Description: Set up a server to send syslog messages to a central syslog server
Setup: For the example, I’ll use two virtual servers in VirtualBox. “solaris” will be the host sending syslog messages to “logserver,” a second VM that you will set up as the central syslog server.
For this exercise, “solaris” has the IP address 10.100.0.186 and “logserver” has 10.100.0.187.
Make sure each server can ping the other. In VirtualBox that means both VMs must be attached to the same network, for example through a Bridged Adapter.
You’ll be opening multiple terminal windows on each server, so it will be helpful to use the bash shell and change your shell prompt as follows on each server:
PS1='\u@\h \W\$ '
The prompt then shows the user, the server and the current directory (bash prints # for root and $ for other users), for example:
root@logserver /#
On each server, make a backup copy of the /etc/syslog.conf file that you will be editing in this exercise as follows:
root@solaris /# cp /etc/syslog.conf /etc/syslog.conf.BAK
root@logserver /# cp /etc/syslog.conf /etc/syslog.conf.BAK
Step by Step Procedure
I. Perform These Steps on logserver
1. Make sure the /etc/hosts file contains an entry for the logserver as follows:
10.100.0.187 logserver loghost
2. After a reboot, or svcadm restart system-log, make sure there are no error messages in the /var/adm/messages file from syslogd like this:
syslogd: WARNING: loghost could not be resolved
3. Make sure syslogd is configured to receive messages from the network by verifying that the config/log_from_remote boolean property is set to true as follows:
# svccfg -s system-log listprop config/log_from_remote
config/log_from_remote boolean true
If the property is set to false, change it as follows (the restart in step 5 applies it):
# svccfg -s system-log setprop config/log_from_remote=true
Note: with this property true, syslogd accepts UDP datagrams on port 514 from any source. Remote syslog is neither authenticated nor encrypted, so restrict port 514 to the hosts that are supposed to log here (for example with the host packet filter or a network ACL) and treat what arrives as untrusted input: any host that can reach the port can inject forged entries into the log files written below.
4. Add this line to the /etc/syslog.conf file so that auth messages, local and remote, are written to their own file:
auth.info /var/adm/authlog
Note: Use only tabs to separate the columns, no spaces; a rule whose columns are separated by spaces is not parsed as a valid rule. Also note that syslogd does not create the destination file: create /var/adm/authlog (empty, owned by root, mode 600) before restarting the service in step 5, or the messages have nowhere to go.
Example Before:
*.err;kern.notice;auth.notice /dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit /var/adm/messages
*.alert;kern.err;daemon.err operator
*.alert root
Example After:
*.err;kern.notice;auth.notice /dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit /var/adm/messages
*.alert;kern.err;daemon.err operator
*.alert root
auth.info /var/adm/authlog
5. Restart the syslogd daemon as follows:
# svcadm restart system-log
6. Verify the syslog service is online:
# svcs system-log
STATE STIME FMRI
online 10:01:21 svc:/system/system-log:default
7. Make sure your logserver is set up to resolve the IP addresses of the sending systems through either local files or DNS. If local files, make this entry in your /etc/hosts file for the remote server that will be sending syslog messages:
10.100.0.186 solaris
II. Perform These Steps On the Server Named “solaris”
8. Make sure the /etc/hosts file contains an entry for the logserver carrying the loghost alias, and that no other line (such as the localhost line, where a default Solaris install usually places loghost) still carries that alias. If loghost also resolves to the local machine, syslogd defines LOGHOST and the line uncommented in step 11 writes to the local /var/log/authlog instead of forwarding:
10.100.0.187 logserver loghost
9. After a reboot, or svcadm restart system-log, make sure there are no error messages in the /var/adm/messages file from syslogd like this:
syslogd: WARNING: loghost could not be resolved
10. You should be able to ping loghost as follows:
root@solaris /# ping loghost
loghost is alive
11. Uncomment the following line in the /etc/syslog.conf file. The ifdef is an m4 macro that syslogd evaluates when it reads the file: LOGHOST is defined only when the alias loghost resolves to this host itself, in which case auth.info messages go to the local /var/log/authlog; otherwise (as here, where loghost is logserver) they are forwarded to @loghost over UDP port 514:
# auth.info ifdef(`LOGHOST', /var/log/authlog, @loghost)
Example Before:
# auth.info ifdef(`LOGHOST', /var/log/authlog, @loghost)
Example After:
auth.info ifdef(`LOGHOST', /var/log/authlog, @loghost)
12. Restart the syslogd daemon as follows:
# svcadm restart system-log
13. Verify the service is online as follows:
# svcs system-log
STATE STIME FMRI
online 10:01:21 svc:/system/system-log:default
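Both procedures above hinge on the tab-versus-space rule for /etc/syslog.conf (step 4 and step 11). The following script is an added example, not part of the original post: a pre-flight lint you can run on either host before svcadm restart system-log. It flags rules whose selector and action are separated only by spaces, rules with no action, and selectors with a facility or level that Solaris syslog.conf does not know. The file it checks in the demonstration is constructed inline; the function takes any path, so point it at /etc/syslog.conf on a real host.

```shell
#!/bin/sh
# Added example, not from the original post: lint a Solaris-style syslog.conf
# before restarting syslogd.  Solaris syslogd requires a TAB between the
# selector (facility.level[;facility.level...]) and the action; a line that
# uses only spaces is not a valid rule, so its messages quietly go nowhere.

# Facilities and levels accepted in Solaris syslog.conf selectors; "*" is any.
FACILITIES='kern user mail daemon auth syslog lpr news uucp cron audit mark local0 local1 local2 local3 local4 local5 local6 local7'
LEVELS='emerg alert crit err warning notice info debug none'

in_list() {  # in_list WORD "WORD WORD ..."
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# check_selector "auth.info;kern.notice" -> 0 if every facility.level is known
check_selector() {
    sel=$1
    while [ -n "$sel" ]; do
        part=${sel%%";"*}
        case $sel in *';'*) sel=${sel#*";"} ;; *) sel='' ;; esac
        case $part in
            *.*) fac=${part%%.*}; lvl=${part#*.} ;;
            *)   return 1 ;;
        esac
        [ "$fac" = '*' ] || in_list "$fac" "$FACILITIES" || return 1
        in_list "$lvl" "$LEVELS" || return 1
    done
    return 0
}

# check_syslog_conf FILE: print one diagnostic per bad rule; return 1 if any.
check_syslog_conf() {
    tab=$(printf '\t')
    status=0
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case $line in ''|'#'*) continue ;; esac        # blank line or comment
        case $line in
            *"$tab"*) ;;
            *) printf 'line %d: selector and action must be separated by a TAB, not spaces: %s\n' "$n" "$line"
               status=1; continue ;;
        esac
        selector=${line%%"$tab"*}
        action=${line#*"$tab"}
        while :; do                                     # strip leading tabs/spaces
            case $action in "$tab"*|' '*) action=${action#?} ;; *) break ;; esac
        done
        if [ -z "$action" ]; then
            printf 'line %d: missing action: %s\n' "$n" "$line"; status=1
        elif ! check_selector "$selector"; then
            printf 'line %d: unknown facility or level in "%s"\n' "$n" "$selector"; status=1
        fi
    done < "$1"
    return $status
}

# Demonstration on a constructed file (not a real syslog.conf): the tutorial's
# good rules plus the two classic mistakes, spaces and a misspelled level.
tmp=${TMPDIR:-/tmp}/syslog.conf.sample.$$
{
    printf '# constructed sample\n'
    printf '*.err;kern.notice;auth.notice\t/dev/sysmsg\n'
    printf "auth.info\tifdef(\`LOGHOST', /var/log/authlog, @loghost)\n"
    printf 'auth.info /var/adm/authlog\n'            # spaces only: no rule
    printf 'auth.inf\t/var/adm/authlog\n'            # "inf" is not a level
} > "$tmp"
if check_syslog_conf "$tmp"; then
    echo "$tmp: OK to restart system-log"
else
    echo "$tmp: fix the lines above before svcadm restart system-log"
fi
rm -f "$tmp"
```

The ifdef line is accepted as-is: syslogd runs the file through m4 before parsing, so the action column may legitimately contain spaces; only the separator between selector and action must be a tab.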
III. Test the setup
For the test, you’ll open four terminal sessions.
Terminal 1: Open a terminal window to the “solaris” server and type:
root@solaris /# snoop port 514
<leave this running in the terminal window>
Terminal 2: Open a terminal window to the “logserver” server and type:
root@logserver /# snoop solaris
<leave this running in the terminal window>
Terminal 3: Open a terminal window to the “logserver” server and type:
root@logserver /# tail -f /var/adm/authlog
<leave this running in the terminal window. You will actively watch the /var/adm/authlog file for new entries>
Terminal 4: Use PuTTY or another ssh client to log in to the “solaris” server (10.100.0.186) and enter the password when prompted:
$ ssh root@solaris
When you enter the password in Terminal 4, the following should happen in the other terminal windows:
Terminal 1: You should see a SYSLOG line like the following, showing “solaris” sending a syslog datagram to UDP port 514 on “logserver”. The <38> at the start of the payload is the PRI value: facility auth (4) times 8 plus severity info (6).
# snoop port 514
Using device e1000g0 (promiscuous mode)
     solaris -> logserver    SYSLOG C port=32779 auth.info: <38>Aug 22 10:57:28
Terminal 2: On the loghost, the same SYSLOG datagram appears arriving from “solaris”, which confirms that “logserver” is receiving what syslogd on the remote host sends. Because snoop solaris captures all traffic to and from that host, the ssh session’s TCP segments show up as well; only the SYSLOG line matters here.
# snoop solaris
Using device e1000g0 (promiscuous mode)
     solaris -> logserver    SYSLOG C port=32779 auth.info: <38>Aug 22 11:00:57
   logserver -> solaris      TCP D=32797 S=22 Push Ack=220090959 Seq=1393572300 Len=128 Win=49640
     solaris -> logserver    TCP D=22 S=32797 Ack=1393572428 Seq=220090959 Len=0 Win=49640
   logserver -> solaris      TCP D=32797 S=22 Push Ack=220090959 Seq=1393572428 Len=240 Win=49640
     solaris -> logserver    TCP D=22 S=32797 Ack=1393572668 Seq=220090959 Len=0 Win=49640
   logserver -> solaris      TCP D=32797 S=22 Push Ack=220090959 Seq=1393572668 Len=240 Win=49640
     solaris -> logserver    TCP D=22 S=32797 Ack=1393572908 Seq=220090959 Len=0 Win=49640
In Terminal 2, press Ctrl+C to stop snoop.
Terminal 3: You should see the following message added to the /var/adm/authlog file:
Aug 22 11:24:15 solaris sshd[931]: [ID 800047 auth.info] Accepted keyboard-interactive for root from 10.100.0.186 port 32800 ssh2
If you intentionally enter a wrong password in Terminal 4, the following message gets logged to /var/adm/authlog instead:
Aug 22 11:24:06 solaris sshd[931]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
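Two follow-ups to the test, as an added example that is not part of the original post. The first function decodes the <PRI> value snoop showed at the start of the UDP payload, so you can confirm that a datagram really carries auth.info and not some other facility. The second is a minimal detection pass over authlog lines of the format shown above: it counts sshd authentication failures per reporting host and flags any accepted direct root login, since a central log that nobody reads adds little. The sample lines and the threshold are constructed here; the host names and paths follow the tutorial.

```shell
#!/bin/sh
# Added example, not part of the original post.  (1) decode a syslog <PRI>
# value; (2) scan authlog lines for repeated sshd failures and root logins.

# RFC 3164 facility and severity names, indexed by their numeric code.
# Facility 4 is auth and severity 6 is info, so <38> = 4*8 + 6 = auth.info.
FACILITIES='kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp audit alert clock local0 local1 local2 local3 local4 local5 local6 local7'
SEVERITIES='emerg alert crit err warning notice info debug'

nth() {  # nth INDEX "WORD WORD ..." -> prints the INDEX-th word (0-based)
    i=0
    for w in $2; do
        [ "$i" -eq "$1" ] && { printf '%s\n' "$w"; return 0; }
        i=$((i + 1))
    done
    return 1
}

# decode_pri '<38>' -> auth.info   (PRI = facility * 8 + severity)
decode_pri() {
    pri=${1#<}; pri=${pri%>}
    printf '%s.%s\n' "$(nth $((pri / 8)) "$FACILITIES")" "$(nth $((pri % 8)) "$SEVERITIES")"
}

# audit_authlog FILE [LIMIT]
# Counts sshd failures and accepted root logins per reporting host (field 4 of
# the Solaris syslog line).  Prints an ALERT for every host with LIMIT or more
# failures (default 3) or with any accepted root login; exit status 1 if any.
audit_authlog() {
    awk -v limit="${2:-3}" '
        # Aug 22 11:24:15 solaris sshd[931]: [ID 800047 auth.info] <message>
        $5 ~ /^sshd\[/ {
            host = $4
            if ($0 ~ /userauth failed/)              fail[host]++
            else if ($0 ~ /Accepted .* for root /)   root[host]++
        }
        END {
            bad = 0
            for (h in fail) if (fail[h] >= limit) {
                printf "ALERT %s: %d ssh authentication failures\n", h, fail[h]; bad = 1
            }
            for (h in root) {
                printf "ALERT %s: %d direct root logins accepted\n", h, root[h]; bad = 1
            }
            exit bad
        }' "$1"
}

# Stand-alone demonstration on constructed authlog lines (the threshold of 3
# failures is an assumption for the example, not a Solaris default).
sample=${TMPDIR:-/tmp}/authlog.sample.$$
{
    printf 'Aug 22 11:24:06 solaris sshd[931]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed\n'
    printf 'Aug 22 11:24:09 solaris sshd[931]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed\n'
    printf 'Aug 22 11:24:12 solaris sshd[931]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed\n'
    printf 'Aug 22 11:24:15 solaris sshd[931]: [ID 800047 auth.info] Accepted keyboard-interactive for root from 10.100.0.186 port 32800 ssh2\n'
    printf 'Aug 22 11:30:01 logserver sshd[1200]: [ID 800047 auth.info] Accepted publickey for admin from 10.100.0.186 port 32811 ssh2\n'
} > "$sample"
echo "PRI <38> decodes to: $(decode_pri '<38>')"
audit_authlog "$sample" 3 || echo "(the alerts above need a look)"
rm -f "$sample"
```

Run it on the log server as audit_authlog /var/adm/authlog from cron or a watch loop. Note that the Solaris failure message does not carry the client address, so the count is per reporting host; correlate with the "Accepted ... from" lines or with sshd's own verbose logging if you need the source of the failures.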
Just one extra step on LOGSERVER:
ln -s /var/log/authlog /var/adm/authlog
Without this symbolic link, LOGSERVER couldn’t write log information to the file /var/adm/authlog, which doesn’t exist.
I’ve tested your instructions and posted them on my blog:
http://blog.fabiomorais.com.br/2019/11/how-to-user-remote-syslog-on-solaris-11.html
Thank you.