The syslog-ng Store Box (SSB) appliance, built on syslog-ng Premium Edition (PE), offers a user-friendly graphical interface while retaining most of syslog-ng PE’s robust features. A key application of SSB and syslog-ng PE is enhancing the logging infrastructure for SIEM/log analysis. Notably, SSB has recently added support for log analytics destinations like Splunk HEC (HTTP Event Collector) and Microsoft Sentinel.
The SSB appliance is versatile in collecting log messages from a wide range of sources in various formats, including UNIX/Linux/Windows system logs, firewall and router logs, application logs, and now SQL sources. SSB is equipped to parse, rewrite, filter, and store log messages effectively. Beyond these core syslog-ng functionalities, SSB offers advanced features such as log message search and comprehensive log lifecycle management, including archiving and backup. Additionally, SSB can forward events to multiple on-premises and cloud destinations. This capability enables you to streamline your SIEM installations by collecting log messages once, storing them on SSB, and then forwarding a reduced subset to various analytics tools, optimizing both resources and licensing.
Before you begin
Version 6.6 of the SSB appliance introduced support for the Splunk destination, while version 6.7 was the first to support the Sentinel destination. Both features have since received numerous performance improvements, bug fixes, and minor enhancements. Therefore, it is advisable to always use the latest version for the best experience. If you haven’t tried SSB yet, you can download a 30-day free trial at syslog-ng.com.
Configuring and testing SSB
Once you have SSB up and running, adding a Splunk HEC or Sentinel destination and performing basic configuration is straightforward. Before starting the configuration, gather essential information from your Splunk or Sentinel administrator:
- For Sentinel, you’ll need the Workspace ID and the Auth Secret.
- For Splunk, you’ll need the Token, index name, and URL.
This is the minimum information required to begin. With this data ready, you can configure SSB. Log in as an administrator, navigate to the Log menu, and select Destinations. By default, Remote Host (a remote syslog destination) is selected. Depending on your environment, click on Splunk or Sentinel to proceed:
Enter the information you collected earlier into the relevant fields and give your new destination a name. Once done, click on Commit to save.
You are now almost ready for initial testing. Although you have a new destination, it is not yet connected. To connect it, you need to add it to a log path. When you install syslog-ng, a preconfigured log path collects all incoming network logs to a destination called Center. Add your newly created destination below Center by selecting its name from the drop-down list.
After committing the changes, you are ready for initial testing. To test, you need some log messages. You can either direct a syslog-ng client to one of the SSB’s network sources or use the syslog-ng loggen utility to generate log messages.
For low message rates, the default configuration works well. However, if you expect a higher message rate (over 10k events per second), consider performance tuning. You can adjust the number of parallel connections, the number of messages sent at once, and for Splunk, configure multiple destination URLs. Syslog-ng will then automatically load-balance log messages among the URLs without requiring additional software components.
Source: https://www.syslog-ng.com/community/b/blog#pifragment-836=5
About DT Asia
DT Asia began in 2007 with a clear mission to build the market entry for various pioneering IT security solutions from the US, Europe and Israel.
Today, DT Asia is a regional, value-added distributor of cybersecurity solutions providing cutting-edge technologies to key government organisations and top private sector clients including global banks and Fortune 500 companies. We have offices and partners around the Asia Pacific to better understand the markets and deliver localised solutions.
