syslog-ng Store Box

syslog-ng Store Box™ (SSB) is a high performance, high-reliability log management appliance that builds on the strengths of syslog-ng Premium Edition.

With SSB, you can collect and index log data, perform complex searches, secure sensitive information with granular access policies, generate reports to demonstrate compliance, and forward log data to 3rd party analysis tools.

Key features

Collect and index

The syslog-ng Store Box’s indexing engine is optimized for performance. Depending on its exact configuration, one syslog-ng Store Box can collect and index up to 100,000 messages per second for sustained periods. When deployed in a client-relay configuration, a single SSB can collect logs from tens of thousands of log sources.

Search and report

With full-text search, you can search through billions of logs in seconds via the web-based user interface. Wildcards and boolean operators allow you to perform complex searches and drill down on the results. Users can easily create customized reports from the charts and statistics they create on the search interface to demonstrate compliance with standards and regulations such as PCI-DSS, ISO 27001, SOX and HIPAA.

Store and forward

You can store large amounts of log data, create automated retention policies, and backup data to remote servers. The largest appliance can store up to 10 terabytes of uncompressed data. You can also forward logs to 3rd party analysis tools or fetch data from syslog-ng Store Box via its REST API.

Secure log data

Log data frequently contains sensitive information. SSB can store log data in encrypted, compressed, and time-stamped binary files restricting access to authorized personnel only. Authentication, Authorization and Accounting settings can restrict access to the SSB configuration and stored logs based on usergroup privileges and can be integrated with LDAP and Radius databases.

Additional Features

Parse key-value pairs

syslog-ng Store Box can separate a message consisting of whitespace or comma-separated key-value pairs (for example firewall logs) into name-value pairs.

Normalize with PatternDB

The syslog-ng application can compare the contents of the log messages to a database of predefined message patterns.

Real-time classification

By comparing log messages to known patterns, syslog-ng is able to identify the exact type of the messages and sort them into message classes. The message classes can be used to classify the type of event described in the log message. The message classes can be customized, and, for example, can label the messages as user login, application crash, file transfer, etc.

Message Rate Alerting

SSB can be configured to send alerts based on the number of messages being received from sources. Minimum and maximum log message thresholds for specified time periods can be set to monitor the log management infrastructure for any performance issues.

Parse sudo log messages

Privileged user accounts represent the highest security risk, as they allow access to the most sensitive data and resources. The sudo parser enables you to enrich your log message data with details of privilege escalation events.

Extract important information

In addition to classifying messages, you can also add different tags which can be used later for filtering messages, for example, to collect messages tagged as user_login to a separate file or to perform conditional post-processing on the tagged messages.

Real-time event correlation

syslog-ng also makes real-time event correlation possible. This can be useful in many different situations. For example, important data for a single event is often scattered into multiple syslog messages. Also, login and logout events are often logged far away from each other, even in different log files, making log analysis difficult. Using correlation these can be collected into a single new message.


You can run your virtual SSB instances both in Amazon Web Services and in Microsoft Azure.

syslog-ng Premium Edition

The syslog-ng Premium Edition™ (PE) logging solution allows enterprises to build a powerful, trusted and centralized logging infrastructure for reviewing and auditing log messages of over 40 platforms. With syslog-ng PE business and IT managers can easily meet compliance requirements while lowering operational costs.


Why use syslog-ng Premium Edition™ for log collection?

It can collect and classify the log messages of IT devices, operating systems and applications and transfer them to the high-performance log server in a reliable channel. In other words, you can utilize syslog-ng PE as a standard log management tool: collect, classify, filter and store logs on a compliant way tailored exactly to fit in your heterogeneous IT environment.

How can syslog-ng PE help your business?

Regulatory Compliance

If your organization is subject to internal (e.g., COBIT) or external regulations (e.g., PCI-DSS or ISO2700x) and has to audit its IT infrastructure, syslog-ng PE helps you to secure your logging infrastructure by storing the log messages in signed, encrypted, and timestamped log files. Building your logging infrastructure on syslog-ng PE will enable you passing compliance audits easily, and simplify localizing evidence in forensics situations, as well.

Improving SIEM operation

You can significantly improve the reliability of your Security Information and Event Management (SIEM) solution with only a small extra cost, if you connect your existing system with syslog-ng PE. It is the best tool to optimize preprocessing and to get the best TCO out of your SIEM installation. The syslog-ng application is fully compatible with all widespread log analyzer and SIEM solutions.

Upgrading from Open Source Edition

Infrastructures based on syslog-ng Open Source Edition™ (OSE) are increasingly becoming corporate value. Comparing to OSE version, syslog-ng PE is a regularly maintained and quality assured solution resulting in less operational risk for IT managers. Syslog-ng PE is perfectly compatible with the OSE version, so upgrading is simple and effortless.