
Centralizing log data is a critical practice for system monitoring, security analysis, and troubleshooting. For Solaris 11.4 environments, configuring systems to forward their logs to a dedicated remote syslog server is a fundamental step in building a robust logging infrastructure. This process ensures that logs are stored securely off the source system and are readily available for analysis by SIEM systems or other log management tools.
The primary tool for managing logs on Solaris 11.4 is the syslog service, which is controlled via the Service Management Facility (SMF). The core configuration resides in the /etc/syslog.conf file. To send logs to a remote server, you modify this configuration file to include lines that specify which log messages should be forwarded and where they should be sent.
The syntax for forwarding logs is straightforward. Each line consists of a selector, which names the facility and level of the messages you want to forward, and an action, which names the destination. The destination for remote logging is specified using an @ symbol followed by the hostname or IP address of the remote syslog server. Note that Solaris syslogd expects the selector and action fields to be separated by a tab character rather than spaces, so take care when editing the file by hand. For example, to send all informational messages and above from all facilities to a server at 192.168.1.100, you would add a line like this:
*.info @192.168.1.100
You can be more granular by specifying specific facilities (e.g., mail, auth, daemon) and levels (e.g., debug, info, notice, warning, err, crit, alert, emerg). A level in a selector is a threshold: it matches messages at that severity and all more severe ones, so auth.err covers err, crit, alert and emerg. For instance, to send only authentication errors and above to the same server, the line would be:
auth.err @192.168.1.100
After making changes to the /etc/syslog.conf file, the syslog service needs to be told to load the new configuration. This is done using the SMF command svcadm. The correct command to apply the changes without interrupting the service is:
svcadm refresh syslog
It's also important to ensure that the syslog service is enabled and running. You can check its status with svcs syslog. If it's disabled or offline, you can enable and start it with svcadm enable syslog.
Once the configuration is refreshed, the Solaris system will begin sending logs matching the specified criteria to the remote syslog server. It is crucial to verify on the remote server that the logs are being received correctly; a quick check is to generate a test message on the Solaris host with the logger command (for example, logger -p auth.err "remote syslog test") and confirm that it appears in the remote server's logs. Network firewalls must allow UDP port 514 (the default syslog port) traffic from the Solaris host to the remote server. Bear in mind that plain UDP syslog is neither authenticated nor acknowledged, so messages can be lost or spoofed in transit. For environments requiring higher security or guaranteed delivery, configuring syslog to use TCP or TLS (often on port 6514) should be considered, although this requires additional configuration on both the client and server sides and support from the syslog daemon.
By correctly configuring /etc/syslog.conf and managing the syslog service with svcadm, Solaris 11.4 systems can be seamlessly integrated into a centralized logging infrastructure, significantly enhancing manageability and security posture.
Source: https://kifarunix.com/how-to-configure-syslog-to-send-logs-to-remote-syslog-server-on-solaris-11-4/