{"id":2160,"date":"2018-08-27T17:04:29","date_gmt":"2018-08-27T21:04:29","guid":{"rendered":"https:\/\/unixed.com\/?p=2160"},"modified":"2018-08-27T17:15:52","modified_gmt":"2018-08-27T21:15:52","slug":"setup-a-syslog-central-server-on-solaris","status":"publish","type":"post","link":"https:\/\/unixed.com\/index.php\/2018\/08\/27\/setup-a-syslog-central-server-on-solaris\/","title":{"rendered":"Setup a Syslog central Server on Solaris"},"content":{"rendered":"

Description:<\/strong> Setup a server to send syslog messages to a central syslog server<\/p>\n

Setup:<\/strong>\u00a0For the example, I’ll use two virtual servers in VirtualBox. \u201csolaris\u201d will be the host sending syslog messages to \u201clogserver,\u201d a second VM.\u00a0 Logserver is a server that you will setup as a central syslog server.<\/p>\n

For this exercise, \u201csolaris\u201d has an IP address of 10.100.0.186 and \u201clogserver\u201d has 10.100.0.187
\nMake sure each server can ping each other.<\/p>\n

\"\"<\/p>\n

or Bridged Adapter<\/p>\n

\"\"<\/p>\n

You\u2019ll be opening multiple terminal windows on each server, so it will be helpful to use the bash shell and change your shell prompt as follows on each server:<\/p>\n

PS1='\\u@\\h \\W\\\\$ '<\/code><\/pre>\n
The prompt will display which server and directory you are logged into as follows:<\/p>\n
root@logserver \/$<\/code><\/pre>\n
On each server, make a backup copy of the \/etc\/syslog.conf file that you will be editing in this exercise as follows:<\/p>\n
root@solaris \/$ cp \/etc\/syslog.conf \/etc\/syslog.conf.BAK\r\nroot@logserver \/$ cp \/etc\/syslog.conf \/etc\/syslog.conf.BAK<\/code><\/pre>\n
Step by Step Procedure<\/strong><\/p>\n
I. Perform These Steps on logserver<\/p>\n
1.\u00a0 Make sure the \/etc\/hosts file contains an entry for the logserver as follows:<\/p>\n
10.100.0.187\u00a0\u00a0\u00a0 logserver loghost<\/code><\/pre>\n
2.\u00a0 After a reboot, or svcadm restart system-log, make sure there are no error messages in the \/var\/adm\/messages file from syslogd like this:<\/p>\n
syslogd:\u00a0 WARNING: loghost could not be resolved<\/code><\/pre>\n
3.\u00a0 Make sure the syslogd daemon is configured to receive messages from the network by verifying the log_from_remote_boolean property is set to true as follows:<\/p>\n
# svccfg -s system-log listprop config\/log_from_remote<\/strong>\r\nconfig\/log_from_remote\u00a0 boolean\u00a0 true<\/code><\/pre>\n
If the property is set to false, change it as follows:<\/p>\n
# svccfg -s system-log setprop config\/log_from_remote=true<\/strong><\/code><\/pre>\n
4. Add this line to the \/etc\/syslog.conf file:<\/p>\n
auth.info \/var\/adm\/authlog<\/code><\/pre>\n
Note: Use only tabs to separate the columns, no spaces<\/p>\n
Example Before:<\/p>\n
*.err;kern.notice;auth.notice\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/dev\/sysmsg\r\n*.err;kern.debug;daemon.notice;mail.crit\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/var\/adm\/messages\r\n*.alert;kern.err;daemon.err\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 operator\r\n*.alert\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 root<\/code><\/pre>\n
Example After:<\/p>\n
*.err;kern.notice;auth.notice\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/dev\/sysmsg\r\n*.err;kern.debug;daemon.notice;mail.crit\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/var\/adm\/messages\r\n*.alert;kern.err;daemon.err\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 operator\r\n*.alert\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 root\r\nauth.info\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 \/var\/adm\/authlog<\/strong><\/code><\/pre>\n
5. Restart the syslogd daemon as follows:<\/p>\n
# svcadm restart system-log<\/code><\/pre>\n
6. Verify the syslog service is online:<\/p>\n
# svcs system-log<\/strong>\r\nSTATE\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 STIME\u00a0\u00a0\u00a0 FMRI\r\nonline\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 10:01:21 svc:\/system\/system-log:default<\/code><\/pre>\n
7. Make sure your logserver is setup to resolve the system IP addresses through either local files or DNS. If local files, make this entry in your \/etc\/hosts file for the remote server that will be sending syslog messages:<\/p>\n
10.100.0.186\u00a0\u00a0\u00a0 solaris<\/code><\/pre>\n
II. Perform These Steps On the Server Named \u201csolaris\u201d <\/u><\/strong><\/p>\n
8. Make sure the \/etc\/hosts file contains an entry for the logserver as follows:<\/p>\n
10.100.0.187\u00a0\u00a0\u00a0 logserver loghost<\/code><\/pre>\n
9. After a reboot, or svcadm restart system-log, make sure there are no error messages in the \/var\/adm\/messages file from syslogd like this:<\/p>\n
syslogd:\u00a0 WARNING: loghost could not be resolved<\/code><\/pre>\n
10. You should be able to ping loghost as follows:<\/p>\n
root@solaris \/$ ping loghost<\/strong>\r\nloghost is alive<\/code><\/pre>\n
11.\u00a0 Uncomment the following line in the \/etc\/syslog.conf file:<\/p>\n
# auth.info\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ifdef(`LOGHOST', \/var\/log\/authlog, @loghost)<\/code><\/pre>\n
Example Before:<\/p>\n
# auth.info\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ifdef(`LOGHOST', \/var\/log\/authlog, @loghost)<\/code><\/pre>\n
Example After:<\/p>\n
auth.info\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ifdef(`LOGHOST', \/var\/log\/authlog, @loghost)<\/code><\/pre>\n
12.\u00a0 Restart the syslogd daemon as follows:<\/p>\n
# svcadm restart system-log<\/strong><\/code><\/pre>\n
13.\u00a0 Verify the service is online as follows:<\/p>\n
# svcs system-log<\/strong>\r\nSTATE\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 STIME\u00a0\u00a0\u00a0 FMRI\r\nonline\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 10:01:21 svc:\/system\/system-log:default<\/code><\/pre>\n
III. Test the setup<\/u><\/strong><\/p>\n
For the test, you\u2019ll open (4) terminal sessions.<\/p>\n
Terminal 1<\/u>: Open a terminal window to the \u201csolaris\u201d server and type:<\/p>\n
root@solaris \/# snoop port 514<\/strong><\/p>\n
<leave this running in the terminal window><\/p>\n
 <\/p>\n
Terminal 2<\/u>: Open a terminal window to the \u201clogserver\u201d server and type:<\/p>\n
root@logserver \/# snoop solaris<\/strong><\/pre>\n
<leave this running in the terminal window><\/p>\n
Terminal 3<\/u>: Open a terminal window to the \u201clogserver\u201d server and type:<\/p>\n
root@logserver \/# tail -f \/var\/adm\/authlog<\/strong><\/pre>\n
<leave this running in the terminal window.\u00a0 You will actively watch the \/var\/adm\/authlog file for new entries><\/p>\n
Terminal 4<\/u>:\u00a0 Use putty or some other terminal window to ssh to the \u201csolaris\u201d(10.100.0.186) server as follows:<\/p>\n
$ ssh root@solaris<\/strong>\r\nType password<\/pre>\n
When you enter the password in Terminal 4, the following should happen in the other terminal windows:<\/p>\n
Terminal 1: You should see the following message (in red) that indicates \u201csolaris\u201d is sending syslog messages over port 514 to the \u201clogserver\u201d<\/p>\n
# snoop port 514\r\nUsing device e1000g0 (promiscuous mode)\r\n\u00a0\u00a0\u00a0 solaris -> logserver\u00a0\u00a0\u00a0 SYSLOG C port=32779 auth.info: <38>Aug 22 10:57:28<\/pre>\n
Terminal 2:\u00a0 On the loghost, you should see the following messages (in red) coming from the \u201csolaris\u201d server indicating that \u201clogserver\u201d is receiving messages from syslogd on\u00a0 the remote \u201csolaris\u201d host:<\/p>\n
# snoop solaris\r\nUsing device e1000g0 (promiscuous mode)\r\n\u00a0\u00a0\u00a0\u00a0 solaris -> logserver\u00a0\u00a0\u00a0 SYSLOG C port=32779 auth.info: <38>Aug 22 11:00:57<\/span>\r\n\u00a0\u00a0 logserver -> solaris\u00a0\u00a0\u00a0\u00a0\u00a0 TCP D=32797 S=22 Push Ack=220090959 Seq=1393572300 Len=128 Win=49640<\/span>\r\n\u00a0\u00a0\u00a0\u00a0 solaris -> logserver\u00a0\u00a0\u00a0 TCP D=22 S=32797 Ack=1393572428 Seq=220090959 Len=0 Win=49640<\/span>\r\n\u00a0\u00a0 logserver -> solaris\u00a0\u00a0\u00a0\u00a0\u00a0 TCP D=32797 S=22 Push Ack=220090959 Seq=1393572428 Len=240 Win=49640<\/span>\r\n\u00a0\u00a0\u00a0\u00a0 solaris -> logserver\u00a0\u00a0\u00a0 TCP D=22 S=32797 Ack=1393572668 Seq=220090959 Len=0 Win=49640<\/span>\r\n\u00a0\u00a0 logserver -> solaris\u00a0\u00a0\u00a0\u00a0\u00a0 TCP D=32797 S=22 Push Ack=220090959 Seq=1393572668 Len=240 Win=49640<\/span>\r\n\u00a0\u00a0\u00a0\u00a0 solaris -> logserver\u00a0\u00a0\u00a0 TCP D=22 S=32797 Ack=1393572908 Seq=220090959 Len=0 Win=49640<\/span><\/pre>\n
In Terminal 2, press ctrl+C to stop snoop from executing.<\/p>\n
Terminal 3: You should see the following message added to the \/var\/adm\/authlog file:<\/p>\n
Aug 22 11:24:15 solaris sshd[931]: [ID 800047 auth.info] Accepted keyboard-interactive for root from 10.100.0.186 port 32800 ssh2<\/pre>\n
If you intentionally enter the wrong password in Terminal 4, the following message gets logged to \/var\/adm\/authlog:<\/p>\n
Aug 22 11:24:06 solaris sshd[931]: [ID 800047 auth.info] Keyboard-interactive (PAM) userauth failed[9] while authenticating: Authentication failed<\/pre>\n
 <\/p>\n
 <\/p>\n","protected":false},"excerpt":{"rendered":"
Description: Setup a server to send syslog messages to a central syslog server Setup:\u00a0For the example, I’ll use two virtual servers in VirtualBox. \u201csolaris\u201d will be the host sending syslog […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"site-sidebar-layout":"default","site-content-layout":"default","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""}},"footnotes":""},"categories":[13,19,66],"tags":[67,68],"class_list":["post-2160","post","type-post","status-publish","format-standard","hentry","category-solaris-11","category-solaris10","category-syslog","tag-central-syslog-server","tag-solaris-syslog"],"aioseo_notices":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9J8F7-yQ","_links":{"self":[{"href":"https:\/\/unixed.com\/index.php\/wp-json\/wp\/v2\/posts\/2160","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unixed.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unixed.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unixed.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/unixed.com\/index.php\/wp-json\/wp\/v2\/comments?post=2160"}],"version-history":[{"count":3,"href":"https:\/\/unixed.com\/index.php\/wp-json\/wp\/v2\/posts\/2160\/revisions"}],"predecessor-version":[{"id":2165,"href":"https:\/\/unixed.com\/index.php\/wp-json\/wp\/v2\/posts\/2160\/revisions\/2165"}],"wp:attachment":[{"href":"https:\/\/unixed.com\/index.php\/wp-json\/wp\/v2\/media?parent=2160"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unixed.com\/index.php\/wp-json\/wp\/v2\/categories?post=2160"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unixed.com\/index.php\/wp-json\/wp\/v2\/tags?post=2160"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}