousorthenextlogmessage.

UsethePage UpandPage Downtojumptothe10thlogmessagebeforeorafterthecurrently

displayedlogmessage.Youcanalsojumptothepreviousorthenextlogmessagewiththe

mousewheel.

Ifthedisplayedlogmessageconsistsofseveralpagesofdata,youcanconfigurethe

mousewheeltobeabletouseitforscrollingthemessagevertically.Todothis,navigate

toUser menu > Preferences,deselectMousewheel scrolling of search resultsand

clickSet options.Thiswilldisablejumpingbetweenlogmessageswiththemousewheel.

Youcanperformthefollowingactions:

lClickanywordinthemessagetocopyittotheSearchfield.

lClickanyofthedynamiccolumns(name-valuepairs)toadditasacolumntothelist

SSB 5.3.0 User Guide

Searching log messages

oflogmessages.

lClickanyofthe iconstoviewthestatisticsoftheselectedcategory.

Toreturntothelistofalllogmessages,click .

Customizing columns of the log message

search interface

The following describes how to customize the data displayed on the log message

search interface.

To customize the data displayed on the log message search interface

1. ClickCustomize columns.

Theparametersusedforthecolumnswhendisplayinglogmessagesarelistedunder

Displayed columns.AllotheravailableparametersarelistedunderAvailable

static columnsandAvailable dynamic columns.

Dynamiccolumnsarecreatedfromstructureddataparameters(name-valuepairs)

inlogmessagesstoredonSSB.Structureddataparametersaredetectedandadded

tothelistofcustomizablecolumnsautomatically.(Formoreinformationonthe

structureddatapartoflogmessages,see"TheSTRUCTURED-DATAmessagepart"in

theAdministrationGuide.)

NOTE:

ToexportthesearchresultsintoaCSVfile,click ontheactionbar.Note

thattheCSVfileincludesallthestaticcolumnsandthedisplayeddynamic

columns.

SSB 5.3.0 User Guide

Searching log messages

Figure 9: Search > Logspaces > Customize columns — Customizing

columns of the log message search interface

2. ToaddastaticcolumntotheDisplayed columns,click .

3. ToaddadynamiccolumntotheDisplayed columns,chooseaname-valuepair

fromAvailable dynamic columnsandclick .

Theselectednamegeneratesanew,separatedynamiccolumnwitha<name>

heading(where<name>isthenameofthekey).Therelevantvaluesaredisplayed

inthecellsoftherespectivecolumn.

4. ToremoveparametersfromtheVisible columns,click .

5. Todisplaythefullcontentofeachcolumn(includingthelogmessages),enableShow

full content of columns.

Metadata collected about log messages

Thefollowinginformationisavailableaboutthelogmessages:

lProcessed Timestamp:ThedatewhenSSBreceivedthelogmessageinYEAR-MONTH-

DAY HOUR:MINUTE:SECONDformat.

lTimestamp:Thetimestampreceivedinthemessage—thetimewhenthelog

messagewascreatedinYEAR-MONTH-DAY HOUR:MINUTE:SECONDformat.

lFacility:Thefacilitythatsentthemessage.

lPriority:Thepriorityvalueofthemessage.

lProgram:Theapplicationthatcreatedthemessage.

lPid:Theprogramidentifieroftheapplicationthatcreatedthemessage.

lHost:TheIPaddressorhostnameoftheclientthatsentthemessagetoSSB.

SSB 5.3.0 User Guide

Searching log messages

lMessage:Thetextofthelogmessage.

lTag:Tagsassignedtothemessagematchingcertainpatterndatabaserules.

lId:UniqueIDofthemessage.

lclassifier.rule_id:IDofthepatterndatabaserulethatmatchedthemessage.

lclassifier.class:Descriptionofthepatterndatabaserulethatmatchedthemessage.

lDynamic columns, created from additional name-value pairs, might also be

available.

Using complex search queries

Youcanusewildcardsandbooleanexpressions,andsearchspecificpartsofthelog

messagescollectedonSSB.

NOTE:

Whensearchinglogmessages,thecapabilitiesofthesearchenginedependonthe

delimitersusedtoindextheparticularlogspace.Bydefault,theindexerusesthe

followingdelimitercharacterstoseparatethemessageintowords(tokens):& : ~ ?

! [ ] = , ; ( ) ' ".Fordetailsonhowtoconfigurethedelimitersusedforindexing,

see"Creatinglogstores"intheAdministrationGuide.

NOTE:

Itisnotpossibletosearchforthewhitespace( )characterintheMESSAGEpartof

thelogmessage,sinceitisahard-codeddelimitercharacter.

Thefollowingsectionsprovideexamplesfordifferentsearchqueries:

lForexamplesofexactmatches,seeSearchingforexactmatchesandusingcomplex

queriesonpage20.

lForexamplesofusingbooleanoperatorstocombinesearchkeywords,see

Combiningsearchkeywordsonpage21.

lForexamplesofwildcardsearches,seeUsingwildcardsearchesonpage22.

lForexamplesofsearchingforspecialcharacters,seeSearchingforspecial

charactersonpage24.

lForexamplesofsearchinginaspecificpartofthemessage,seeSearchingina

specificpartofthemessageonpage25.

lForexamplesofsearchingname-valuepairs,seeSearchingthename-valuepairsof

themessageonpage25.

Searching for exact matches and using complex queries

Bydefault,SSBsearchesforkeywordsaswholewordsintheMESSAGEpartofthelog

messageandreturnsonlyexactmatches.

SSB 5.3.0 User Guide

Searching log messages

Table of contents

Popular Storage manuals by other brands

Xycom

Xycom XVME-979 manual

Freecom

Freecom TOUGH DRIVE PINK Specifications

MSW

MSW MSW-STSH-19 user manual

Dell

Dell PowerVault MD3060e Series Getting started guide

Seagate

Seagate ST2400MM0129 product manual

HP StorageWorks AF204A Quickspecs

Crafstman

Crafstman CMXMSAJ94995 instruction manual

Dell

Dell PowerVault 132T LTO Handbook

HP Alletra 4120 Product End-of-Life Disassembly Instructions

Dot Hill Systems

Dot Hill Systems AssuredSAN 6004 Cli reference guide

ACP-EP Memory

ACP-EP Memory ACP-EP Product sheet

IBM

IBM Cloud Object Storage System Slicestor 2212... Appliance Manual

Hallowell

Hallowell 400 Series Assembly Instructions/Parts Manual

Cavalry

Cavalry CAUPT25160 user manual

Hama

Hama Vilitas FlashPen USB 3.0 Operating instruction

Fujitsu

Fujitsu Eternus DX80 S2 manual 

ioSafe

ioSafe SoloPRO eSATA/USB 2.0 user manual

Western Digital

Western Digital My Passport WDML2500 user manual

One Identity syslog-ng Store Box 5.3.0 User manual

Popular Storage manuals by other brands