
Centralized logging is a cornerstone of effective system administration, security monitoring, and compliance. For systems running Solaris 11.4, leveraging the rsyslog utility provides a robust and flexible way to send critical log data to a remote log server. This practice moves logs off the source machine, significantly enhancing security by making them less susceptible to tampering if a system is compromised.
Configuring rsyslog on Solaris 11.4 for remote dispatch involves a few key steps, primarily focused on editing the main configuration file and ensuring the service is correctly managed by the Service Management Facility (SMF).
The journey begins with verifying the presence and status of the rsyslog service. Solaris 11.4 uses SMF to manage system services, so you need to ensure the rsyslog service is enabled and online. This is typically done with svcadm enable rsyslog.
The heart of the configuration lies within the /etc/rsyslog.conf file. This is where you define which logs to send and where to send them. The file uses a directive-based syntax.
Log messages are filtered using selectors, which consist of a facility (such as auth, mail, or daemon) and a priority level (such as info, warning, or crit). For instance, mail.err selects all mail facility messages with error (err) priority or higher. A common practice for remote logging is to send all messages at or above a certain priority level.
To direct selected logs to a remote server, you specify the destination after the selector. The format depends on the desired transport protocol:
- For UDP (User Datagram Protocol), which is fast but unreliable (messages might be dropped), the format is @hostname_or_IP:port. UDP typically uses port 514. Example: *.* @192.168.1.100:514
- For TCP (Transmission Control Protocol), which is slower but reliable (guarantees delivery), the format is @@hostname_or_IP:port. TCP also commonly uses port 514 or sometimes 10514. Example: *.* @@logserver.mydomain.com:514
Often, you will define multiple rules, sending different types of logs to potentially different destinations or keeping local copies as well. It’s crucial to ensure that your configuration does not create logging loops where messages are sent back to the same server they originated from or forwarded indefinitely between servers.
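As an added example that is not part of the original article, the following Python script parses the legacy selector/destination lines described above from a constructed rsyslog.conf fragment and flags two things a reviewer would check: rules that forward over UDP (messages may be dropped) and rules that forward back to the local host (a logging loop). The hostnames, addresses and the configuration fragment itself are constructed for illustration.

```python
import re

# Constructed sample /etc/rsyslog.conf fragment (not from the original article).
SAMPLE_CONF = """\
# keep a local copy of everything at info or higher
*.info;mail.none        /var/log/messages
# authentication events: reliable TCP to the central collector
auth.*                  @@logserver.mydomain.com:514
# everything at warning or above, over UDP (fast, may drop)
*.warning               @192.168.1.100:514
# BAD: forwards back to this host, creating a loop
*.*                     @@solaris-host.mydomain.com:514
"""

# selector, then @ (UDP) or @@ (TCP), then host and optional :port
FORWARD_RE = re.compile(
    r'^(?P<selector>\S+)\s+(?P<at>@@?)(?P<host>[^\s:]+)(?::(?P<port>\d+))?\s*$')


def parse_forwarding_rules(conf_text):
    """Return the remote-forwarding rules as dicts (selector, transport, host, port)."""
    rules = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith('#'):
            continue
        m = FORWARD_RE.match(line)
        if not m:
            continue  # local file targets and other directives are not forwarding rules
        rules.append({
            'selector': m.group('selector'),
            'transport': 'tcp' if m.group('at') == '@@' else 'udp',
            'host': m.group('host'),
            'port': int(m.group('port') or 514),  # 514 is the conventional syslog port
        })
    return rules


def audit_forwarding(conf_text, local_names):
    """Flag UDP forwarding and rules whose target is one of this host's own names/addresses."""
    findings = []
    local = {n.lower() for n in local_names}
    for r in parse_forwarding_rules(conf_text):
        target = f"{r['host']}:{r['port']}"
        if r['transport'] == 'udp':
            findings.append(f"UDP: '{r['selector']}' -> {target} may silently drop messages")
        if r['host'].lower() in local:
            findings.append(f"LOOP: '{r['selector']}' forwards to this host ({target})")
    return findings


if __name__ == '__main__':
    for finding in audit_forwarding(SAMPLE_CONF, ['solaris-host.mydomain.com', '10.0.0.5']):
        print(finding)
```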
After making changes to /etc/rsyslog.conf, the rsyslog service must be reloaded or restarted for the changes to take effect. With SMF, this is typically done using svcadm restart rsyslog or svcadm refresh rsyslog (depending on the nature of the configuration change and the rsyslog version/integration).
Once the service is restarted, it’s essential to verify that logs are being received on the remote log server. This involves checking the server’s log files or logging management system to confirm messages are arriving from your Solaris 11.4 system.
Implementing centralized logging with rsyslog on Solaris 11.4 provides invaluable benefits. It creates an aggregate view of system activity, simplifies monitoring across multiple servers, aids in faster incident response by having logs readily available, and helps meet various regulatory compliance requirements that mandate log retention and security. Sending logs off-host is a critical security measure to preserve audit trails even if a local system is compromised. By following these steps, you can effectively integrate your Solaris 11.4 systems into your centralized logging infrastructure.
Source: https://kifarunix.com/configure-rsyslog-on-solaris-11-4-to-send-logs-to-remote-log-server/