{"id":2211,"date":"2019-02-14T00:30:00","date_gmt":"2019-02-13T21:30:00","guid":{"rendered":"http:\/\/kifarunix.com\/?p=2211"},"modified":"2024-03-11T22:19:59","modified_gmt":"2024-03-11T19:19:59","slug":"how-to-configure-syslog-to-send-logs-to-remote-syslog-server-on-solaris-11-4","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/how-to-configure-syslog-to-send-logs-to-remote-syslog-server-on-solaris-11-4\/","title":{"rendered":"Configure Syslog on Solaris 11.4 for Remote Logging"},"content":{"rendered":"\n<p>This guide presents a simple way to configure Syslog on Solaris 11.4 to send logs to a remote syslog server.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#configuring-syslog-on-solaris-11-4-for-remote-logging\">Configuring Syslog on Solaris 11.4 for Remote Logging<\/a><ul><li><a href=\"#enable-syslog-on-solaris-11-4\">Enable Syslog on Solaris 11.4<\/a><\/li><li><a href=\"#configuring-syslog-remote-logging-on-solaris-11-4\">Configuring Syslog Remote Logging on Solaris 11.4<\/a><\/li><li><a href=\"#verify-connection-to-remote-log-server\">Verify Connection to Remote Log Server<\/a><\/li><li><a href=\"#configure-remote-log-server-logs-directory\">Configure Remote Log Server Logs Directory<\/a><\/li><li><a href=\"#verify-log-reception-on-remote-log-server\">Verify Log Reception on Remote Log Server<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" id=\"configuring-syslog-on-solaris-11-4-for-remote-logging\">Configuring Syslog on Solaris 11.4 for Remote Logging<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"enable-syslog-on-solaris-11-4\">Enable Syslog on Solaris 11.4<\/h3>\n\n\n\n<p>Syslog is the native log manager on Solaris 11.4. 
It should be enabled by default.<\/p>\n\n\n\n<p>Before you proceed to configure syslog on Solaris 11.4, first check that it is enabled.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>svcs system-log<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>STATE          STIME    FMRI\ndisabled        2:07:53 svc:\/system\/system-log:rsyslog\n<strong>online         23:08:50 svc:\/system\/system-log:default<\/strong>\n<\/code><\/pre>\n\n\n\n<p>As per the above output, the native syslog service is enabled.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configuring-syslog-remote-logging-on-solaris-11-4\">Configuring Syslog Remote Logging <strong>on Solaris 11.4<\/strong><\/h3>\n\n\n\n<p>Next, configure Syslog to define which log messages are forwarded to the central log server. This is done by selecting the <code>facility<\/code> and <code>priority<\/code> of the logs.<\/p>\n\n\n\n<p>The facility identifies the type of program that is logging the message, for example the kernel, the mail system, security processes, syslog itself, or system daemons. The defined facilities are <code>auth (or security), authpriv, cron, daemon, ftp, kern, lpr, mail, mark, news, syslog, user, uucp, and local0-local7<\/code>.<\/p>\n\n\n\n<p>The priority, on the other hand, defines the severity level of the message. The possible priorities, arranged in decreasing order of urgency, are <code>emerg (or panic (0)), alert (1), crit (2), err (or error(3)), warning (or warn (4)), notice (5), info (6), debug (7)<\/code>. A selector such as <code>*.info<\/code> matches messages at that priority and every more urgent priority, not only <code>info<\/code> itself.<\/p>\n\n\n\n<p>In this guide, we are going to send all messages of <code>info<\/code> priority and above to the remote server. Hence, edit the syslog configuration file, <code>\/etc\/syslog.conf<\/code>, and add the line below.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">vim \/etc\/syslog.conf<\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>...\n# This file is processed by m4 so be careful to quote (`') names\n# that match m4 reserved words.  
Also, within ifdef's, arguments\n# containing commas must be quoted.\n#\n*.err;kern.notice;auth.notice                   \/dev\/sysmsg\n*.err;kern.debug;daemon.notice;auth.none;mail.crit      \/var\/adm\/messages\n\n*.alert;kern.err;daemon.err                     operator\n*.alert                                         root\n\n*.emerg                                         *\n# Forward informational Messages\n<strong>*.info  @remotehost   # Use a tab instead of spaces.\n<\/strong>...\n<\/code><\/pre>\n\n\n\n<figure class=\"wp-block-pullquote has-small-font-size\"><blockquote><p>Ensure that you are using tabs instead of spaces between the selector and the action: <code>*.info<strong>&lt;tab&gt;<\/strong>@remotehost<\/code><\/p><\/blockquote><\/figure>\n\n\n\n<p>Save the configuration file and restart syslog.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">svcadm restart system-log:default<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"verify-connection-to-remote-log-server\">Verify Connection to Remote Log Server<\/h3>\n\n\n\n<p>Next, verify that the Solaris 11.4 server can reach the remote syslog server on UDP port 514, the port syslog forwards to. This can be done using the netcat command. 
Hence, on the remote server, run netcat listening on UDP port 514 as shown below (the <code>-u<\/code> flag selects UDP; without it netcat would test TCP, which is not the transport syslog uses here):<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nc -u -l 514<\/pre>\n\n\n\n<p>On Solaris 11.4, run netcat as shown below:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">netcat -u 192.168.43.85 514<\/pre>\n\n\n\n<p>Type anything at the prompt and you should see the same text on the remote host.<\/p>\n\n\n\n<p><a href=\"http:\/\/kifarunix.com\/wp-content\/uploads\/2019\/02\/netcat.png\"><img loading=\"lazy\" decoding=\"async\" width=\"868\" height=\"110\" class=\"alignnone size-full wp-image-2234\" src=\"http:\/\/kifarunix.com\/wp-content\/uploads\/2019\/02\/netcat.png\" alt=\"How to Send Logs to Remote Central Log Server on Solaris 11.4\" title=\"\" srcset=\"https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/02\/netcat.png 868w, https:\/\/kifarunix.com\/wp-content\/uploads\/2019\/02\/netcat-768x97.png 768w\" sizes=\"(max-width: 868px) 100vw, 868px\" \/><\/a><\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configure-remote-log-server-logs-directory\">Configure Remote Log Server Logs Directory<\/h3>\n\n\n\n<p>On the remote central syslog server, configure it such that it saves the received logs to a specific directory, using the IP address or hostname of the sender as the identifier of the source of the logs. 
See the example below:<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>...\n# provides UDP syslog reception\nmodule(load=\"imudp\")\ninput(type=\"imudp\" port=\"514\")\n\n# provides TCP syslog reception\n#module(load=\"imtcp\")\n#input(type=\"imtcp\" port=\"514\")\n<strong>#Custom template to generate the log filename dynamically based on the client's IP address.<\/strong>\n<strong>$template RemInputLogs, \"\/var\/log\/remotelogs\/%FROMHOST-IP%.log\"<\/strong>\n<strong>*.* ?RemInputLogs\n...<\/strong>\n<\/code><\/pre>\n\n\n\n<p>Two things worth knowing about this configuration: UDP delivery is unacknowledged, so a message dropped in transit is simply lost rather than retransmitted; and a <code>*.* ?RemInputLogs<\/code> rule placed in the main configuration also writes the log server's own messages to a file named after its own address, because the rule is not restricted to messages arriving on the <code>imudp<\/code> input.<\/p>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"verify-log-reception-on-remote-log-server\">Verify Log Reception on Remote Log Server<\/h3>\n\n\n\n<p>Next, initiate an SSH authentication to the Solaris 11.4 server. At the same time, run the tcpdump command on the syslog server to verify that the logs are actually sent from the Solaris 11.4 server.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">tcpdump -i enp0s3 src solaris_server_IP and port 514<\/pre>\n\n\n\n<p>In the tcpdump output below, you can see two authentication messages, since I tried both a failed and a successful authentication on the Solaris 11.4 server.<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>tcpdump: verbose output suppressed, use -v or -vv for full protocol decode\nlistening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes\n<strong>21:17:34.926331 IP 192.168.43.181.61781 &gt; u18svr.syslog: SYSLOG auth.error, length: 117<\/strong>\n<strong>21:17:48.962226 IP 192.168.43.181.61781 &gt; u18svr.syslog: SYSLOG auth.info, length: 132<\/strong>\n<\/code><\/pre>\n\n\n\n<p>At the same time, you can check the log file on the remote server, as defined in the configuration file above.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>tail \/var\/log\/remotelogs\/192.168.43.181.log <\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>2024-01-13T00:06:19+00:00 192.168.43.181 \/usr\/sbin\/dhcpagent[497]: [ID 538334 daemon.info] configure_v4_timers: net0 acquired lease, expires Thu Feb 14 01:06:19 
2024\n2024-01-13T00:06:19+00:00 192.168.43.181 \/usr\/sbin\/dhcpagent[497]: [ID 759141 daemon.info] configure_v4_timers: net0 begins renewal at Thu Feb 14 00:32:46 2024\n2024-01-13T00:06:19+00:00 192.168.43.181 \/usr\/sbin\/dhcpagent[497]: [ID 480545 daemon.info] configure_v4_timers: net0 begins rebinding at Thu Feb 14 00:55:16 2024\n<strong>2024-01-13T00:17:35+00:00 192.168.43.181 sshd[1711]: [ID 800047 auth.error] error: PAM: Authentication failed for root from 192.168.43.149<\/strong>\n<strong>2024-01-13T00:17:49+00:00 192.168.43.181 sshd[1711]: [ID 800047 auth.info] Accepted keyboard-interactive\/pam for root from 192.168.43.149 port 40300 ssh2<\/strong>\n<\/code><\/pre>\n\n\n\n<p>Beautiful, that is how easy it is to configure Syslog to send logs to a remote syslog server on Solaris 11.4.<\/p>\n\n\n\n<p>You can also use Rsyslog instead of Syslog. Check how to <a title=\"Configure Rsyslog on Solaris 11.4 to Send logs to Remote Log Server\" href=\"https:\/\/kifarunix.com\/configure-rsyslog-on-solaris-11-4-to-send-logs-to-remote-log-server\/\" target=\"_blank\" rel=\"bookmark noopener\">Configure Rsyslog on Solaris 11.4<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This guide presents a simple way to configure Syslog on Solaris 11.4 to send logs to a remote syslog server. 
Configuring Syslog on Solaris 11.4<\/p>\n","protected":false},"author":1,"featured_media":19853,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,331],"tags":[193,274,192],"class_list":["post-2211","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-syslog","tag-remote-logging","tag-solaris-11-4","tag-syslog","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/2211"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=2211"}],"version-history":[{"count":8,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/2211\/revisions"}],"predecessor-version":[{"id":21110,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/2211\/revisions\/21110"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/19853"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=2211"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=2211"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=2211"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}