In this guide, we are going to learn how to configure rsyslog on Solaris 11.4 to send logs to a remote log server. By default, Solaris 11.4 uses the native syslog as the default log manager. You can verify this by running the command below:
svcs system-log
STATE          STIME    FMRI
disabled       22:20:47 svc:/system/system-log:rsyslog
online         19:23:06 svc:/system/system-log:default
As you can see, the native syslog log manager is online.
But wait, are you using the native syslog instead? Check our link below on configuring syslog on Solaris 11.4.
You might also want to check our articles on configuring remote logging with rsyslog on Ubuntu 18.04 by following the links below:
- How to Configure Remote Logging with Rsyslog on Ubuntu 18.04
- Configure NXLog to Forward System Logs to Rsyslog Server on Ubuntu 18.04
In order to configure rsyslog on Solaris 11.4, you need to check if the package is installed.
pkg info system/rsyslog
Name: system/rsyslog
Summary: reliable and extended syslogd
Description: Rsyslog is a reliable and extended syslog daemon implementation with a modular design, supporting many features (e.g., filtering, TCP, encryption, high-precision time-stamps, output control).
Category: System/Administration and Configuration
State: Installed
Publisher: solaris
Version: 8.15.0
Branch: 11.4.0.0.1.14.0
Packaging Date: August 14, 2018 at 5:28:45 PM
Size: 6.72 MB
FMRI: pkg://solaris/system/[email protected]:20180814T172845Z
Project URL: http://www.rsyslog.com/
Source URL: http://www.rsyslog.com/files/download/rsyslog/rsyslog-8.15.0.tar.gz
Project Contact: Rainer Gerhards
Well, in my case rsyslog is already installed. If it is not installed, you can run the command below to install it.
pkg install system/rsyslog
If it is installed but, as seen in the output of the svcs system-log command, it is disabled, you need to enable it. But before that, disable the native syslog.
svcadm disable system/system-log:default
Next, enable rsyslog and refresh it.
svcadm enable system/system-log:rsyslog
svcadm refresh system/system-log:rsyslog
Check the status to confirm that it is active.
svcs -p rsyslog
STATE          STIME    FMRI
online         19:53:32 svc:/system/system-log:rsyslog
               19:51:26     1592 rsyslogd
Proceed to configure Rsyslog on Solaris 11.4 to send logs of a specific facility and priority to the remote central log management server. The main configuration file for Rsyslog is /etc/rsyslog.conf.
For demonstration purposes, we are going to configure Rsyslog on Solaris 11.4 to send all messages of priority info (and higher) from any facility to the remote log management server. The logs will be sent over UDP, port 514. You can, however, use TCP (the @@ prefix in the configuration file instead of @) as long as the remote log server is configured to receive logs over TCP.
Before you proceed, verify that the Solaris 11.4 server can communicate with the remote log management server over UDP port 514. You can use the netcat (nc) command to verify this.
On the remote log manager, set netcat to listen on UDP port 514, while on the Solaris 11.4 server, set netcat to connect to the remote log manager on UDP port 514. The -u option selects UDP; without it, nc tests TCP instead.
nc -u -l 514 # Remote Log Server
nc -u remote_server_IP 514 # Solaris 11.4
Press Enter on both sides. Type anything on the Solaris 11.4 end and you should be able to see whatever you type on the remote shell.
After that, proceed to configure Rsyslog on Solaris 11.4 server.
vim /etc/rsyslog.conf
...
# Remote Logging (we use TCP for reliable delivery)
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/spool/rsyslog # where to place spool files
#$ActionQueueFileName uniqName # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
*.info @192.168.43.85:514 # Send Logs over UDP port 514
...
Restart Rsyslog to effect the changes.
svcadm restart system/system-log:rsyslog
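To confirm which forwarding rules are actually active, and whether each one uses UDP (@) or TCP (@@) backed by the on-disk queue described in the configuration comments, the file can be audited with a short script. This is an added example, not part of the original guide; the function names and the two sample configurations are constructed from the directives and address shown above.

```shell
#!/bin/sh
# Added example: classify active legacy-format forwarding rules in rsyslog.conf.
# Reads config on stdin; prints "<selector> <udp|tcp> <host:port> queue=<state>".
audit_forwarding() {
    awk '
        /^[ \t]*#/ || NF == 0 { next }              # comments and blank lines
        { d = tolower($1) }                         # directives are case-insensitive
        d == "$actionqueuefilename" { qfile = 1; next }
        d == "$actionqueuetype"     { qtype = tolower($2); next }
        substr(d, 1, 1) == "$"      { next }        # any other legacy directive
        $2 ~ /^@/ {                                 # "@host" = UDP, "@@host" = TCP
            proto = ($2 ~ /^@@/) ? "tcp" : "udp"
            target = $2; sub(/^@+/, "", target)
            if (target !~ /:[0-9]+$/) target = target ":514"   # port is optional
            q = "none"
            if (qfile && (qtype == "linkedlist" || qtype == "fixedarray")) q = "disk-assisted"
            printf "%s %s %s queue=%s\n", $1, proto, target, q
            qfile = 0; qtype = ""    # legacy $Action* settings cover one action only
        }
    '
}

# Constructed sample 1: the UDP rule from this guide (commented rule must be ignored).
sample_udp_conf() {
cat <<'EOF'
#*.* @@remote-host:514
*.info @192.168.43.85:514 # Send Logs over UDP port 514
EOF
}

# Constructed sample 2: the same rule over TCP with the spool directives uncommented.
sample_tcp_conf() {
cat <<'EOF'
$WorkDirectory /var/spool/rsyslog
$ActionQueueFileName uniqName
$ActionQueueMaxDiskSpace 1g
$ActionQueueSaveOnShutdown on
$ActionQueueType LinkedList
$ActionResumeRetryCount -1
*.info @@192.168.43.85:514
EOF
}

sample_udp_conf | audit_forwarding
sample_tcp_conf | audit_forwarding
```

On a live system, run `audit_forwarding < /etc/rsyslog.conf`. Only the legacy selector/action syntax used in this guide is recognised.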
Perform a log test using the logger command. Before you run the test, run the tcpdump command on the remote log server to confirm the reception of the logs.
logger -p local7.info "Hello remote log server, can you receive it?"
As you can see from the tcpdump output, the log has been received.
tcpdump -i enp0s3 src 192.168.43.181 and port 514
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
20:34:57.994348 IP 192.168.43.181.47417 > u18svr.syslog: SYSLOG local7.info, length: 103
^C
1 packet captured
1 packet received by filter
0 packets dropped by kernel
If you configured your remote log manager server to save logs based on the source IP, you can tail the respective source's log file to see the actual message. For example:
tail -f /var/log/remotelogs/192.168.43.181.log
2019-02-14T20:39:00+00:00 solaris root: [ID 702911 local7.info] Hello remote log server, can you receive it?
You can even send logs in a file using the logger command.
logger -f /var/log/test.log -p auth.info
Well, that is how easy it is to configure rsyslog on Solaris 11.4 to send logs to a remote log server. We hope this guide was informative. Enjoy.