One Identity syslog-ng Store Box 5.3.0, User Manual

Share

Page: 27 / 45

One Identity syslog-ng Store Box 5.3.0 User Manual Download Page 27

NOTE:

SSB only indexes the first 59 characters of every name-value pair (parameter). This
has two consequences:

l

If the parameter is longer than 59 characters, an exact search might deliver
multiple, imprecise results.

Consider the following example. If the parameter is:

.sdata.security.uid=2011-12-08T12:32:25.024+01:00-hostname-12345

SSB indexes it only as:

.sdata.security.uid=2011-12-08T12:32:25.024+01:00-hostname-

This corresponds to the first 59 characters. As a result, searching for:

nvpair:.sdata.security.uid=2011-12-08T12:32:25.024+01:00-hostname-12345

returns all log messages that contain:

.sdata.security.uid=2011-12-08T12:32:25.024+01:00-hostname-

l

Using wildcards might lead to the omission of certain messages from the
search results.

Using the same example as above, searching for the value:

nvpair:*=2011-12-08T12:32:25.024+01:00-hostname-12345

does not return any results (as the

12345

part was not indexed). Instead, you

have to search for:

nvpair:*=2011-12-08T12:32:25.024+01:00-hostname-*

This, as explained above, might find multiple results.

Search performance tips

To decrease the load on SSB when searching and receive your search results faster, note
the following points.

l

Use as small a time range as possible

l

Prefer AND instead of OR

l

Avoid unneeded wildcard characters, such as

*

and

?

l

Use wildcard characters at the end of the tokens if possible

Searching encrypted logspaces

By default, you cannot browse encrypted logstores from the SSB web interface, because
the required decryption keys are not available on SSB. To make browsing and searching
encrypted logstores possible, SSB provides the following options:

SSB 5.3.0 User Guide

Searching log messages

27

«
...
25
26
27
28
29
...
»

Summary of Contents for syslog-ng Store Box 5.3.0

Page 1: ...syslog ng Store Box 5 3 0 User Guide...

Page 2: ...OUT OF THE USE OR INABILITY TO USE THIS DOCUMENT EVEN IF ONE IDENTITY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES One Identity makes no representations or warranties with respect to the accur...

Page 3: ...lex search queries 20 Searching encrypted logspaces 27 Using persistent decryption keys 28 Using session only decryption keys 29 Creating reports from log data 31 Creating custom statistics from log d...

Page 4: ...Technical support resources 45 SSB 5 3 0 User Guide 4...

Page 5: ...tended for auditors consultants and security experts responsible for auditing monitoring and troubleshooting applications and server administration processes It is also useful for IT decision makers l...

Page 6: ...log messages from a wide range of platforms including Linux Unix BSD Sun Solaris HP UX IBM AIX IBM System i as well as Microsoft Windows l Forwards messages to log analyzing engines l Classifies mess...

Page 7: ...m health monitoring reasons A well established log management solution offers several benefits to an organization It ensures that computer security records are stored in sufficient detail and provides...

Page 8: ...and Accountability Act HIPAA or the Payment Card Industry Data Security Standard PCI DSS These regulations often have explicit or implicit requirements about log management such as the central collec...

Page 9: ...en if you try loading it through an HTTP connection This is thanks to the HTTP Strict Transport Security HSTS policy which enables web servers to enforce web browsers to restrict communication with th...

Page 10: ...load external certificates to SSB see Uploading external certificates to SSB in the Administration Guide Supported browsers Mozilla Firefox 52 ESR We also test SSB on the following unsupported browser...

Page 11: ...earch operators you can use l Searching encrypted logspaces on page 27 describes how to decrypt and browse encrypted logspaces Using the search interface SSB has a search interface for browsing the co...

Page 12: ...e case insensitive with the exception of operators like AND OR etc which must always be capitalized Click the icon or see Using complex search queries for more details When searching log messages the...

Page 13: ...5 024 01 00 hostname l Using wildcards might lead to the omission of certain messages from the search results Using the same example as above searching for the value nvpair 2011 12 08T12 32 25 024 01...

Page 14: ...ning messages l The number of search results returned by a search query Figure 3 Search Logspaces Action bar Link to a search query On clicking the Bookmark links panel is displayed Figure 4 Search Lo...

Page 15: ...nload CSV export to export large amounts of data as exporting data can be very slow especially if the system is under heavy load If you regularly need a large portion of your data in plain text format...

Page 16: ...can clear notifications one by one by clicking next to the them or clear all of them by clicking Search results After running a search query the action bar displays the number of search results retur...

Page 17: ...evious or the next log message with the mouse wheel If the displayed log message consists of several pages of data you can configure the mouse wheel to be able to use it for scrolling the message vert...

Page 18: ...isplayed columns All other available parameters are listed under Available static columns and Available dynamic columns Dynamic columns are created from structured data parameters name value pairs in...

Page 19: ...lumn including the log messages enable Show full content of columns Metadata collected about log messages The following information is available about the log messages l Processed Timestamp The date w...

Page 20: ...istration Guide NOTE It is not possible to search for the whitespace character in the MESSAGE part of the log message since it is a hard coded delimiter character The following sections provide exampl...

Page 21: ...can also be constructed with parentheses Example Combining keywords in search Search expression keyword1 AND keyword2 Matches returns log messages that contain both keywords Search expres sion keywor...

Page 22: ...in search The question mark wildcard means exactly one arbitrary character Note that it does not work when trying to find non UTF 8 or multibyte characters If you want to search for these characters t...

Page 23: ...Wildcard characters also work in any message part for example program postfix Search expression example Matches example examples example com Does not match query by example example Search expression...

Page 24: ...with a backslash Any character after a backslash is handled as a character to be searched for NOTE Delimiter characters are an exception to the rule It is not possible to search for delimiter characte...

Page 25: ...ng application Searching the name value pairs of the message You can search the structured data part of log messages using the nvpair prefix Use the delimiter to separate the name and the value of st...

Page 26: ...ic name add the character after the name Search expression nvpair event_type Matches All log messages where an event_type name exists Example Searching for parameter values To search for a specific va...

Page 27: ...esults Using the same example as above searching for the value nvpair 2011 12 08T12 32 25 024 01 00 hostname 12345 does not return any results as the 12345 part was not indexed Instead you have to sea...

Page 28: ...e stored on SSB but they are only made available for this user account and can also be protected encrypted with a passphrase To use persistent decryption keys 1 Select User menu Private keystore A pop...

Page 29: ...Click Apply Using session only decryption keys You can upload decryption keys to browse encrypted logspaces for the duration of the session only These keys are automatically deleted when you log out...

Page 30: ...r upload the certificate used to encrypt the logstore 4 Select Key A pop up window is displayed 5 Paste or upload the private key of the certificate used to encrypt the logstore 6 Repeat Steps 2 5 to...

Page 31: ...eating custom statistics from log data SSB can create statistics from the Facility Priority Program Pid Host Tags and classifier class columns Use Customize columns to add the required column if neces...

Page 32: ...mber logspaces In this case SSB displays the Number of member statistics has too many entries error message Figure 13 Search Logspaces Displaying log statistics as Bar chart In Pie chart List view per...

Page 33: ...played in the Count part of the Host pie chart To avoid this do not navigate to the future If this has already happened save the search expression that you have used somewhere and then refresh the pag...

Page 34: ...al tools for details see Accessing log files across the network in the Administration Guide Creating reports from custom statistics You can save log statistics to include them in reports as a subchapt...

Page 35: ...the member logspaces In this case SSB displays the Number of member statistics has too many entries error message 6 Select the user group that can access the subchapter in the Grant access for the fol...

Page 36: ...The reports created from custom statistics are listed at the end 5 Use the arrows to change the order of the subchapters if needed 6 To specify how often SSB should create the report select the relev...

Page 37: ...ect Recipient Custom address and enter the email address where the reports should be sent Click to list multiple email addresses if needed 9 Click Browsing reports The generated reports are available...

Page 38: ...te a report for the current day select Generate reports for today The report will contain data for the 00 00 current time interval If artificial ignorance for details see Classifying messages with pat...

Page 39: ...ss to the Search Logs object on the AAA Access Control page l Or the user group has been added under the Access control option of the relevant logspace on the Log Logspaces page There are two ways to...

Page 40: ...record an alert target Figure 18 Policies Alert targets Alert targets page c Enter a name for your alert target NOTE Alert target names must be unique d In the Target email address field enter the em...

Page 41: ...onfiguring an email address from where you wish to receive emails can be useful for filtering purposes If you do not specify such an email address a default one will be used For detailed instructions...

Page 42: ...a prefix before alert names can help avoid specifying a name that is already in use 8 Select a target from Targets You can select multiple targets if you wish to distribute the alert to multiple email...

Page 43: ...ick The new tab that opens allows you to specify a content based alert Figure 21 Search Content Based Alerts Setting up content based alerts on the Search 5 Enter a name for your alert NOTE Alert name...

Page 44: ...on logspace mylogspace alert myalert search expression mysearchexpression To review these matches on your SSB appliance see https IP_address_of_SSB port_number index php _backend SearchLogspace logsp...

Page 45: ...One Identity customers with a valid maintenance contract and customers who have trial versions You can access the Support Portal at https support oneidentity com The Support Portal provides self help...

Reviews:

No comments

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands