Configuring Solaris Syslogd for Centralized log Setup


Syslogd is the daemon that continuously reads and forwards system messages to the appropriate log files or users, depending on the priority of a message and the system facility from which it originates. The syslogd daemon reads /etc/syslog.conf to decide how each system message is handled and which log file (or other destination) it is directed to.

The default syslogd configuration logs system messages (warnings, notices, errors) on the same host. But sometimes, for ease of administration and troubleshooting, we might want to configure a single host as a centralized loghost and redirect the logs from the other Solaris machines to that one central host. Configuring such a setup is not difficult, and I will explain it here.


First let’s see how the default syslogd configuration works.

/etc/syslog.conf

As I mentioned earlier, the syslog daemon reads /etc/syslog.conf before processing any system message generated on the Solaris host. The general structure of syslog.conf is a set of selectors (facility.level) and actions. The actions are the destinations to which matching messages are written or displayed; for example, in syslog.conf there may be several selectors being sent to /dev/sysmsg and /var/adm/messages.

A typical entry in syslog.conf looks like this:

user.alert                                          /dev/sysmsg

The left-hand part is the "facility.level" selector and the right-hand part is the log destination. In the entry below, auth.emerg and kern.crit events are logged to the same place (the /logme file):

auth.emerg; kern.crit /logme

Also, the asterisk can be used to designate all facilities or all levels. This is useful when you want to log all events of a certain facility or level to one file, or to do something like this:

*.debug; mail.none /var/debuglog

which will send all debug events to the file /var/debuglog except mail.debug events.

Facilities that can be used in syslog.conf:

  • user – Messages generated by user processes. This is the default priority for messages from programs or facilities not listed in this file.
  • kern – Messages generated by the kernel.
  • mail – The mail system.
  • daemon – System daemons, such as in.ftpd(1M).
  • auth – The authorization system: login, su, getty.
  • lpr – The line printer spooling system: lpr(1B), lpc(1B), among others.
  • news – Designated for the USENET network news system.
  • cron – Designated for cron/at messages generated by systems that do logging through syslog. The current version of the Solaris Operating Environment does not use this facility for logging.
  • audit – Designated for audit messages generated by systems that audit by means of syslog.
  • local0-7 – Designated for local use.
  • mark – For timestamp messages produced internally by syslogd.
  • * – An asterisk indicates all facilities except for the mark facility.

Levels that can be used in syslog.conf:

  • emerg – For panic conditions that would normally be broadcast to all users.
  • alert – For conditions that should be corrected immediately, such as a corrupted system database.
  • crit – For warnings about critical conditions, such as hard device errors.
  • err – For other errors.
  • warning – For warning messages.
  • notice – For conditions that are not error conditions, but may require special handling. A configuration entry with a level value of notice must appear on a separate line.
  • info – Informational messages.
  • debug – For messages that are normally used only when debugging a program.

Restart (refresh) the syslog daemon so that it rereads syslog.conf:

# svcadm refresh svc:/system/system-log:default

Running syslogd in debug mode to troubleshoot logging issues

Stop the SMF instance first, so that the debug instance is the only syslogd running, then start syslogd in the foreground with -d (when you are done, re-enable the service with svcadm enable svc:/system/system-log:default):

# svcadm disable svc:/system/system-log:default

# /usr/sbin/syslogd -d

You will see output similar to the following if your configuration is valid:

getnets() found 1 addresses, they are: 0.0.0.0.2.2
off & running….
init
amiloghost() testing 129.151.30.223.2.2
cfline(*.err;kern.notice;auth.notice;user.none /dev/console)
cfline(*.err;kern.debug;daemon.notice;mail.crit;user.none /var/adm/messages)
cfline(*.alert;kern.err;daemon.err;user.none operator)
cfline(*.alert;user.none root)
cfline(*.emerg;user.none *)
cfline(auth.notice @loghost)
cfline(mail.debug @loghost)
cfline(user.err /dev/console)
cfline(user.err /var/adm/messages)
cfline(user.alert root, operator)
cfline(user.emerg *)
cfline(daemon.notice /dev/console)
cfline(daemon.notice sean)
cfline(daemon.notice @moog)
cfline(daemon.notice /nsr/logs/messages)
cfline(daemon.notice operator)
cfline(local0.notice /nsr/logs/summary)
cfline(local0.alert root, operator)

If you have invalid entries, you will see something like this:

getnets() found 1 addresses, they are: 0.0.0.0.2.2
off & running….
init
amiloghost() testing 129.151.30.223.2.2
cfline(*.err;kern.notice;auth.notice;user.none /dev/console)
cfline(*.err;kern.debug;daemon.notice;mail.crit;user.none /var/adm/messages)
cfline(*.alert;kern.err;daemon.err;user.none operator)
cfline(*.alert;user.none root)
cfline(*.emerg;user.none *)
cfline(auth.notice /var/log/authlog )
syslogd: /var/log/authlog : No such file or directory
logmsg: pri 53, flags 8, from superfreak, msg syslogd: /var/log/authlog : No such file or directory

Further troubleshooting using the logger command

The /usr/bin/logger command can be used for troubleshooting and manual logging. For example, to send a test message with priority daemon.notice, use the syntax:

# logger -p daemon.notice "test"

A tail of /var/adm/messages will show the test message:

# tail /var/adm/messages

Mar 1 17:01:52 persia gurkulsolaris: [ID 702911 daemon.notice] test

Now we will see how to configure the centralized log setup:

All you need to do here is send the syslog messages to a remote host by specifying that host, prefixed with @, in the action field, as shown below:

auth.notice @loghost

or

auth.notice @gurkullogserver

Note: make sure that the hostname resolves to the IP address of the centralized log server. To verify, you can run:

# ping -s loghost

Then make the necessary modifications to the syslog.conf file on the centralized host that receives the logs. Remember that the facility you send to the remote host will be logged according to how the action field for that facility is set up on the remote system. You must restart syslogd for the changes to take effect.

Setting up multiple targets for the same system messages

If you want to send the authentication messages to both the loghost and the local authlog, you can configure multiple targets using either of the formats below (the first uses the m4 ifdef macro, which selects the local file when the host itself is the loghost and the remote target otherwise).

auth.notice                             ifdef(`LOGHOST', /var/log/authlog, @loghost)

Or

auth.notice                            /var/log/authlog
auth.notice                            @loghost
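As an added example (not from the original post), here is a small POSIX sh lint for a syslog.conf that catches the two problems seen above: an action file that does not exist yet, which is what produces the "No such file or directory" line in the debug output, and selector/action fields separated by spaces instead of the tab that Solaris syslogd requires. It also checks facility and level names against the lists earlier in the post and accepts the ifdef() and @loghost action forms; the function name check_syslog_conf is my own.

```shell
#!/bin/sh
# check_syslog_conf FILE  (constructed example, not part of the original post)
# Lints a Solaris-style syslog.conf. Findings: selector and action not separated
# by a TAB, unknown facility or level names, and file actions that do not exist
# yet (syslogd does not create log files; it reports "No such file or directory").
# Prints one line per finding; the return code is the number of findings.
check_syslog_conf() {
    awk '
    BEGIN {
        nf = split("user kern mail daemon auth lpr news cron audit local0 local1 local2 local3 local4 local5 local6 local7 mark *", f, " ")
        for (i = 1; i <= nf; i++) fac[f[i]] = 1
        nl = split("emerg alert crit err warning notice info debug none", l, " ")
        for (i = 1; i <= nl; i++) lvl[l[i]] = 1
        bad = 0
    }
    /^[ \t]*(#|$)/ { next }                          # skip comments and blank lines
    {
        if (index($0, "\t") == 0) {
            printf("line %d: selector and action must be separated by a TAB, not spaces\n", NR)
            bad++; next
        }
        n = split($0, part, "\t+"); sel = part[1]; act = part[n]
        ns = split(sel, spec, ";")                   # selector is facility.level;facility.level
        for (i = 1; i <= ns; i++) {
            gsub(/[ \t]/, "", spec[i])
            if (spec[i] == "") continue
            if (split(spec[i], fl, ".") != 2) {
                printf("line %d: malformed selector \"%s\" (expected facility.level)\n", NR, spec[i]); bad++; continue
            }
            nc = split(fl[1], fa, ",")               # facility may be a comma-separated list
            for (j = 1; j <= nc; j++)
                if (!(fa[j] in fac)) { printf("line %d: unknown facility \"%s\"\n", NR, fa[j]); bad++ }
            if (!(fl[2] in lvl)) { printf("line %d: unknown level \"%s\"\n", NR, fl[2]); bad++ }
        }
        if (act == "") { printf("line %d: selector has no action\n", NR); bad++ }
        else if (act ~ /^ifdef\(/) { }               # m4 macro form, expanded by syslogd at startup
        else if (act ~ /^@/) { }                     # remote loghost: nothing to check offline
        else if (act ~ /^\// && system("test -e \"" act "\"") != 0) {
            printf("line %d: log file %s does not exist; create it (touch) before syslogd starts\n", NR, act); bad++
        }
    }
    END { exit (bad > 255 ? 255 : bad) }
    ' "$1"
}
```

Run it as check_syslog_conf /etc/syslog.conf before refreshing the service; a zero return code means nothing was flagged.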

Troubleshooting syslog issues in a centralized log environment

You can use the same troubleshooting steps mentioned above. In addition, you can use the snoop tool to watch the syslog traffic between your Solaris host and the centralized log server while running a logger command. That will tell you whether the local syslogd is really trying to reach the centralized syslog server or not.

# snoop udp between myserver gurkullogserver
Using device /dev/hme (promiscuous mode)
myserver  -> gurkullogserver SYSLOG C port=35725 <37>May 1 10:42:33
myserver  -> gurkullogserver SYSLOG C port=35725 <34>May 1 10:45:12


Ok. That’s it for the post.


Ramdev


I started unixadminschool.com (aka gurkulindia.com) in 2009 as my own personal reference blog, and later I realized that my learnings might be helpful for other unix admins if I manage my knowledge base in a more user-friendly format. The result is today's unixadminschool.com. You can connect with me at https://www.linkedin.com/in/unixadminschool/

4 Responses

  1. Arun says:

    If we give @loghost, how will it get logged on the remote server? In which location would it update the logs?

    Please clarify.

  2. Okieh says:

    How about configuring standard Solaris syslog to send towards a different remote port?
