Have you done a refresh of the service to re-read the syslog.conf file?
Have you tried with the IP of your syslog server instead of the hostname?
svcadm refresh svc:/system/system-log:default
(I believe your last try is the good one : auth.*<tab>@hostname)
gives me an unknown priority error.
and this : auth.notice<tab>@hostname ?
That gives no errors but no messages to the syslog device. What would that show? The output of 'last' or just failed attempts?
* isn't a valid priority in Solaris syslog. Use 'debug' to get debug and above, which would be all messages.
I still get no messages on my syslog server. Do you know how I can test the logs?
'logger' is a way to send a message to syslog with whatever facility and priority you want.
You can run syslogd in debug mode to see some of the configuration stuff, but your setup seems rather simple.
logger -p auth.notice your message
You can run 'snoop' on the interface to see if you see syslog packets leaving the server
Is it possible your remote syslog server is not listening for remote syslog information?
snoop udp port 514
svccfg -s system-log setprop config/log_from_remote=true
svcadm restart system-log
On the remote system.
This is assuming it's Solaris 10.
Just a small precision to be sure we are in the good way. You have to put at least one <tab> (no space)
between the facility.level and the action field. So if I take the good suggestion of Darren, you have to put.
Otherwise you will have an error "unknown priority name" (just tested) or will not work anyway.
@robert.cohen : really nice!!! surely I will use this.
I have the same issue; if I set the *.info (all events) the remote logon attempt is received by my syslog server as system3.info
However cannot find a match for system3 in the list of allowed facilities.
If I use the auth.info I can receive messages when the su command is used remotely and when Root logs on locally.
Can someone suggest the correct field to send remote connection attempts?
Think I have sorted this. If you use audit.notice instead of auth.notice (not listed in docs) it works. Trial and error.
Try auth.debug<tab>@loghost-ip or auth.info<tab>@loghost-ip
# cat syslog.conf
Edited by: MangoJ on Jul 1, 2009 12:54 AM
#ident "@(#)syslog.conf 1.5 98/12/14 SMI" /* SunOS 5.0 */
#
# syslog configuration file.
#-----
# Solaris 10 - Syslog
#-----
#
*.err;kern.notice;auth.notice /dev/sysmsg
*.info;kern.debug;mail.none;auth.none;cron.none;local0.none;local1.none;local2.none;local3.none;local4.none;local5.none;local6.none;local7.none; /var/adm/messages
*.debug @<ip 1>
*.debug @<ip 2>
local0.info /var/adm/localmessages.log
local1.info /var/adm/localmessages.log
local2.info /var/adm/localmessages.log
local3.info /var/adm/localmessages.log
local4.info /var/adm/localmessages.log
local5.info /var/adm/localmessages.log
local6.info /var/adm/localmessages.log
local7.info /var/adm/localmessages.log
auth.info /var/adm/authlog
# cron.info /var/adm/cron.log
mail.debug /var/adm/mail
*.alert;kern.err;daemon.err operator
*.alert root
*.emerg *
ifdef(`LOGHOST', ,
user.err /dev/sysmsg
user.err /var/adm/messages
user.alert `root, operator'
user.emerg *
)
Edited by: MangoJ on Jul 1, 2009 12:55 AM
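The two configuration mistakes raised in this thread (a space instead of a tab before the action, and `*` used as a priority) can be caught before refreshing the service. The following lint function is an added example, not something posted by the thread's participants; the facility and priority lists are assumed from syslog.conf(4) plus the `audit` facility mentioned above, and the `loghost` sample lines are constructed.

```shell
#!/bin/sh
# lint_syslog_conf [FILE...]: check Solaris-style syslog.conf selectors.
# Prints one line per problem; exit status is 1 if any problem was found.
lint_syslog_conf() {
    awk '
    BEGIN {
        bad = 0
        # Assumed valid names (syslog.conf(4)); "*" is a facility, not a priority.
        n = split("user kern mail daemon auth lpr news uucp cron audit mark *", a, " ")
        for (i = 1; i <= n; i++) fac[a[i]] = 1
        for (i = 0; i <= 7; i++) fac["local" i] = 1
        n = split("emerg alert crit err warning notice info debug none", a, " ")
        for (i = 1; i <= n; i++) pri[a[i]] = 1
    }
    /^[ \t]*(#|$)/ { next }            # comments and blank lines
    /^ifdef[(]/ || /^[)]/ { next }     # m4 wrapper lines around a block
    {
        tab = index($0, "\t")
        sel = substr($0, 1, tab - 1)   # selector field: everything before the first tab
        if (tab == 0 || sel ~ / /) {
            printf "%d: selector and action must be separated by tabs only\n", NR
            bad = 1; next
        }
        n = split(sel, part, ";")
        for (i = 1; i <= n; i++) {
            if (part[i] == "") continue        # tolerate a trailing ";"
            dot = index(part[i], ".")
            lvl = substr(part[i], dot + 1)
            if (dot == 0 || !(lvl in pri)) {
                printf "%d: unknown priority name in \"%s\"\n", NR, part[i]; bad = 1
            }
            m = split(dot ? substr(part[i], 1, dot - 1) : part[i], f, ",")
            for (j = 1; j <= m; j++)
                if (!(f[j] in fac)) {
                    printf "%d: unknown facility \"%s\"\n", NR, f[j]; bad = 1
                }
        }
    }
    END { exit bad }
    ' "$@"
}

# Constructed sample: line 1 uses a space, line 2 uses "*" as priority, line 3 is valid.
sample() { printf 'auth.notice @loghost\nauth.*\t@loghost\nauth.debug\t@loghost\n'; }
sample | lint_syslog_conf || true
```

To check a real file, call `lint_syslog_conf /etc/syslog.conf` before running `svcadm refresh`.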