Configure Rsyslog on Solaris 11.4 to Send logs to Remote Log Server


In this guide, we are going to learn how to configure rsyslog on Solaris 11.4 to send logs to a remote log server. By default, Solaris 11.4 uses the native syslog as its log manager. You can verify this by running the command below;

svcs system-log
STATE          STIME    FMRI
disabled       22:20:47 svc:/system/system-log:rsyslog
online         19:23:06 svc:/system/system-log:default

As you can see, the native syslog log manager is online and rsyslog is disabled.

But wait, are you using the native syslog instead? Check our link below on configuring syslog on Solaris 11.4.

You might as well want to check our article on configuring remote logging with rsyslog on Ubuntu 18.04 by following the link below;

In order to configure rsyslog on Solaris 11.4, first check whether the package is installed.

pkg info system/rsyslog
           Name: system/rsyslog
        Summary: reliable and extended syslogd
    Description: Rsyslog is a reliable and extended syslog daemon implementation
                 with a modular design, supporting many features (e.g.,
                 filtering, TCP, encryption, high-precision time-stamps, output
                 control).
       Category: System/Administration and Configuration
          State: Installed
      Publisher: solaris
        Version: 8.15.0
         Branch: 11.4.0.0.1.14.0
 Packaging Date: August 14, 2018 at  5:28:45 PM
           Size: 6.72 MB
           FMRI: pkg://solaris/system/[email protected]:20180814T172845Z
    Project URL: http://www.rsyslog.com/
     Source URL: http://www.rsyslog.com/files/download/rsyslog/rsyslog-8.15.0.tar.gz
Project Contact: Rainer Gerhards

Well, in my case rsyslog is installed already. If however it is not installed already, you can run the command below to install it.

pkg install system/rsyslog

If it is installed but, as seen in the output of the svcs system-log command above, disabled, you need to enable it. Before that, disable the native syslog so that the two daemons do not compete for the same log socket.

svcadm disable system/system-log:default

Next, enable rsyslog and refresh it.

svcadm enable system/system-log:rsyslog
svcadm refresh system/system-log:rsyslog

Check the service status to confirm that it is online and that the rsyslogd process is running.

svcs -p rsyslog
STATE          STIME    FMRI
online         19:53:32 svc:/system/system-log:rsyslog
               19:51:26      1592 rsyslogd

Proceed to configure Rsyslog on Solaris 11.4 to send logs of specific facility and priority to the remote central log management server. The main configuration file for Rsyslog is /etc/rsyslog.conf.

For demonstration purposes, we are going to configure Rsyslog on Solaris 11.4 to send all information logs created by any facility to the remote log management server. The logs will be sent over UDP protocol, port 514. You can however use TCP as long as the remote log server is configured to receive logs over TCP protocol.

Before you proceed, verify that the Solaris 11.4 server can communicate with the remote log management server over UDP port 514. You can use the netcat (nc) command to verify this.

On the Remote log manager, set netcat to listen on port 514 while on the Solaris 11.4 server, set netcat to connect to the remote log manager port 514.

nc -u -l 514                 # Remote Log Server: listen on UDP port 514 (-u; without it netcat tests TCP)
nc -u remote_server_IP 514   # Solaris 11.4: connect to the remote log manager over UDP port 514

Press Enter on both sides. Type anything on the Solaris 11.4 end and you should see whatever you type appear in the remote shell. If nothing arrives, check firewalls on both hosts and on the path between them before touching the rsyslog configuration.

After that, proceed to configure Rsyslog on Solaris 11.4 server.

vim /etc/rsyslog.conf
...
# Remote Logging (we use TCP for reliable delivery)
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/spool/rsyslog      # where to place spool files
#$ActionQueueFileName uniqName  # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g    # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on  # save messages to disk on shutdown
#$ActionQueueType LinkedList    # run asynchronously
#$ActionResumeRetryCount -1     # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
*.info  @192.168.43.85:514    # Send Logs over UDP port 514
...
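As an added example (not part of the original guide), the forwarding action above in its weak form beside a hardened form assembled from the template lines that ship commented out in /etc/rsyslog.conf. The collector address is the guide's; the spool directory is assumed to exist and be writable by rsyslogd, and the queue name is a constructed placeholder.

```conf
# Weak form, as used in the guide: plain UDP, no queue, no retry.
# If the collector is unreachable, every message is silently dropped,
# and UDP delivery is neither acknowledged nor ordered.
# *.info  @192.168.43.85:514

# Hardened form: TCP (double @) plus a disk-assisted queue, so messages
# are spooled locally during an outage or reboot and flushed afterwards.
# The $ActionQueue* directives apply only to the action that follows them.
$WorkDirectory /var/spool/rsyslog          # spool directory (assumed to exist)
$ActionQueueType LinkedList                # asynchronous, in-memory first
$ActionQueueFileName fwd_collector         # constructed spool file prefix
$ActionQueueMaxDiskSpace 1g                # cap on-disk spool at 1 GB
$ActionQueueSaveOnShutdown on              # persist unsent messages on stop
$ActionResumeRetryCount -1                 # retry forever while host is down
*.info  @@192.168.43.85:514
```

After switching to TCP, repeat the netcat check without -u so that the collector's TCP listener is what gets tested.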

Restart Rsyslog to effect the changes.

svcadm restart system/system-log:rsyslog

Perform a log test using the logger command. Before you execute the test, run the tcpdump command on the remote log server so you can confirm reception of the logs.

logger -p local7.info "Hello remote log server, can you receive it?"

As you can see from the tcpdump output, the log has been received.

tcpdump -i enp0s3 src 192.168.43.181 and port 514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
20:34:57.994348 IP 192.168.43.181.47417 > u18svr.syslog: SYSLOG local7.info, length: 103
^C
1 packet captured
1 packet received by filter
0 packets dropped by kernel

If you configured your remote log manager server to save logs based on the source IP, you can tail the respective source log file to see the actual message. For example:

tail -f /var/log/remotelogs/192.168.43.181.log
2019-02-14T20:39:00+00:00 solaris root: [ID 702911 local7.info] Hello remote log server, can you receive it?

You can even send the contents of a file as log messages using the logger command, one line per message.

logger -f /var/log/test.log -p auth.info

Well, that is how easy it is to configure rsyslog on Solaris 11.4 to send logs to a remote log server. We hope this guide was informative. Enjoy.
