Setup a Syslog central Server on Solaris

Description: Setup a server to send syslog messages to a central syslog server

Setup: For the example, I’ll use two virtual servers in VirtualBox. “solaris” will be the host sending syslog messages to “logserver,” a second VM that you will set up as the central syslog server.

For this exercise, “solaris” has an IP address of 10.100.0.186 and “logserver” has 10.100.0.187.
Make sure the two servers can ping each other.

or Bridged Adapter

You’ll be opening multiple terminal windows on each server, so it will be helpful to use the bash shell and change your shell prompt as follows on each server:

PS1='\u@\h \W\\$ '

The prompt will display which server and directory you are logged into as follows:

root@logserver /$

On each server, make a backup copy of the /etc/syslog.conf file that you will be editing in this exercise as follows:

root@solaris /$ cp /etc/syslog.conf /etc/syslog.conf.BAK
root@logserver /$ cp /etc/syslog.conf /etc/syslog.conf.BAK

Step by Step Procedure

I. Perform These Steps on logserver

1.  Make sure the /etc/hosts file contains an entry for the logserver as follows:

10.100.0.187    logserver loghost

2.  After a reboot, or svcadm restart system-log, make sure there are no error messages in the /var/adm/messages file from syslogd like this:

syslogd:  WARNING: loghost could not be resolved

3.  Make sure the syslogd daemon is configured to receive messages from the network by verifying that the boolean property config/log_from_remote is set to true, as follows:

# svccfg -s system-log listprop config/log_from_remote
config/log_from_remote  boolean  true

If the property is set to false, change it as follows:

# svccfg -s system-log setprop config/log_from_remote=true

4. Add this line to the /etc/syslog.conf file:

auth.info /var/adm/authlog

Note: Use only tabs to separate the columns, no spaces

Example Before:

*.err;kern.notice;auth.notice                   /dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit        /var/adm/messages
*.alert;kern.err;daemon.err                     operator
*.alert                                         root

Example After:

*.err;kern.notice;auth.notice                   /dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit        /var/adm/messages
*.alert;kern.err;daemon.err                     operator
*.alert                                         root
auth.info                                       /var/adm/authlog

5. Restart the syslogd daemon as follows:

# svcadm restart system-log

6. Verify the syslog service is online:

# svcs system-log
STATE          STIME    FMRI
online         10:01:21 svc:/system/system-log:default

7. Make sure your logserver is set up to resolve the IP address of the sending host through either local files or DNS. If you use local files, add this entry to /etc/hosts for the remote server that will be sending syslog messages:

10.100.0.186    solaris
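The tab rule in step 4 is the part of this procedure that most often goes wrong, because a space-separated line looks identical to a tab-separated one in most editors. The following script is an added example (not part of the original post) that checks a syslog.conf for lines with no tab between the selector and the action, confirms the auth.info route to /var/adm/authlog is present, and rewrites the separator on offending lines. It works on a constructed sample file written to a temp directory so it runs offline; point the functions at /etc/syslog.conf to check a real server.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity checks for the
# /etc/syslog.conf edit in step 4. syslogd wants a tab between the selector
# and the action column; lines separated by spaces only are easy to miss by eye.
# A constructed sample config is written to a temp file so this runs offline.

SAMPLE_CONF="${TMPDIR:-/tmp}/syslog.conf.sample.$$"
trap 'rm -f "$SAMPLE_CONF" "$SAMPLE_CONF.fixed"' EXIT

{
    printf '# constructed sample, mirrors the "Example After" block\n'
    printf '%s\t%s\n' '*.err;kern.notice;auth.notice'            /dev/sysmsg
    printf '%s\t%s\n' '*.err;kern.debug;daemon.notice;mail.crit' /var/adm/messages
    printf '%s\t%s\n' '*.alert;kern.err;daemon.err'              operator
    printf '%s\t%s\n' '*.alert'                                  root
    # deliberately wrong: spaces instead of a tab
    printf '%s %s\n'  'auth.info'                                /var/adm/authlog
} > "$SAMPLE_CONF"

# Count active (non-comment, non-blank) lines that contain no tab at all.
count_space_separated() {
    awk '!/^[ \t]*#/ && !/^[ \t]*$/ && !/\t/ { n++ } END { print n + 0 }' "$1"
}

# Exit 0 if some active line routes exactly the selector auth.info to $2.
has_auth_info_route() {
    awk -v target="$2" '
        /^[ \t]*#/ { next }
        $1 == "auth.info" && $2 == target { found = 1 }
        END { exit(found ? 0 : 1) }' "$1"
}

# Print the config with the first run of spaces on each tab-less active line
# replaced by a single tab. Selectors never contain spaces, so this only
# touches the column separator.
fix_separators() {
    awk '!/^[ \t]*#/ && NF >= 2 && !/\t/ { sub(/ +/, "\t") } { print }' "$1"
}

echo "space-separated lines in sample: $(count_space_separated "$SAMPLE_CONF")"
if has_auth_info_route "$SAMPLE_CONF" /var/adm/authlog; then
    echo "auth.info -> /var/adm/authlog route present"
fi
fix_separators "$SAMPLE_CONF" > "$SAMPLE_CONF.fixed"
echo "space-separated lines after fix: $(count_space_separated "$SAMPLE_CONF.fixed")"
```

Run `fix_separators /etc/syslog.conf > /tmp/syslog.conf.new`, diff it against the original, and only then copy it into place and restart system-log; the backup taken at the start of the exercise covers the rollback.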

II. Perform These Steps On the Server Named “solaris”

8. Make sure the /etc/hosts file contains an entry for the logserver as follows:

10.100.0.187    logserver loghost

9. After a reboot, or svcadm restart system-log, make sure there are no error messages in the /var/adm/messages file from syslogd like this:

syslogd:  WARNING: loghost could not be resolved

10. You should be able to ping loghost as follows:

root@solaris /$ ping loghost
loghost is alive

11.  Uncomment the following line in the /etc/syslog.conf file (syslogd runs the file through m4, and LOGHOST is defined only on the host that resolves loghost to itself, so on “solaris” this line forwards auth.info messages to @loghost instead of writing them locally):

# auth.info                       ifdef(`LOGHOST', /var/log/authlog, @loghost)

Example Before:

# auth.info                       ifdef(`LOGHOST', /var/log/authlog, @loghost)

Example After:

auth.info                       ifdef(`LOGHOST', /var/log/authlog, @loghost)

12.  Restart the syslogd daemon as follows:

# svcadm restart system-log

13.  Verify the service is online as follows:

# svcs system-log
STATE          STIME    FMRI
online         10:01:21 svc:/system/system-log:default

III. Test the setup

For the test, you’ll open (4) terminal sessions.

Terminal 1: Open a terminal window to the “solaris” server and type:

root@solaris /# snoop port 514

<leave this running in the terminal window>


Terminal 2: Open a terminal window to the “logserver” server and type:

root@logserver /# snoop solaris

<leave this running in the terminal window>

Terminal 3: Open a terminal window to the “logserver” server and type:

root@logserver /# tail -f /var/adm/authlog

<leave this running in the terminal window.  You will actively watch the /var/adm/authlog file for new entries>

Terminal 4:  Use PuTTY or some other terminal window to ssh to the “solaris” (10.100.0.186) server as follows:

$ ssh root@solaris
Type password

When you enter the password in Terminal 4, the following should happen in the other terminal windows:

Terminal 1: You should see the following message (in red) that indicates “solaris” is sending syslog messages over port 514 to the “logserver”

# snoop port 514
Using device e1000g0 (promiscuous mode)
    solaris -> logserver    SYSLOG C port=32779 auth.info: <38>Aug 22 10:57:28

Terminal 2:  On the loghost, you should see the following messages (in red) coming from the “solaris” server, indicating that “logserver” is receiving messages from syslogd on the remote “solaris” host:

# snoop solaris
Using device e1000g0 (promiscuous mode)
     solaris -> logserver    SYSLOG C port=32779 auth.info: <38>Aug 22 11:00:57
   logserver -> solaris      TCP D=32797 S=22 Push Ack=220090959 Seq=1393572300 Len=128 Win=49640
     solaris -> logserver    TCP D=22 S=32797 Ack=1393572428 Seq=220090959 Len=0 Win=49640
   logserver -> solaris      TCP D=32797 S=22 Push Ack=220090959 Seq=1393572428 Len=240 Win=49640
     solaris -> logserver    TCP D=22 S=32797 Ack=1393572668 Seq=220090959 Len=0 Win=49640
   logserver -> solaris      TCP D=32797 S=22 Push Ack=220090959 Seq=1393572668 Len=240 Win=49640
     solaris -> logserver    TCP D=22 S=32797 Ack=1393572908 Seq=220090959 Len=0 Win=49640

In Terminal 2, press ctrl+C to stop snoop from executing.

Terminal 3: You should see the following message added to the /var/adm/authlog file:

Aug 22 11:24:15 solaris sshd[931]: [ID 800047 auth.info] Accepted keyboard-interactive for root from 10.100.0.186 port 32800 ssh2

If you intentionally enter the wrong password in Terminal 4, the following message gets logged to /var/adm/authlog:

Aug 22 11:24:06 solaris sshd[931]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
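The `<38>` that snoop prints in front of the message is the syslog priority: facility times 8 plus severity, so 38 = 4 * 8 + 6 = auth.info, which is exactly the selector you routed. Because the datagram travels in cleartext UDP, snoop can show it; the same applies to anyone else on the path. The script below is an added example (not from the original post) that decodes a PRI value, pulls it out of a snoop line like the one above, and tallies accepted versus failed sshd logins per sending host from authlog lines. The sample lines are constructed to match the ones in this section; the facility table follows RFC 3164 numbering, and codes 9 and 15 are assigned differently by some implementations, so treat those two as an assumption.

```shell
#!/bin/sh
# Added example, not part of the original post: decode the <PRI> value that
# snoop shows on the SYSLOG datagram (e.g. <38>) and tally sshd outcomes in
# /var/adm/authlog. Sample lines are constructed; nothing here touches the network.

# Facility (0..23) and severity (0..7) keywords per RFC 3164. Codes 9 and 15
# differ between implementations (assumption: RFC numbering is used here).
FACILITIES="kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp audit alert clock local0 local1 local2 local3 local4 local5 local6 local7"
SEVERITIES="emerg alert crit err warning notice info debug"

# Print "facility.severity" for a numeric PRI (facility * 8 + severity).
decode_pri() {
    case $1 in
        ''|*[!0-9]*) echo "decode_pri: not a number: $1" >&2; return 1 ;;
    esac
    [ "$1" -le 191 ] || { echo "decode_pri: PRI out of range: $1" >&2; return 1; }
    fac=$(( $1 / 8 ))
    sev=$(( $1 % 8 ))
    set -- $FACILITIES; shift "$fac"; facname=$1   # unquoted on purpose: word split
    set -- $SEVERITIES; shift "$sev"; sevname=$1
    echo "$facname.$sevname"
}

# Extract the number inside the first <...> of a snoop SYSLOG line.
pri_from_snoop_line() {
    printf '%s\n' "$1" | sed -n 's/.*<\([0-9][0-9]*\)>.*/\1/p'
}

# Constructed authlog sample: two failures followed by a success, as in the test.
AUTHLOG_SAMPLE="${TMPDIR:-/tmp}/authlog.sample.$$"
trap 'rm -f "$AUTHLOG_SAMPLE"' EXIT
cat > "$AUTHLOG_SAMPLE" <<'EOF'
Aug 22 11:24:06 solaris sshd[931]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
Aug 22 11:24:10 solaris sshd[931]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed
Aug 22 11:24:15 solaris sshd[931]: [ID 800047 auth.info] Accepted keyboard-interactive for root from 10.100.0.186 port 32800 ssh2
EOF

# Print "<host> accepted=<n> failed=<n>" for every host whose sshd wrote to the
# log. On the central server the host column is what separates senders.
summarize_sshd() {
    awk '$5 ~ /^sshd\[/ {
            host = $4
            if ($0 ~ / Accepted /) acc[host]++
            else if ($0 ~ /userauth failed/) fail[host]++
            hosts[host] = 1
         }
         END { for (h in hosts) printf "%s accepted=%d failed=%d\n", h, acc[h], fail[h] }' "$1"
}

SNOOP_LINE='    solaris -> logserver    SYSLOG C port=32779 auth.info: <38>Aug 22 10:57:28'
echo "PRI <38> decodes to $(decode_pri 38)"
echo "PRI on the snoop line: $(pri_from_snoop_line "$SNOOP_LINE")"
summarize_sshd "$AUTHLOG_SAMPLE"
```

Running `summarize_sshd /var/adm/authlog` on the logserver gives a quick per-host view of failures against successes once several hosts forward to it; a burst of failures followed by an Accepted line for the same host is the pattern worth a closer look.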
