{"id":2239,"date":"2019-02-14T20:53:40","date_gmt":"2019-02-14T17:53:40","guid":{"rendered":"http:\/\/kifarunix.com\/?p=2239"},"modified":"2024-03-11T22:19:28","modified_gmt":"2024-03-11T19:19:28","slug":"configure-rsyslog-on-solaris-11-4-to-send-logs-to-remote-log-server","status":"publish","type":"post","link":"https:\/\/kifarunix.com\/configure-rsyslog-on-solaris-11-4-to-send-logs-to-remote-log-server\/","title":{"rendered":"Configure Rsyslog on Solaris 11.4 to Send logs to Remote Log Server"},"content":{"rendered":"\n<p>In this guide, we are going to learn how to configure rsyslog on Solaris 11.4 to send logs to remote log server.<\/p>\n\n\n\n<div class=\"wp-block-rank-math-toc-block\" id=\"rank-math-toc\"><h2>Table of Contents<\/h2><nav><ul><li><a href=\"#configuring-rsyslog-on-solaris-11-4-to-send-logs-to-remote-log-server\">Configuring Rsyslog on Solaris 11.4 to Send logs to Remote Log Server<\/a><ul><li><a href=\"#solaris-11-4-uses-native-syslog-by-default\">Solaris 11.4 uses Native Syslog by Default<\/a><\/li><li><a href=\"#install-rsyslog-on-solaris-11-4\">Install Rsyslog on Solaris 11.4<\/a><\/li><li><a href=\"#disable-native-syslog-on-solaris-11-4\">Disable Native Syslog on Solaris 11.4<\/a><\/li><li><a href=\"#enable-rsyslog-on-solaris-11-4\">Enable Rsyslog on Solaris 11.4<\/a><\/li><li><a href=\"#configure-rsyslog-to-send-logs-to-remote-server-on-solaris-11-4\">Configure Rsyslog to Send Logs to Remote Server on Solaris 11.4<\/a><ul><li><a href=\"#verify-connection-to-remote-rsyslog-log-server\">Verify Connection to Remote Rsyslog Log Server<\/a><\/li><li><a href=\"#configure-rsyslog-to-send-logs-to-remote-server-on-solaris-11-4-1\">Configure Rsyslog to Send Logs to Remote Server on Solaris 11.4<\/a><\/li><li><a href=\"#restart-rsyslog-service\">Restart Rsyslog Service<\/a><\/li><li><a href=\"#test-remote-logging-on-solaris-11-4\">Test Remote Logging on Solaris 11.4<\/a><\/li><\/ul><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n\n\n\n<h2 
class=\"wp-block-heading\" id=\"configuring-rsyslog-on-solaris-11-4-to-send-logs-to-remote-log-server\">Configuring Rsyslog on Solaris 11.4 to Send logs to Remote Log Server<\/h2>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"solaris-11-4-uses-native-syslog-by-default\">Solaris 11.4 uses Native Syslog by Default<\/h3>\n\n\n\n<p>By default, Solaris 11.4 uses the native syslog as its log manager. You can verify this by running the command below;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>svcs system-log<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>STATE          STIME    FMRI\ndisabled       22:20:47 svc:\/system\/system-log:rsyslog\n<strong>online         19:23:06 svc:\/system\/system-log:default<\/strong>\n<\/code><\/pre>\n\n\n\n<p>As you can see, the native syslog log manager is online.<\/p>\n\n\n\n<p>But wait, are you using the native syslog instead? Check our guide below on configuring syslog on Solaris 11.4;<\/p>\n\n\n\n<p><a title=\"Configure Syslog on Solaris 11.4 for Remote Logging\" href=\"https:\/\/kifarunix.com\/how-to-configure-syslog-to-send-logs-to-remote-syslog-server-on-solaris-11-4\/\" target=\"_blank\" rel=\"bookmark noopener\">Configure Syslog on Solaris 11.4 for Remote Logging<\/a><\/p>\n\n\n\n<p>You might as well want to check our articles on configuring remote logging with rsyslog on Ubuntu 18.04 by following the links below;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><a title=\"How to Configure Remote Logging with Rsyslog on Ubuntu 18.04\" href=\"https:\/\/kifarunix.com\/how-to-configure-remote-logging-with-rsyslog-on-ubuntu-18-04\/\" target=\"_blank\" rel=\"bookmark noopener\">How to Configure Remote Logging with Rsyslog on Ubuntu 18.04<\/a><\/li>\n\n\n\n<li><a title=\"Configure NXLog to Forward System Logs to Rsyslog Server on Ubuntu 18.04\" href=\"https:\/\/kifarunix.com\/configure-nxlog-to-forward-system-logs-to-rsyslog-server-on-ubuntu-18-04\/\" target=\"_blank\" rel=\"bookmark noopener\">Configure NXLog to Forward System Logs to 
Rsyslog Server on Ubuntu 18.04<\/a><\/li>\n<\/ul>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"install-rsyslog-on-solaris-11-4\">Install Rsyslog on Solaris 11.4<\/h3>\n\n\n\n<p>In order to configure rsyslog on Solaris 11.4, you need to check if the package is installed.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">pkg info system\/rsyslog<\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>           Name: system\/rsyslog\n        Summary: reliable and extended syslogd\n    Description: Rsyslog is a reliable and extended syslog daemon implementation\n                 with a modular design, supporting many features (e.g.,\n                 filtering, TCP, encryption, high-precision time-stamps, output\n                 control).\n       Category: System\/Administration and Configuration\n          State: Installed\n      Publisher: solaris\n        Version: 8.15.0\n         Branch: 11.4.0.0.1.14.0\n Packaging Date: August 14, 2018 at  5:28:45 PM\n           Size: 6.72 MB\n           FMRI: pkg:\/\/solaris\/system\/rsyslog@8.15.0-11.4.0.0.1.14.0:20180814T172845Z\n    Project URL: http:\/\/www.rsyslog.com\/\n     Source URL: http:\/\/www.rsyslog.com\/files\/download\/rsyslog\/rsyslog-8.15.0.tar.gz\nProject Contact: Rainer Gerhards\n<\/code><\/pre>\n\n\n\n<p>Well, in my case rsyslog is installed already. 
If, however, it is not installed, you can run the command below to install it.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">pkg install system\/rsyslog<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"disable-native-syslog-on-solaris-11-4\">Disable Native Syslog on Solaris 11.4<\/h3>\n\n\n\n<p>Check the status of Rsyslog;<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>svcs system-log<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>STATE          STIME    FMRI\ndisabled       15:46:54 svc:\/system\/system-log:rsyslog\nonline         15:47:10 svc:\/system\/system-log:default\n<\/code><\/pre>\n\n\n\n<p>As you can see, the native syslog is still enabled; you need to disable it.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">svcadm disable system\/system-log:default<\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"enable-rsyslog-on-solaris-11-4\">Enable Rsyslog on Solaris 11.4<\/h3>\n\n\n\n<p>Next, enable rsyslog and refresh the configuration.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">svcadm enable system\/system-log:rsyslog<\/pre>\n\n\n\n<pre class=\"wp-block-code\"><code>svcadm refresh system\/system-log:rsyslog<\/code><\/pre>\n\n\n\n<p>Check the status to confirm that Rsyslog is active.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>svcs -p rsyslog<\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>STATE          STIME    FMRI\nonline         16:06:20 svc:\/system\/system-log:rsyslog\n               16:06:20      1226 rsyslogd\n<\/code><\/pre>\n\n\n\n<h3 class=\"wp-block-heading\" id=\"configure-rsyslog-to-send-logs-to-remote-server-on-solaris-11-4\">Configure Rsyslog to Send Logs to Remote Server on Solaris 11.4<\/h3>\n\n\n\n<p>Proceed to configure Rsyslog on Solaris 11.4 to send logs of a specific <code>facility<\/code> and <code>priority<\/code> to the remote central log management server.<\/p>\n\n\n\n<p>The main configuration file for Rsyslog is <code>\/etc\/rsyslog.conf<\/code>.<\/p>\n\n\n\n<p>For demonstration purposes, we are going to 
configure Rsyslog on Solaris 11.4 to send all information logs created by any facility to the remote log management server. The logs will be sent over UDP protocol, port 514. You can however use TCP as long as the remote log server is configured to receive logs over TCP protocol.<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"verify-connection-to-remote-rsyslog-log-server\">Verify Connection to Remote Rsyslog Log Server<\/h4>\n\n\n\n<p>Before you can proceed, verify that Solaris 11.4 server can communicate with remote log management server over UDP port 514. You can use <code>netcat (nc)<\/code> command to verify this.<\/p>\n\n\n\n<p>On the Remote log manager, set netcat to listen on port 514 while on the Solaris 11.4 server, set netcat to connect to the remote log manager port 514.<\/p>\n\n\n\n<p>On the remote log server, run:<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nc -l 514<\/pre>\n\n\n\n<p>On Solaris 11.4 server, run (replace remote_server_IP with log server IP);<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">nc remote_server_IP 514<\/pre>\n\n\n\n<p>Press Enter on both sides.<\/p>\n\n\n\n<p>Type anything on the Solaris 11.4 end and you should be able to see whatever you type on the remote shell.<\/p>\n\n\n\n<p>Otherwise, fix the connection!<\/p>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"configure-rsyslog-to-send-logs-to-remote-server-on-solaris-11-4-1\">Configure Rsyslog to Send Logs to Remote Server on Solaris 11.4<\/h4>\n\n\n\n<p>After that, proceed to configure Rsyslog on Solaris 11.4 server.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">vim \/etc\/rsyslog.conf<\/pre>\n\n\n\n<p>As already mentioned, we are sending only information logs!<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>...\n# Remote Logging (we use TCP for reliable delivery)\n# An on-disk queue is created for this action. 
If the remote host is\n# down, messages are spooled to disk and sent when it is up again.\n#$WorkDirectory \/var\/spool\/rsyslog      # where to place spool files\n#$ActionQueueFileName uniqName  # unique name prefix for spool files\n#$ActionQueueMaxDiskSpace 1g    # 1gb space limit (use as much as possible)\n#$ActionQueueSaveOnShutdown on  # save messages to disk on shutdown\n#$ActionQueueType LinkedList    # run asynchronously\n#$ActionResumeRetryCount -1     # infinite retries if host is down\n# remote host is: name\/ip:port, e.g. 192.168.0.1:514, port optional\n#*.* @@remote-host:514\n<strong>*.info  @192.168.43.85:514    # Send Logs over UDP port 514\n<\/strong>...\n<\/code><\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"restart-rsyslog-service\">Restart Rsyslog Service<\/h4>\n\n\n\n<p>Restart Rsyslog to effect the changes.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">svcadm restart system\/system-log:rsyslog<\/pre>\n\n\n\n<h4 class=\"wp-block-heading\" id=\"test-remote-logging-on-solaris-11-4\">Test Remote Logging on Solaris 11.4<\/h4>\n\n\n\n<p>Perform a log test using the <code>logger<\/code> command.<\/p>\n\n\n\n<p>Before you run the test, start <code>tcpdump<\/code> on the remote log server to confirm that the logs are received.<\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>tcpdump -i any -nn -vv udp port 514 and host 192.168.43.181<\/code><\/pre>\n\n\n\n<p>Where <code>192.168.43.181<\/code> is the IP of the Solaris server sending logs to the remote log server.<\/p>\n\n\n\n<p>On the Solaris 11.4 server, simulate logging using the <code>logger<\/code> command.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">logger -p <strong>local7.info<\/strong> \"Hello remote log server, I am Solaris 11.4, can you see my logs?\"<\/pre>\n\n\n\n<p>If everything is okay, you should see the log message in the tcpdump output on the remote server;<\/p>\n\n\n\n<pre class=\"scroll-box\"><code>tcpdump: data link type LINUX_SLL2\ntcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked 
v2), snapshot length 262144 bytes\n11:21:17.032859 enp0s8 In  IP (tos 0x0, ttl 255, id 5552, offset 0, flags [none], proto UDP (17), length 156)\n    <strong>192.168.43.181.61989 > 192.168.43.85.514: [udp sum ok] SYSLOG, length: 128\n\tFacility local7 (23), Severity info (6)\n\tMsg: Jan 13 16:21:15 solaris kifarunix: [ID 702911 local7.info] Hello remote log server, I am Solaris 11.4, can you see my logs? <\/strong>\n\t0x0000:  3c31 3930 3e4a 616e 2031 3320 3136 3a32\n\t0x0010:  313a 3135 2073 6f6c 6172 6973 206b 6966\n\t0x0020:  6172 756e 6978 3a20 5b49 4420 3730 3239\n\t0x0030:  3131 206c 6f63 616c 372e 696e 666f 5d20\n\t0x0040:  4865 6c6c 6f20 7265 6d6f 7465 206c 6f67\n\t0x0050:  2073 6572 7665 722c 2049 2061 6d20 536f\n\t0x0060:  6c61 7269 7320 3131 2e34 2c20 6361 6e20\n\t0x0070:  796f 7520 7365 6520 6d79 206c 6f67 733f\n<\/code><\/pre>\n\n\n\n<p>If you configured your remote log server to save logs based on the source IP, you can tail the source respective log file to see the actual message. For example, we configure our log server to save remote system logs to <code><strong>\/var\/log\/remotelogs\/&lt;from-ip&gt;.log<\/strong><\/code> files. <\/p>\n\n\n\n<pre class=\"wp-block-code\"><code>tail -f \/var\/log\/remotelogs\/192.168.43.181.log <\/code><\/pre>\n\n\n\n<pre class=\"scroll-box\"><code>2024-01-13T16:17:37-05:00 solaris rsyslogd: [origin software=\"rsyslogd\" swVersion=\"8.15.0\" x-pid=\"1252\" x-info=\"http:\/\/www.rsyslog.com\"] start\n2024-01-13T16:21:15-05:00 solaris kifarunix: [ID 702911 local7.info] Hello remote log server, I am Solaris 11.4, can you see my logs?\n<\/code><\/pre>\n\n\n\n<p>As a side note, you can even send logs in a file using the logger command.<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">logger -f \/var\/log\/test.log -p auth.info<\/pre>\n","protected":false},"excerpt":{"rendered":"<p>In this guide, we are going to learn how to configure rsyslog on Solaris 11.4 to send logs to remote log server. 
Configuring Rsyslog on<\/p>\n","protected":false},"author":1,"featured_media":19851,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"rank_math_lock_modified_date":false,"footnotes":""},"categories":[121,331],"tags":[186,274,192],"class_list":["post-2239","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-howtos","category-syslog","tag-rsyslog","tag-solaris-11-4","tag-syslog","generate-columns","tablet-grid-50","mobile-grid-100","grid-parent","grid-50","resize-featured-image"],"_links":{"self":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/2239"}],"collection":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/comments?post=2239"}],"version-history":[{"count":6,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/2239\/revisions"}],"predecessor-version":[{"id":21108,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/posts\/2239\/revisions\/21108"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media\/19851"}],"wp:attachment":[{"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/media?parent=2239"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/categories?post=2239"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/kifarunix.com\/wp-json\/wp\/v2\/tags?post=2239"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}