Using the syslog-ng Store Box (SSB) in front of Splunk

The syslog-ng application was used for many years as a log collection layer in front of Splunk. But why use a full-blown log management appliance with a graphical user interface instead of a simple command line application? I learned the answers at Red Hat Summit while talking to my fellow Balabit engineers and booth visitors.

Before delving into details about SSB, let me revisit some of the typical “syslog-ng in front of Splunk” use cases:

  • collecting syslog messages
  • filtering syslog messages to lower data load on Splunk
  • long-term message storage
  • evening out peak message rates

Why SSB instead of syslog-ng

Any of the above uses can be easily configured by editing the syslog-ng.conf file. What is missing? Hardcore Linux / UNIX users would say “nothing” as:

  • using logrotate, they have log life cycle management,
  • using awk / grep, they can find any information in log messages, and
  • using filters in syslog-ng, they can easily make sure that relevant log messages reach Splunk

While they are right – at least in most parts – SSB can make life a lot easier. First of all, you don’t have to integrate components yourself and edit configurations by hand, but have full log life cycle management integrated into a simple-to-use appliance. Using the web interface, you can easily configure log collection, processing, filtering, storage, and also log retention.

When SSB stores log messages, it also indexes them. This makes searching a lot more efficient. Using a simple grep command on tens of gigabytes of log messages takes considerable time and resources. The same search takes just a fraction of a second on indexed log messages, meaning that you can narrow your searches very quickly to the relevant log messages.

Easy access to all logs

In a typical setup, syslog-ng collects all of the log messages from client machines but only forwards a fraction of them to Splunk, for example, authentication-related messages for security monitoring, router logs to another Splunk module, and so on. But when it comes to daily operation, there are no sharp boundaries, everything is related to everything, at least to some degree.

This is where SSB comes to the rescue: it provides an easy-to-use web interface to access all log messages. While different departments – like security – can use the specialized reports Splunk provides them, those who need access to all data can browse through any logs easily.

How to get logs to Splunk

If you have a really low message rate, you can send logs from SSB to Splunk using the syslog protocol. But this method is not really recommended.

SSB can also export logs over SMB and NFS protocols. In this case, a machine mounts these directories, and a Splunk forwarder running on it reads the log messages and sends them to Splunk.

Another option is to forward logs from SSB to a machine running syslog-ng, which saves logs to a directory structure as expected by the Splunk forwarder.


If you want to learn more about SSB, check for more information.