For the best web experience, please use IE11+, Chrome, Firefox, or Safari

syslog-ng Store Box

High performance, enterprise-class log management appliance. The syslog-ng Store Box™ (SSB) is a high-performance, high-reliability log management appliance that builds on the strengths of syslog-ng Premium Edition. With SSB, you can search logs, secure sensitive information with granular access policies, generate reports to demonstrate compliance and forward log data to third-party analysis tools.
syslog-ng Store Box, a turnkey appliance to manage your log data 02:59

Key features

Collect and index

The syslog-ng Store Box’s indexing engine is optimized for performance. Depending on its exact configuration, one syslog-ng Store Box can collect and index up to 100,000 messages per second for sustained periods.

When deployed in a client-relay configuration, a single SSB can collect logs from tens of thousands of log sources

Flexible collection

Every installation of SSB comes with the possibility of using syslog-ng Premium Edition as log collection agents or relay servers at no additional cost.

Installers are available for 50+ platforms, including the most popular Linux distributions, commercial flavors of UNIX and Windows.

Scalable indexing

The syslog-ng Store Box is optimized for performance, and can handle enormous amounts of messages.

Depending on its configuration, it can index over 100,000 messages per second for sustained periods and process over 70 GB of raw logs per hour.

Real time processing

SSB can sort the incoming logs based on their content and various parameters. Directories, files and database tables can be created dynamically using macros.

Complex filtering using regular expressions and boolean operators offers almost unlimited flexibility to forward only the important messages to the selected destinations.

Search and report

With full-text search, you can search through billions of logs in seconds via the web-based user interface. Wildcards and boolean operators allow you to perform complex searches and drill down on the results.

Users can easily create customized reports from the charts and statistics they create on the search interface to demonstrate compliance with standards and regulations such as PCI-DSS, ISO 27001, SOX and HIPAA.

Web-based UI

SSB has an intuitive web-based user interface for configuring, searching, drilling down and generating reports. It's easy to get an overview and quickly identify problems.

This user interface is exclusive to SSB and is not available separately for syslog-ng Premium Edition, which remains a purely command line interface solution.

Content-based alerting

SSB offers an automatic search functionality for quicker detection of anomalies: it is able to perform continuous search on the incoming log data and send alerts when predefined critical events are detected.

The alerts are actionable, so the detailed investigation of the corresponding logs can immediately and easily be started.

Federated search

SSB collects and indexes logs in virtual containers called logspaces that enable organizations to segment their log data based on any number of criteria and restrict access to logs based on user profiles.

With the federated search feature, you can search in multiple logspaces whether on the same SSB appliance or located on a different appliance even at a remote location.

Store and forward

You can store large amounts of log data, create automated retention policies, and backup data to remote servers.

The largest appliance can store up to 10 terabytes of uncompressed data.

You can also forward logs to 3rd party analysis tools or fetch data from syslog-ng Store Box via its REST API.

Automated backup

SSB provides automated data archiving to remote servers. The data on the remote server remains accessible and searchable.

SSB uses the remote server as a network drive via the Network File System (NFS) or the Server Message Block (SMB/CIFS) protocol.

REST API

SSB can forward logs to 3rd party analysis tools or fetch data from SSB via its REST API.

You can access the API using a RESTful protocol over HTTPS, meaning that you can use any programming language that has access to a RESTful HTTPS client to integrate SSB into your environment, including popular languages such as Java and Python.

Secure log data

Log data frequently contains sensitive information. SSB can store log data in encrypted, compressed, and time-stamped binary files restricting access to authorized personnel only.

Authentication, Authorization and Accounting settings can restrict access to the SSB configuration and stored logs based on usergroup privileges and can be integrated with LDAP and Radius databases.

Granular access control

Authentication, authorization and accounting settings provide granular access control restricting access to the SSB configuration and stored logs based on usergroup privileges.

SSB can be integrated with LDAP and Radius databases.

Encrypted log store

SSB’s logstore stores log data in encrypted, compressed, and timestamped binary files, restricting access to authorized personnel only.

The largest SSB appliance can store up to 10 terabytes of uncompressed data.

Secure transfer

syslog-ng Premium Edition ensures that messages cannot be accessed by third parties by using the Transport Layer Security (TLS) protocol to encrypt the communication between the agents and syslog-ng Store Box.

It is possible to use one-way or mutual authentication between clients and the server using X.509 certificates.

Additional Features

Parse key-value pairs

syslog-ng Store Box can separate a message consisting of whitespace or comma-separated key-value pairs (for example firewall logs) into name-value pairs.

Parse sudo log messages

Privileged user accounts represent the highest security risk, as they allow access to the most sensitive data and resources. The sudo parser enables you to enrich your log message data with details of privilege escalation events.

Normalize with PatternDB

The syslog-ng application can compare the contents of the log messages to a database of predefined message patterns.

Extract important information

In addition to classifying messages, you can also add different tags which can be used later for filtering messages, for example, to collect messages tagged as user_login to a separate file or to perform conditional post processing on the tagged messages.

Real time classification

By comparing log messages to known patterns, syslog-ng is able to identify the exact type of the messages, and sort them into message classes. The message classes can be used to classify the type of the event described in the log message. The message classes can be customized, and, for example, can label the messages as user login, application crash, file transfer, etc.

Real time event correlation

syslog-ng also makes real-time event correlation possible. This can be useful in many different situations. For example, important data for a single event is often scattered into multiple syslog messages. Also, login and logout events are often logged far away from each other, even in different log files, making log analysis difficult. Using correlation these can be collected into a single new message.

Message Rate Alerting

SSB can be configured to send alerts based on the number of messages being received from sources. Minimum and maximum log message thresholds for specified time periods can be set to monitor the log management infrastructure for any performance issues.

Cloud-ready

You can run your virtual SSB instances both in Amazon Web Services and in Microsoft Azure.