Configure Rsyslog on Solaris 11.4 to Send Logs to Remote Log Server


In this guide, we are going to learn how to configure rsyslog on Solaris 11.4 to send logs to remote log server.

Configuring Rsyslog on Solaris 11.4 to Send logs to Remote Log Server

Solaris 11.4 uses Native Syslog by Default

By default, Solaris 11.4 uses the native syslog as its log manager. You can verify this by running the command below:

svcs system-log
STATE          STIME    FMRI
disabled       22:20:47 svc:/system/system-log:rsyslog
online         19:23:06 svc:/system/system-log:default

As you can see, the native syslog log manager (system-log:default) is online, while the rsyslog instance is disabled.

If you are using the native syslog instead, see our guide on configuring syslog on Solaris 11.4 for remote logging:

Configure Syslog on Solaris 11.4 for Remote Logging

You might also want to check our article on configuring remote logging with rsyslog on Ubuntu 18.04.

Install Rsyslog on Solaris 11.4

To configure rsyslog on Solaris 11.4, first check whether the rsyslog package is installed:

pkg info system/rsyslog
           Name: system/rsyslog
        Summary: reliable and extended syslogd
    Description: Rsyslog is a reliable and extended syslog daemon implementation
                 with a modular design, supporting many features (e.g.,
                 filtering, TCP, encryption, high-precision time-stamps, output
                 control).
       Category: System/Administration and Configuration
          State: Installed
      Publisher: solaris
        Version: 8.15.0
         Branch: 11.4.0.0.1.14.0
 Packaging Date: August 14, 2018 at  5:28:45 PM
           Size: 6.72 MB
           FMRI: pkg://solaris/system/rsyslog@8.15.0,5.11-11.4.0.0.1.14.0:20180814T172845Z
    Project URL: http://www.rsyslog.com/
     Source URL: http://www.rsyslog.com/files/download/rsyslog/rsyslog-8.15.0.tar.gz
Project Contact: Rainer Gerhards

In my case, rsyslog is already installed. If it is not installed on your system, run the command below to install it:

pkg install system/rsyslog

Disable Native Syslog on Solaris 11.4

Check the status of the system-log services:

svcs system-log
STATE          STIME    FMRI
disabled       15:46:54 svc:/system/system-log:rsyslog
online         15:47:10 svc:/system/system-log:default

As you can see, the native syslog service is online. Disable it so that rsyslog can take over:

svcadm disable system/system-log:default

Enable Rsyslog on Solaris 11.4

Next, enable rsyslog and refresh its configuration:

svcadm enable system/system-log:rsyslog
svcadm refresh system/system-log:rsyslog

Check the status to confirm that rsyslog is active:

svcs -p rsyslog
STATE          STIME    FMRI
online         16:06:20 svc:/system/system-log:rsyslog
               16:06:20      1226 rsyslogd

Configure Rsyslog to Send Logs to Remote Server on Solaris 11.4

Proceed to configure Rsyslog on Solaris 11.4 to send logs of a specific facility and priority to the remote central log management server.

The main configuration file for Rsyslog is /etc/rsyslog.conf.

For demonstration purposes, we are going to configure Rsyslog on Solaris 11.4 to send all messages at priority info or higher, from any facility (the *.info selector), to the remote log management server. The logs will be sent over UDP, port 514. You can however use TCP as long as the remote log server is configured to receive logs over TCP.

Verify Connection to Remote Rsyslog Log Server

Before you proceed, verify that the Solaris 11.4 server can communicate with the remote log management server over UDP port 514. You can use the netcat (nc) command to do this.

On the remote log manager, set netcat to listen on UDP port 514, while on the Solaris 11.4 server, set netcat to connect to the remote log manager on UDP port 514. Netcat defaults to TCP, so the -u flag is needed on both ends to exercise the same path rsyslog will use.

On the remote log server, run:

nc -u -l 514

On the Solaris 11.4 server, run (replace remote_server_IP with the log server IP):

nc -u remote_server_IP 514

Press Enter on both sides.

Type anything on the Solaris 11.4 end and you should be able to see whatever you type on the remote shell.

Otherwise, fix the connection!

Configure Rsyslog to Send Logs to Remote Server on Solaris 11.4

After that, proceed to configure Rsyslog on Solaris 11.4 server.

vim /etc/rsyslog.conf

As already mentioned, we are sending only information logs!

...
# Remote Logging (we use TCP for reliable delivery)
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/spool/rsyslog      # where to place spool files
#$ActionQueueFileName uniqName  # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g    # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on  # save messages to disk on shutdown
#$ActionQueueType LinkedList    # run asynchronously
#$ActionResumeRetryCount -1     # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
*.info  @192.168.43.85:514    # Send Logs over UDP port 514
...

Restart Rsyslog Service

Restart Rsyslog to apply the changes:

svcadm restart system/system-log:rsyslog

Test Remote Logging on Solaris 11.4

Perform a log test using the logger command.

Before running the test, start tcpdump on the remote log server so you can confirm that the logs are received:

tcpdump -i any -nn -vv udp port 514 and host 192.168.43.181

Where 192.168.43.181 is the IP of the Solaris server sending logs to remote log server.

On the Solaris 11.4 server, generate a test log message using the logger command:

logger -p local7.info "Hello remote log server, I am Solaris 11.4, can you see my logs?"

If everything is okay, you should see the message in the tcpdump output on the remote server:

tcpdump: data link type LINUX_SLL2
tcpdump: listening on any, link-type LINUX_SLL2 (Linux cooked v2), snapshot length 262144 bytes
11:21:17.032859 enp0s8 In  IP (tos 0x0, ttl 255, id 5552, offset 0, flags [none], proto UDP (17), length 156)
    192.168.43.181.61989 > 192.168.43.85.514: [udp sum ok] SYSLOG, length: 128
	Facility local7 (23), Severity info (6)
	Msg: Jan 13 16:21:15 solaris kifarunix: [ID 702911 local7.info] Hello remote log server, I am Solaris 11.4, can you see my logs? 
	0x0000:  3c31 3930 3e4a 616e 2031 3320 3136 3a32
	0x0010:  313a 3135 2073 6f6c 6172 6973 206b 6966
	0x0020:  6172 756e 6978 3a20 5b49 4420 3730 3239
	0x0030:  3131 206c 6f63 616c 372e 696e 666f 5d20
	0x0040:  4865 6c6c 6f20 7265 6d6f 7465 206c 6f67
	0x0050:  2073 6572 7665 722c 2049 2061 6d20 536f
	0x0060:  6c61 7269 7320 3131 2e34 2c20 6361 6e20
	0x0070:  796f 7520 7365 6520 6d79 206c 6f67 733f

If you configured your remote log server to write logs to separate files based on the source IP, you can tail the respective source's log file to see the actual message. For example, we configured our log server to save remote system logs to /var/log/remotelogs/<from-ip>.log files.

tail -f /var/log/remotelogs/192.168.43.181.log 
2024-01-13T16:17:37-05:00 solaris rsyslogd: [origin software="rsyslogd" swVersion="8.15.0" x-pid="1252" x-info="http://www.rsyslog.com"] start
2024-01-13T16:21:15-05:00 solaris kifarunix: [ID 702911 local7.info] Hello remote log server, I am Solaris 11.4, can you see my logs?

As a side note, you can also send the contents of an existing file, line by line, using the logger command:

logger -f /var/log/test.log -p auth.info

koromicha
I am the Co-founder of Kifarunix.com, Linux and the whole FOSS enthusiast, Linux System Admin and a Blue Teamer who loves to share technological tips and hacks with others as a way of sharing knowledge as: "In vain have you acquired knowledge if you have not imparted it to others".
