The syslog-ng Store Box (SSB) is an appliance built on syslog-ng Premium Edition (PE). SSB inherits most of syslog-ng PE’s features and makes them available with an easy-to-use graphical user interface. One of these features is the SQL source. Many applications log their messages to SQL databases. The SQL source of syslog-ng PE and SSB allows you to collect these log messages in real-time and process and store them with the rest of your logs.

The syslog-ng Store Box appliance can collect log messages from many different log sources and in many formats. These include UNIX / Linux / Windows system logs, firewall and router logs, various application logs, and now also SQL sources. SSB can parse, rewrite, filter and store log messages. In addition to the traditional syslog-ng features, the SSB appliance provides an interface to search log messages and handles the complete log life cycle, including archival and backup. Finally, it can also forward events to various on-prem and cloud destinations. This allows you to optimize your SIEM installations both for resources and licensing: you collect log messages only once, store them on SSB, and forward only a reduced subset of logs to the various analytics tools.

Before you begin

Version 6.5 of the SSB appliance was the first to support the SQL source. Because SSB uses syslog-ng PE under the hood, it supports the same SQL sources: Oracle and MSSQL. Please note that the SQL source is not yet part of an LTS (.0) release. For feature releases, it is recommended to always use the latest release, as these not only add features but also fix problems found in earlier versions. If you do not have SSB yet, download the 30-day free trial at https://www.syslog-ng.com/register/115581/

Getting started

Once you have SSB up and running, adding and configuring a source for SQL is easy. On the GUI, go to Sources, add a new source, and give it a name. Now you are ready to configure it: change the source type to SQL, configure the database-specific settings, add a fetch query, and so on.

SSB SQL source

For testing, you also need some log messages. The syslog-ng PE server can forward log messages to an MSSQL destination, which you can use to set up a simple test environment. This is the relevant part of the syslog-ng PE configuration:

# SQL destination writing to a table in an MSSQL database on a Windows 10 host.
# This table will become the SQL source that SSB later polls.
destination d_mssql {
    sql(
        type(mssql)
        host("192.168.0.38")
        port("1433")
        username("cfinnan")
        password("xxxxxxxx")
        database("syslog-ng")
        # Table is created on first use with these column definitions;
        # __row_id is an auto-incrementing IDENTITY column filled in by the database.
        table("msgs")
        columns("datetime varchar(16)", "__row_id int IDENTITY(1,1)", "host varchar(32)", "program varchar(32)", "pid varchar(8)", "message varchar(4096)")
        # One value per column; 'default' lets the database assign __row_id.
        values("${R_DATE}", default, "${HOST}", "${PROGRAM}", "${PID}", "${MSGONLY}")
        indexes("datetime", "host", "program", "pid")
    );
};
# Send our internal and system messages to the MSSQL database.
log { source(s_local); destination(d_mssql); };
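To make the polling side of the setup concrete, here is an added illustration (not SSB or syslog-ng PE code) of how an incremental SQL source reads the msgs table written by the destination above: sqlite3 stands in for MSSQL, the table mirrors the columns() list from the configuration, and the IDENTITY column __row_id serves as the cursor so that each poll returns only rows not yet collected. The sample log rows, the FETCH_QUERY text and the batch size are constructed for the example.

```python
"""Model of an incremental SQL log source polling the 'msgs' table.

Constructed illustration (not SSB / syslog-ng PE code): sqlite3 stands in
for the MSSQL database, and the table mirrors the columns() list of the
d_mssql destination shown on the page. The IDENTITY column __row_id is
used as a monotonic cursor so each poll fetches only rows not yet read.
"""
import sqlite3

SCHEMA = """CREATE TABLE msgs (
    datetime VARCHAR(16), __row_id INTEGER PRIMARY KEY AUTOINCREMENT,
    host VARCHAR(32), program VARCHAR(32), pid VARCHAR(8), message VARCHAR(4096))"""

# Parameterised fetch query (constructed): rows newer than the cursor, oldest first.
FETCH_QUERY = ("SELECT __row_id, datetime, host, program, pid, message FROM msgs "
               "WHERE __row_id > ? ORDER BY __row_id LIMIT ?")


def insert_msgs(conn, rows):
    """Simulate the syslog-ng PE destination writing (datetime, host, program, pid, message) rows."""
    conn.executemany("INSERT INTO msgs (datetime, host, program, pid, message) VALUES (?, ?, ?, ?, ?)", rows)
    conn.commit()


def fetch_batch(conn, last_uid, batch_size=100):
    """One poll: return (new_cursor, formatted_lines) for rows with __row_id > last_uid."""
    cur = conn.execute(FETCH_QUERY, (last_uid, batch_size))
    lines, new_uid = [], last_uid
    for row_id, dt, host, prog, pid, msg in cur:
        # Rebuild a syslog-style line from the stored columns; an empty PID is omitted.
        tag = f"{prog}[{pid}]" if pid else prog
        lines.append(f"{dt} {host} {tag}: {msg}")
        new_uid = row_id  # advance the cursor only for rows actually emitted
    return new_uid, lines


def demo():
    """Three polls: initial backlog, one new row, then an empty poll (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    insert_msgs(conn, [
        ("Mar 14 10:00:01", "ssb-test", "sshd", "1234", "Accepted publickey for admin from 10.0.0.5 port 50123 ssh2"),
        ("Mar 14 10:00:02", "ssb-test", "cron", "", "(root) CMD (run-parts /etc/cron.hourly)"),
    ])
    uid, first = fetch_batch(conn, 0)
    insert_msgs(conn, [("Mar 14 10:00:05", "ssb-test", "sudo", "1300", "admin : TTY=pts/0 ; COMMAND=/bin/ls")])
    uid, second = fetch_batch(conn, uid)   # only the new row is returned
    uid, third = fetch_batch(conn, uid)    # nothing new: cursor unchanged, empty batch
    return first, second, third, uid
```

Persisting the cursor between polls is what keeps the collector from re-reading rows after a restart; the real SSB source exposes this through its fetch-query settings rather than through code like this.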

What is next?

If you want to give the SQL source of SSB a try, watch our webcast at https://www.syslog-ng.com/webcast-ondemand/collecting-logs-from-database-systems-with-ssb-/ which helps you set up a test environment and shows the SQL source in action. You can copy and paste the syslog-ng configuration snippet above to help you set up the test environment.
