{"id":2169,"date":"2018-08-28T13:15:36","date_gmt":"2018-08-28T17:15:36","guid":{"rendered":"https:\/\/unixed.com\/?p=2169"},"modified":"2019-07-24T17:20:43","modified_gmt":"2019-07-24T21:20:43","slug":"working-with-rsyslog-in-solaris-11","status":"publish","type":"post","link":"https:\/\/unixed.com\/index.php\/2018\/08\/28\/working-with-rsyslog-in-solaris-11\/","title":{"rendered":"Working with rsyslog in Solaris 11"},"content":{"rendered":"\t\t<div data-elementor-type=\"wp-post\" data-elementor-id=\"2169\" class=\"elementor elementor-2169\" data-elementor-post-type=\"post\">\n\t\t\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-22adfb16 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"22adfb16\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-2e279fee\" data-id=\"2e279fee\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-374ab70c elementor-widget elementor-widget-text-editor\" data-id=\"374ab70c\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<!-- wp:paragraph -->\n<p>In this exercise you will:<\/p>\n<ul>\n<li>Install rsyslog and set it up to log messages to individual log files.<\/li>\n<li>Set up a central rsyslog server and configure an rsyslog client to send messages to the central server.<\/li>\n<li>Learn to customize the message format using templates.<\/li>\n<\/ul>\n<!-- \/wp:paragraph --><!-- wp:paragraph -->\n<p><strong>Setup:<\/strong><br \/>Perform this exercise on any system that has access to a pkg repository so you can install the 
rsyslog package. <br \/>For this example, I\u2019ve set up two virtual Solaris systems in VirtualBox. <br \/>A central log server: hostname logserver IP 10.100.0.189 <br \/>A remote client: hostname solaris IP 10.100.0.191<\/p>\n<!-- \/wp:paragraph --><!-- wp:heading {\"level\":4} -->\n<h4>I. Perform these steps on the host named &#8220;logserver&#8221;<\/h4>\n<!-- \/wp:heading --><!-- wp:list {\"ordered\":true} -->\n<p>1. First set the hostname to logserver and type:<\/p>\n<!-- \/wp:list --><!-- wp:code -->\n<pre class=\"wp-block-code\"><code># hostname logserver<\/code><\/pre>\n<!-- \/wp:code --><!-- wp:paragraph -->\n<p>If using DHCP, make an entry in \/etc\/nodename to make the hostname persistent as follows:<\/p>\n<pre>logserver<\/pre>\n<p>2. Check for the rsyslog pkg:<\/p>\n<pre># <strong>pkg list rsyslog<\/strong><br \/>pkg list: No packages matching 'rsyslog' installed<\/pre>\n<p>3. Make sure you have access to a package repository:<\/p>\n<pre># <strong>pkg publisher<\/strong><br \/>PUBLISHER  TYPE     STATUS   P  LOCATION<br \/>solaris    origin   online   F  file:\/\/\/IPS\/11.4\/<\/pre>\n<p>4. 
If the package is not installed, install it as follows:<\/p>\n<pre># <strong>pkg install rsyslog<\/strong><br \/>Packages to install: 4<br \/>Services to change: 1<br \/>Create boot environment: No<br \/>Create backup boot environment: No<br \/><br \/>Planning linked: 0\/1 done; 1 working: zone:zonea<br \/>Linked image 'zone:zonea' output:<br \/>`<br \/>Planning linked: 1\/1 done<br \/>DOWNLOAD PKGS FILES XFER (MB) SPEED<br \/>Completed 4\/4 309\/309 2.9\/2.9 0B\/s<br \/><br \/>Downloading linked: 0\/1 done; 1 working: zone:zonea<br \/>Downloading linked: 1\/1 done<br \/>PHASE ITEMS<br \/>Installing new actions 426\/426<br \/>Updating package state database Done<br \/>Updating package cache 0\/0<br \/>Updating image state Done<br \/>Creating fast lookup database Done<br \/>Executing linked: 0\/1 done; 1 working: zone:zonea<br \/>Executing linked: 1\/1 done<br \/>Updating package cache 1\/1<\/pre>\n<p>4. Disable the syslog daemon:<\/p>\n<pre># <strong>svcadm disable svc:\/system\/system-log:default<\/strong><\/pre>\n<p>5. Make a copy of the \/etc\/rsyslog.conf file:<\/p>\n<pre># <strong>cp \/etc\/rsyslog.conf \/etc\/rsyslog.conf.ORG<\/strong><\/pre>\n<p>6. Use the vi editor to edit the \/etc\/rsyslog.conf file. Locate this section of the file (approx. line 24):<\/p>\n<pre># Log all the auth, daemon &amp; mail messages in one place.<br \/>auth.* \/var\/log\/auth.log<br \/>daemon.* \/var\/log\/daemon.log<br \/>mail.* \/var\/log\/mail.log<\/pre>\n<p>7. 
Make these modifications (in red) to the file:<\/p>\n<pre># Log all the auth, daemon &amp; mail messages in one place.<br \/>auth.* \/var\/log\/auth.log<br \/>daemon.* \/var\/log\/daemon.log<br \/>mail.* \/var\/log\/mail.log<br \/><span style=\"color: #ff0000;\">mail.info \/var\/log\/mail.info<\/span><br \/><span style=\"color: #ff0000;\">mail.warn \/var\/log\/mail.warn<\/span><br \/><span style=\"color: #ff0000;\">mail.err \/var\/log\/mail.err<\/span><br \/><span style=\"color: #ff0000;\">daemon.* \/var\/log\/daemon.log<\/span><br \/><span style=\"color: #ff0000;\">kern.* \/var\/log\/kern.log<\/span><br \/><span style=\"color: #ff0000;\">user.* \/var\/log\/user.log<\/span><\/pre>\n<!-- \/wp:paragraph -->\n<p>8. Locate this section of the \/etc\/rsyslog.conf file (at the end of the file) and uncomment the lines highlighted in red:<\/p>\n<pre># ######### Receiving Messages from Remote Hosts ##########\n# TCP Syslog Server:\n# provides TCP syslog reception and GSS-API\n<span style=\"color: #ff0000;\">$ModLoad imtcp.so<\/span>       # load module\n<span style=\"color: #ff0000;\">$InputTCPServerRun 514<\/span>  # start up TCP listener at port 514\n \n# UDP Syslog Server:\n<span style=\"color: #ff0000;\">$ModLoad imudp.so <\/span>      # provides UDP syslog reception\n<span style=\"color: #ff0000;\">$UDPServerAddress * <\/span>    # listen to all IP addresses\n<span style=\"color: #ff0000;\">$UDPServerRun 514<\/span>       # start a UDP syslog server at standard port 514<\/pre>\n<p>9. Enable the rsyslog service as follows:<\/p>\n<pre># <strong>svcadm enable svc:\/system\/system-log:rsyslog<\/strong><\/pre>\n<p>10. Reboot the system and notice the new system messages on the console during the boot process:<\/p>\n<pre># <strong>init 6<\/strong> <\/pre>\n<p>11. 
Log in, change to the \/var\/log directory and view the new log files:<\/p>\n<pre>auth.log<br \/>kern.log<br \/>misc.log<br \/>daemon.log<br \/>mail.info<br \/>mail.log<br \/>user.log<\/pre>\n<p>12. From a remote system, ssh into the server named logserver and check the \/var\/log\/auth.log file for an entry like this:<\/p>\n<pre>Aug 28 07:21:10 solaris sshd[1208]: [ID 800047 auth.info] Accepted keyboard-interactive\/pam for root from 10.10.0.5 port 62192 ssh2<\/pre>\n<h4>II. Setup Remote Logging to a Central Host<\/h4>\n<p>Perform these steps on a remote client. For this example, my remote client is named &#8220;solaris.&#8221; You\u2019ll configure rsyslog on this client to send messages to a remote server named \u201clogserver\u201d.<\/p>\n<p>13. Make sure rsyslog is installed on this client, the rsyslog service is enabled and syslog is disabled, as described in steps 1-5.<\/p>\n<p>14. Use the vi editor to edit the \/etc\/rsyslog.conf file.<br \/>Locate this section of the file (approx. lines 37-47) and make the changes I\u2019ve highlighted in red:<\/p>\n<pre># Remote Logging (we use TCP for reliable delivery)<br \/># An on-disk queue is created for this action. 
If the remote host is<br \/># down, messages are spooled to disk and sent when it is up again.<br \/><span style=\"color: #ff0000;\">$WorkDirectory \/var\/spool\/rsyslog<\/span> # where to place spool files<br \/><span style=\"color: #ff0000;\">$ActionQueueFileName uniqName<\/span> # unique name prefix for spool files<br \/><span style=\"color: #ff0000;\">$ActionQueueMaxDiskSpace 1g<\/span> # 1gb space limit (use as much as possible)<br \/><span style=\"color: #ff0000;\">$ActionQueueSaveOnShutdown on<\/span> # save messages to disk on shutdown<br \/><span style=\"color: #ff0000;\">$ActionQueueType LinkedList<\/span> # run asynchronously<br \/><span style=\"color: #ff0000;\">$ActionResumeRetryCount -1<\/span> # infinite retries if host is down<br \/># remote host is: name\/ip:port, e.g. 192.168.0.1:514, port optional<br \/><span style=\"color: #ff0000;\">*.* @@logserver:514<\/span><\/pre>\n<p>Note: The above section instructs the rsyslog daemon to send all log messages, regardless of facility or severity, to the host named logserver (an IP address can also be used) on TCP port 514. <br \/>The host name is prefixed with either @@ or @: @@ = TCP, @ = UDP.<br \/>If you only want to forward selected messages, for instance every message from the mail facility regardless of its priority level, add a line like this to the rsyslog configuration file:<br \/>mail.* @logserver:514<\/p>\n<p>15. Make an entry in the \/etc\/hosts file for logserver:<\/p>\n<pre>10.100.0.189 logserver<\/pre>\n<p>16. Restart the rsyslog service as follows:<\/p>\n<pre># <strong>svcadm restart svc:\/system\/system-log:rsyslog<\/strong><\/pre>\n<h4>Watch the rsyslog activity on the logserver<\/h4>\n<p>Use either snoop or wireshark (tshark) to watch the network activity for port 514 (rsyslog messages). For this example we\u2019ll use snoop.<\/p>\n<p>17. 
Start the snoop utility on the logserver as follows:<\/p>\n<pre># <strong>snoop port 514<\/strong><br \/>Using device net0 (promiscuous mode)<\/pre>\n<p>As messages get sent to the logserver from the client, you\u2019ll see activity similar to this (snoop and tshark decode TCP port 514 as the rsh protocol, so the rsyslog stream is labelled RSHELL or RSH):<\/p>\n<pre>10.100.0.189 -&gt; 10.100.0.191 RSHELL C port=33277 &lt;39&gt;Aug 28 07:59:18<br \/>10.100.0.191 -&gt; 10.100.0.189 RSHELL R port=33277<\/pre>\n<p>You can also use tshark (the terminal version of Wireshark), if it is installed, as follows:<\/p>\n<pre># <strong>tshark -f \"tcp port 514\"<\/strong><br \/>Capturing on 'net0'<br \/>1 0.000000 10.100.0.189 \u2192 10.100.0.191 RSH 316 Client -&gt; Server data<br \/>2 0.068643 10.100.0.191 \u2192 10.100.0.189 TCP 66 514 \u2192 61615 [ACK] Seq=1 Ack=251 Win=64074 Len=0 TSval=334322 TSecr=260944<br \/>3 6.841524 10.100.0.189 \u2192 10.100.0.191 RSH 205 Client -&gt; Server data<br \/>4 6.898634 10.100.0.191 \u2192 10.100.0.189 TCP 66 514 \u2192 61615 [ACK] Seq=1 Ack=390 Win=64074 Len=0 TSval=335005 TSecr=261628<\/pre>\n<p>18. Reboot the client and watch the \/var\/log\/daemon.log file on the logserver; notice that all of the boot messages are logged in that file. Each entry carries the client\u2019s hostname, as follows:<\/p>\n<pre>Aug 28 07:54:30 solaris devchassisd[863]: [ID 752255 daemon.info] devchassis daemon started.<\/pre>\n<p>19. 
When the client reboots, you\u2019ll see several messages in the snoop session as boot messages get transferred to the logserver.<\/p>\n<h4>Using Custom Templates with rsyslog<\/h4>\n<p>The default message template in Solaris is specified by the following entry located near the top of the \/etc\/rsyslog.conf file:<\/p>\n<pre>$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat<\/pre>\n<p>This template generates messages in the traditional syslogd style, which look like this:<\/p>\n<pre>Aug 28 08:45:43 solaris sshd[1159]: [ID 800047 auth.info] Accepted keyboard-interactive\/pam for root from 10.100.0.191 port 45171 ssh2<\/pre>\n<p>Specify a custom message format by using the $template statement in the rsyslog.conf file as follows:<\/p>\n<pre>$template precise,\"%syslogseverity-text%,%syslogfacility-text%,%timegenerated%,%HOSTNAME%,%syslogtag%,%msg%\\n\"<\/pre>\n<p>Apply this template to a logging rule by appending its name to the action, as follows:<\/p>\n<pre>auth.* \/var\/log\/auth.log;precise<\/pre>\n<p>This will generate a message that looks like this:<\/p>\n<pre>info,auth,Aug 28 10:14:37,solaris,sshd[1408]:, [ID 800047 auth.info] Accepted keyboard-interactive\/pam for root from 10.10.0.5 port 64069 ssh2<\/pre>\n<p>All of the properties available for customizing your template can be found here:<br \/><a href=\"https:\/\/www.rsyslog.com\/doc\/v7-stable\/configuration\/properties.html\">https:\/\/www.rsyslog.com\/doc\/v7-stable\/configuration\/properties.html<\/a><\/p>\n\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<section class=\"elementor-section elementor-top-section elementor-element elementor-element-dd8f747 elementor-section-boxed elementor-section-height-default elementor-section-height-default\" data-id=\"dd8f747\" data-element_type=\"section\">\n\t\t\t\t\t\t<div class=\"elementor-container 
elementor-column-gap-default\">\n\t\t\t\t\t<div class=\"elementor-column elementor-col-100 elementor-top-column elementor-element elementor-element-f6404ce\" data-id=\"f6404ce\" data-element_type=\"column\">\n\t\t\t<div class=\"elementor-widget-wrap elementor-element-populated\">\n\t\t\t\t\t\t<div class=\"elementor-element elementor-element-431f34d elementor-widget elementor-widget-text-editor\" data-id=\"431f34d\" data-element_type=\"widget\" data-widget_type=\"text-editor.default\">\n\t\t\t\t<div class=\"elementor-widget-container\">\n\t\t\t\t\t\t\t<p>For more information on Solaris 11 system messaging, syslog and rsyslog, check out my 40-minute training video titled &#8220;<a href=\"https:\/\/unixed.com\/index.php\/video-courses\/#admin1topics\">Configure and Manage System Messages<\/a>&#8221; where I explain and demonstrate the entire process. I even provide hands-on lab exercises for you to work on to help it sink in.<\/p>\t\t\t\t\t\t<\/div>\n\t\t\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/div>\n\t\t\t\t\t<\/div>\n\t\t<\/section>\n\t\t\t\t<\/div>\n\t\t","protected":false},"excerpt":{"rendered":"<p>In this exercise you will: Install rsyslog and set it up to log messages to individual log files. Set up a central rsyslog server and configure an rsyslog client to send 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"site-sidebar-layout":"default","site-content-layout":"default","ast-site-content-layout":"","site-content-style":"default","site-sidebar-style":"default","ast-global-header-display":"","ast-banner-title-visibility":"","ast-main-header-display":"","ast-hfb-above-header-display":"","ast-hfb-below-header-display":"","ast-hfb-mobile-header-display":"","site-post-title":"","ast-breadcrumbs-content":"","ast-featured-img":"","footer-sml-layout":"","theme-transparent-header-meta":"default","adv-header-id-meta":"","stick-header-meta":"","header-above-stick-meta":"","header-main-stick-meta":"","header-below-stick-meta":"","astra-migrate-meta-layouts":"default","ast-page-background-enabled":"default","ast-page-background-meta":{"desktop":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"tablet":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"mobile":{"background-color":"","background-image":"","background-repeat":"repeat","background-position":"center 
center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""}},"ast-content-background-meta":{"desktop":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"tablet":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""},"mobile":{"background-color":"var(--ast-global-color-5)","background-image":"","background-repeat":"repeat","background-position":"center center","background-size":"auto","background-attachment":"scroll","background-type":"","background-media":"","overlay-type":"","overlay-color":"","overlay-gradient":""}},"footnotes":""},"categories":[13,66],"tags":[71,72],"class_list":["post-2169","post","type-post","status-publish","format-standard","hentry","category-solaris-11","category-syslog","tag-solaris-rsyslog","tag-solaris-rsyslogd"],"aioseo_notices":[],"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9J8F7-yZ","_links":{"self":[{"href":"https:\/\/unixed.com\/index.php\/wp-json\/wp\/v2\/posts\/2169","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/unixed.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/unixed.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/unixed.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/unixed.com\/index.php\/wp-json\/wp\/v2\/comments?post=2169"}],"version-history":[
{"count":8,"href":"https:\/\/unixed.com\/index.php\/wp-json\/wp\/v2\/posts\/2169\/revisions"}],"predecessor-version":[{"id":2756,"href":"https:\/\/unixed.com\/index.php\/wp-json\/wp\/v2\/posts\/2169\/revisions\/2756"}],"wp:attachment":[{"href":"https:\/\/unixed.com\/index.php\/wp-json\/wp\/v2\/media?parent=2169"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/unixed.com\/index.php\/wp-json\/wp\/v2\/categories?post=2169"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/unixed.com\/index.php\/wp-json\/wp\/v2\/tags?post=2169"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}