12 Replies Latest reply: Jul 1, 2009 2:56 AM by 807567

    Sending syslog to remote server

    807567
      Solaris 10

      How can I get user login attempts sent to a syslog server? I have tried the following in the syslog.conf file:

      auth.*@hostname

      auth.notice@hostname

      and

      auth.* <tab> @hostname

      Nothing is being sent to my syslog server, although syslogd -d gives no errors.

      Please help - Donald
        • 1. Re: Sending syslog to remote server
          807567
          Hi,

          Have you done a refresh of the service to re-read the syslog.conf file?
          svcadm refresh svc:/system/system-log:default
          Have you tried with the IP of your syslog server instead of the hostname?

          (I believe your last try is the good one: auth.*<tab>@hostname)

          Groucho_fr
          • 2. Re: Sending syslog to remote server
            807567
            auth.*<tab>@hostname

            gives me an unknown priority error.
            • 3. Re: Sending syslog to remote server
              807567
              and this : auth.notice<tab>@hostname ?
              • 4. Re: Sending syslog to remote server
                807567
                That gives no errors but no messages to the syslog device. What would that show? The output of 'last' or just failed attempts?

                -Thanks
                • 5. Re: Sending syslog to remote server
                  user4994457
                  * isn't a valid priority in Solaris syslog. Use 'debug' to get debug and above, which would be all messages.

                  auth.debug @hostname

                  --
                  Darren
                  • 6. Re: Sending syslog to remote server
                    807567
                    I still get no messages on my syslog server. Do you know how I can test the logs?

                    -Thanks
                    • 7. Re: Sending syslog to remote server
                      user4994457
                      'logger' is a way to send a message to syslog with whatever facility and priority you want.
                      logger -p auth.notice your message
                      You can run syslogd in debug mode to see some of the configuration stuff, but your setup seems rather simple.

                      You can run 'snoop' on the interface to see if you see syslog packets leaving the server
                      snoop udp port 514
                      Is it possible your remote syslog server is not listening for remote syslog information?
                      --
                      Darren
                      • 8. Re: Sending syslog to remote server
                        Robert Cohen
                        Try

                        svccfg -s system-log setprop config/log_from_remote=true
                        svcadm restart system-log

                        On the remote system.

                        This is assuming it's Solaris 10.
                        • 9. Re: Sending syslog to remote server
                          807567
                          Just a small clarification to be sure we are on the right track. You have to put at least one <tab> (no space)
                          between the facility.level and the action field. So if I take Darren's good suggestion, you have to put:

                          auth.debug<tab>@hostname

                          Otherwise you will get an "unknown priority name" error (just tested), or it will not work anyway.

                          @robert.cohen: really nice!!! Surely I will use this.

                          Groucho_fr
                          • 10. Re: Sending syslog to remote server
                            807567
                            Hi

                            I have the same issue; if I set *.info (all events), the remote logon attempt is received by my syslog server as system3.info.

                            However, I cannot find a match for system3 in the list of allowed facilities.

                            If I use auth.info, I can receive messages when the su command is used remotely and when root logs on locally.

                            Can someone suggest the correct field to send remote connection attempts?
                            • 11. Re: Sending syslog to remote server
                              807567
                              Hi

                              I think I have sorted this. If you use audit.notice instead of auth.notice (not listed in the docs), it works. Trial and error.
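The two recurring problems in this thread are a selector line syslogd rejects (a space instead of a <tab>, or `*` used as a priority, as in replies 2, 5 and 9) and a facility the remote server shows under a name the sender's docs do not use (the system3 of replies 10 and 11). The script below is an added example, not code from the thread or from Solaris: it lints syslog.conf selector lines using the Solaris 10 facility and priority tables, and decodes the `<PRI>` prefix of a received datagram back into facility and priority names. The facility codes are the ones from Solaris `<sys/syslog.h>`, where code 13 is LOG_AUDIT, which Solaris calls `audit`; that a receiver labels this facility generically (system3 in reply 10) is consistent with reply 11's audit.notice working, but the label mapping of the poster's server is not known from the thread. The sample configuration and datagram are constructed.

```python
"""Added example (not from the thread): lint Solaris 10 syslog.conf selectors
and decode the <PRI> of datagrams a remote syslog server receives."""
import re

# Facility names Solaris 10 syslog.conf selectors accept, with the codes from
# <sys/syslog.h>. Facility 13 is LOG_AUDIT, which Solaris names "audit".
# (The "mark" timestamp pseudo-facility is omitted.)
FACILITIES = {
    "kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
    "lpr": 6, "news": 7, "uucp": 8, "cron": 9, "audit": 13,
    "local0": 16, "local1": 17, "local2": 18, "local3": 19,
    "local4": 20, "local5": 21, "local6": 22, "local7": 23,
}
# Priority (severity) names and codes. "*" is NOT a priority in Solaris syslog,
# and "none" is only valid inside a selector.
PRIORITIES = {
    "emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4,
    "notice": 5, "info": 6, "debug": 7,
}
SELECTOR_PRIORITIES = set(PRIORITIES) | {"none"}


def check_syslog_conf(text):
    """Return [(line_no, problem)] for lines Solaris syslogd would reject.

    Mirrors the parsing rules the thread ran into: the selector ends at the
    first real <tab> (a space does not count), and each selector is
    facility[,facility].priority with the priority taken from a fixed table.
    """
    problems = []
    for no, line in enumerate(text.splitlines(), 1):
        stripped = line.strip()
        # Blank lines, comments and the m4 ifdef(...) wrapper lines are not selectors.
        if not stripped or stripped[0] == "#" or stripped.startswith("ifdef(") or stripped == ")":
            continue
        if "\t" not in line:
            problems.append((no, "no <tab> between selector and action "
                                 "(syslogd reports 'unknown priority name')"))
            continue
        selector, action = line.split("\t", 1)
        if not action.strip():
            problems.append((no, "empty action field"))
        for item in selector.split(";"):
            item = item.strip()
            if not item:
                continue  # a trailing ';' leaves an empty item; syslogd skips it
            if "." not in item:
                problems.append((no, f"selector {item!r} has no .priority"))
                continue
            facs, pri = item.split(".", 1)
            if pri not in SELECTOR_PRIORITIES:
                problems.append((no, f"unknown priority name {pri!r}"))
            for fac in facs.split(","):
                if fac != "*" and fac not in FACILITIES:
                    problems.append((no, f"unknown facility name {fac!r}"))
    return problems


def decode_pri(datagram):
    """Map the <PRI> prefix of a received syslog datagram to (facility, priority) names."""
    m = re.match(r"<(\d{1,3})>", datagram)
    if not m:
        raise ValueError("datagram has no <PRI> prefix")
    fac_code, pri_code = divmod(int(m.group(1)), 8)
    fac_name = next((n for n, c in FACILITIES.items() if c == fac_code), f"facility{fac_code}")
    pri_name = next(n for n, c in PRIORITIES.items() if c == pri_code)
    return fac_name, pri_name


# Constructed sample configuration; the separators are real tabs.
SAMPLE_CONF = (
    "# constructed sample\n"
    "*.err;kern.notice;auth.notice\t/dev/sysmsg\n"
    "auth.debug\t@loghost\n"
    "audit.notice\t@loghost\n"
    "*.emerg\t*\n"
)

if __name__ == "__main__":
    # The variants from the original question, then the working form from replies 5 and 9.
    attempts = "auth.*@hostname\nauth.notice @hostname\nauth.*\t@hostname\nauth.debug\t@hostname\n"
    for no, problem in check_syslog_conf(attempts):
        print(f"line {no}: {problem}")
    print(check_syslog_conf(SAMPLE_CONF))
    # Constructed datagram: PRI 109 = 13*8 + 5, i.e. audit.notice on Solaris.
    print(decode_pri("<109>Jul  1 00:00:00 host login: constructed sample"))
```

Run against the three lines from the original question, the linter flags the first two for lacking a <tab> and the third for the priority `*`, and passes `auth.debug<tab>@hostname`; on the receiving side, a datagram with PRI 109 decodes to audit.notice, which is the selector reply 11 arrived at by trial and error.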
                              • 12. Re: Sending syslog to remote server
                                807567
                                Hello,

                                Try auth.debug<tab>@loghost-ip or auth.info<tab>@loghost-ip

                                # cat syslog.conf
                                #ident  "@(#)syslog.conf        1.5     98/12/14 SMI"   /* SunOS 5.0 */
                                #
                                # syslog configuration file.
                                #-----
                                # Solaris 10 - Syslog
                                #-----
                                #
                                *.err;kern.notice;auth.notice                           /dev/sysmsg
                                *.info;kern.debug;mail.none;auth.none;cron.none;local0.none;local1.none;local2.none;local3.none;local4.none;local5.none;local6.none;local7.none;        /var/adm/messages
                                *.debug                                                 @<ip 1>
                                *.debug                                                 @<ip 2>
                                local0.info                                             /var/adm/localmessages.log
                                local1.info                                             /var/adm/localmessages.log
                                local2.info                                             /var/adm/localmessages.log
                                local3.info                                             /var/adm/localmessages.log
                                local4.info                                             /var/adm/localmessages.log
                                local5.info                                             /var/adm/localmessages.log
                                local6.info                                             /var/adm/localmessages.log
                                local7.info                                             /var/adm/localmessages.log
                                auth.info                                               /var/adm/authlog
                                # cron.info                                             /var/adm/cron.log
                                mail.debug                                              /var/adm/mail

                                *.alert;kern.err;daemon.err                             operator
                                *.alert                                                 root
                                *.emerg                                                 *

                                ifdef(`LOGHOST', ,
                                user.err                                                /dev/sysmsg
                                user.err                                                /var/adm/messages
                                user.alert                                              `root, operator'
                                user.emerg                                              *
                                )
                                Edited by: MangoJ on Jul 1, 2009 12:54 AM