12 Replies Latest reply: Jul 1, 2009 12:56 AM by 807567

Sending syslog to remote server

807567 Newbie
Solaris 10

How can I get user login attempts sent to a sys log server? I have tried the following in the syslog.conf file:

auth.*@hostname

auth.notice@hostname

and

auth.* <tab> @hostname

Nothing is being sent to my syslog server, although syslogd -d gives no errors.

Please help - Donald
  • 1. Re: Sending syslog to remote server
    807567 Newbie
    Hi,

    Have you done a refresh of the service to re-read the syslog.conf file?
    svcadm refresh svc:/system/system-log:default
    Have you tried with the IP of your syslog server instead of the hostname?

    (I believe your last try is the good one: auth.*<tab>@hostname)

    Groucho_fr
  • 2. Re: Sending syslog to remote server
    807567 Newbie
    auth.*<tab>@hostname

    gives me an unknown priority error.
  • 3. Re: Sending syslog to remote server
    807567 Newbie
    And this: auth.notice<tab>@hostname ?
  • 4. Re: Sending syslog to remote server
    807567 Newbie
    That gives no errors but no messages to the syslog device. What would that show? The output of 'last' or just failed attempts?

    -Thanks
  • 5. Re: Sending syslog to remote server
    user4994457 Newbie
    * isn't a valid priority in Solaris syslog. Use 'debug' to get debug and above, which would be all messages.

    auth.debug @hostname

    --
    Darren
  • 6. Re: Sending syslog to remote server
    807567 Newbie
    I still get no messages on my syslog server. Do you know how I can test the logs?

    -Thanks
  • 7. Re: Sending syslog to remote server
    user4994457 Newbie
    'logger' is a way to send a message to syslog with whatever facility and priority you want.
    logger -p auth.notice your message
    You can run syslogd in debug mode to see some of the configuration stuff, but your setup seems rather simple.

    You can run 'snoop' on the interface to see if you see syslog packets leaving the server
    snoop udp port 514
    Is it possible your remote syslog server is not listening for remote syslog information?
    --
    Darren
  • 8. Re: Sending syslog to remote server
    Robert Cohen Newbie
    Try

    svccfg -s system-log setprop config/log_from_remote=true
    svcadm restart system-log

    On the remote system.

    This is assuming its Solaris 10
  • 9. Re: Sending syslog to remote server
    807567 Newbie
    Just a small precision to be sure we are going the right way: you have to put at least one <tab> (no space)
    between the facility.level and the action field. So if I take the good suggestion of Darren, you have to put:

    auth.debug<tab>@hostname

    Otherwise you will get an error "unknown priority name" (just tested), or it will not work anyway.

    @robert.cohen: really nice!!! Surely I will use this.

    Groucho_fr
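Added here as an example, not code from the thread: a small POSIX shell/awk lint that checks a Solaris 10 style syslog.conf for the two mistakes this thread turns on, a space instead of a tab between selector and action (reply 9) and '*' used as a level (reply 5). The level and facility names are the ones syslog.conf(4) lists; the function names and the constructed sample file are this example's own assumptions.

```shell
# Added example, not from the thread: lint a Solaris 10 style syslog.conf for
# the mistakes discussed in replies 5 and 9 (space instead of tab, '*' as a
# level). Names come from syslog.conf(4); function names are this example's own.
LEVELS="emerg alert crit err warning notice info debug none"
FACILITIES="* user kern mail daemon auth lpr news uucp cron audit mark local0 local1 local2 local3 local4 local5 local6 local7"

# check_syslog_conf FILE: one diagnostic per bad line, exit status 1 if any.
check_syslog_conf() {
    awk -v levels="$LEVELS" -v facs="$FACILITIES" '
    BEGIN {
        n = split(levels, a, " "); for (i = 1; i <= n; i++) lvl_ok[a[i]] = 1
        n = split(facs, a, " ");   for (i = 1; i <= n; i++) fac_ok[a[i]] = 1
    }
    { sub(/^ +/, "") }                  # tolerate forum-style leading spaces
    /^#/ || /^$/ { next }               # comment or blank line
    /^ifdef\(/ || /^\)/ { next }        # m4 wrapper lines in the stock file
    {
        tab = index($0, "\t")
        if (tab == 0) {
            printf "%s:%d: no <tab> between selector and action: %s\n", FILENAME, NR, $0
            bad = 1; next
        }
        n = split(substr($0, 1, tab - 1), sel, ";")
        for (i = 1; i <= n; i++) {
            if (sel[i] == "") continue
            dot = index(sel[i], ".")
            if (dot == 0) { printf "%s:%d: selector \"%s\" has no level\n", FILENAME, NR, sel[i]; bad = 1; continue }
            lvl = substr(sel[i], dot + 1)
            if (!(lvl in lvl_ok)) {
                printf "%s:%d: unknown priority name \"%s\" in %s\n", FILENAME, NR, lvl, sel[i]
                bad = 1
            }
            m = split(substr(sel[i], 1, dot - 1), fac, ",")
            for (j = 1; j <= m; j++) if (!(fac[j] in fac_ok)) {
                printf "%s:%d: unknown facility \"%s\" in %s\n", FILENAME, NR, fac[j], sel[i]
                bad = 1
            }
        }
    }
    END { exit bad + 0 }' "$1"
}

# Demo on a constructed file holding the variants tried in the thread (real tabs).
demo_syslog_conf_check() {
    f=$(mktemp) || return 2
    printf 'auth.*@hostname\nauth.notice @hostname\nauth.*\t@hostname\nauth.debug\t@hostname\n' > "$f"
    if check_syslog_conf "$f"; then rc=0; else rc=$?; fi
    rm -f "$f"; return $rc
}
```

Run check_syslog_conf /etc/syslog.conf on the sending host before the svcadm refresh; demo_syslog_conf_check reports the first three of the thread's four variants and passes only auth.debug<tab>@hostname.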
  • 10. Re: Sending syslog to remote server
    807567 Newbie
    Hi

    I have the same issue; if I set *.info (all events), the remote logon attempt is received by my syslog server as system3.info.

    However, I cannot find a match for system3 in the list of allowed facilities.

    If I use auth.info, I can receive messages when the su command is used remotely and when root logs on locally.

    Can someone suggest the correct field to send remote connection attempts?
  • 11. Re: Sending syslog to remote server
    807567 Newbie
    Hi

    I think I have sorted this. If you use audit.notice instead of auth.notice (not listed in the docs) it works. Trial and error.
  • 12. Re: Sending syslog to remote server
    807567 Newbie
    Hello,

    Try auth.debug<tab>@loghost-ip or auth.info<tab>@loghost-ip

    # cat syslog.conf
    #ident  "@(#)syslog.conf        1.5     98/12/14 SMI"   /* SunOS 5.0 */
    #
    # syslog configuration file.
    #-----
    # Solaris 10 - Syslog
    #-----
    #
    *.err;kern.notice;auth.notice                           /dev/sysmsg
    *.info;kern.debug;mail.none;auth.none;cron.none;local0.none;local1.none;local2.none;local3.none;local4.none;local5.none;local6.none;local7.none;        /var/adm/messages
    *.debug                                                       @<ip 1>
    *.debug                                                       @<ip 2>
    local0.info                                             /var/adm/localmessages.log
    local1.info                                             /var/adm/localmessages.log
    local2.info                                             /var/adm/localmessages.log
    local3.info                                             /var/adm/localmessages.log
    local4.info                                             /var/adm/localmessages.log
    local5.info                                             /var/adm/localmessages.log
    local6.info                                             /var/adm/localmessages.log
    local7.info                                             /var/adm/localmessages.log
    auth.info                                               /var/adm/authlog
    # cron.info                                             /var/adm/cron.log
    mail.debug                                              /var/adm/mail

    *.alert;kern.err;daemon.err                     operator
    *.alert                                         root
    *.emerg                                         *

    ifdef(`LOGHOST', ,
    user.err                                        /dev/sysmsg
    user.err                                        /var/adm/messages
    user.alert                                      `root, operator'
    user.emerg                                      *
    )
    Edited by: MangoJ on Jul 1, 2009 12:54 AM

    Edited by: MangoJ on Jul 1, 2009 12:55 AM