Configure Syslog on Solaris 11.4 for Remote Logging

Last Updated:

This guide presents a simple way of how to configure Syslog on Solaris 11.4 send logs to remote syslog server.

Configuring Syslog on Solaris 11.4 for Remote Logging

Enable Syslog on Solaris 11.4

Syslog is the native log manager on Solaris 11.4. It should be enabled by default.

Before you can proceed to configure syslog on Solaris 11.4, first check if it is enabled.

svcs system-log
STATE          STIME    FMRI
disabled        2:07:53 svc:/system/system-log:rsyslog
online         23:08:50 svc:/system/system-log:default

As per the above output, the native syslog is enabled.

Configuring Syslog Remote Logging on Solaris 11.4

Therefore, you need to configure Syslog and define the log messages to be forwarded to the central log server. This can be done by defining the facility and priority of the logs.

The facility defines the type of program that is logging the message for example the kernel, mail system, security processes, syslog, system daemons etc. The defined facilities are auth (or security), authpriv, cron, daemon, ftp, kern, lpr, mail, mark, news, syslog, user, uucp, and local0-local7.

The priority on the other hand defines the severity level of the message. The possible priorities arranged in the  decreasing order of urgency include emerg (or panic (0)), alert (1), crit (2), err (or error(3)), warning (or warn (4)), notice (5), info (6), debug (7).

Thus in this guide, we are going to send all the informational messages to the remote server. Hence, edit the syslog configuration file, /etc/syslog.conf and add the line below.

vim /etc/syslog.conf
# This file is processed by m4 so be careful to quote (`') names
# that match m4 reserved words.  Also, within ifdef's, arguments
# containing commas must be quoted.
*.err;kern.notice;auth.notice                   /dev/sysmsg
*.err;kern.debug;daemon.notice;auth.none;mail.crit      /var/adm/messages

*.alert;kern.err;daemon.err                     operator
*.alert                                         root

*.emerg                                         *
# Forward informational Messages
*.info  @remotehost   # Use a tab instead of spaces.

Ensure that you are using tabs instead of spaces; *.info<tab>@remotehost

Save the configuration file and restart syslog.

svcadm restart system-log:default

Verify Connection to Remote Log Server

Next, verify that Solaris 11.4 server can communicate to the remote syslog server UDP port 514. This can be done using netcat command. Hence, on the remote server, run the netcat to listen on  command as shown below;

nc -l 514

On Solaris 11.4, run netcat as shown below;

netcat 514

Type anything at the prompt and you should be able to see the same on remote host.

How to Send Logs to Remote Central Log Server on Solaris 11.4

Configure Remote Log Server Logs Directory

On the remote central syslog server, configure it such that it saves the received logs to specific directory with IP/hostname as the identifier of the source of logs. See example below;

# provides UDP syslog reception
input(type="imudp" port="514")

# provides TCP syslog reception
#input(type="imtcp" port="514")
#Custom template to generate the log filename dynamically based on the client's IP address.
$template RemInputLogs, "/var/log/remotelogs/%FROMHOST-IP%.log"
*.* ?RemInputLogs

Verify Log Reception on Remote Log Server

Next, try to initiate an ssh authentication to Solaris 11.4 server. At the same time, run tcpdump command on the syslog server to verify that the logs are actually sent from Solaris 11.4 server.

tcpdump -i enp0s3 src solaris_server_IP and port 514

In the tcpdump output below, you can see two authentication messages since I tried both failed and successful authentication on Solaris 11.4 server.

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on enp0s3, link-type EN10MB (Ethernet), capture size 262144 bytes
21:17:34.926331 IP > u18svr.syslog: SYSLOG auth.error, length: 117
21:17:48.962226 IP > u18svr.syslog: SYSLOG, length: 132

At the same time, you can check the log file on the remote server as define in the configuration file above.

tail /var/log/remotelogs/ 
2024-01-13T00:06:19+00:00 /usr/sbin/dhcpagent[497]: [ID 538334] configure_v4_timers: net0 acquired lease, expires Thu Feb 14 01:06:19 2024
2024-01-13T00:06:19+00:00 /usr/sbin/dhcpagent[497]: [ID 759141] configure_v4_timers: net0 begins renewal at Thu Feb 14 00:32:46 2024
2024-01-13T00:06:19+00:00 /usr/sbin/dhcpagent[497]: [ID 480545] configure_v4_timers: net0 begins rebinding at Thu Feb 14 00:55:16 2024
2024-01-13T00:17:35+00:00 sshd[1711]: [ID 800047 auth.error] error: PAM: Authentication failed for root from
2024-01-13T00:17:49+00:00 sshd[1711]: [ID 800047] Accepted keyboard-interactive/pam for root from port 40300 ssh2

Beautiful, that is how easy it is to configure Syslog to send logs to remote syslog server on Solaris 11.4.

You can also use Rsyslog instead of Syslog. Check how to Configure Rsyslog on Solaris 11.4.


We're passionate about sharing our knowledge and experiences with you through our blog. If you appreciate our efforts, consider buying us a virtual coffee. Your support keeps us motivated and enables us to continually improve, ensuring that we can provide you with the best content possible. Thank you for being a coffee-fueled champion of our work!

Photo of author
I am the Co-founder of, Linux and the whole FOSS enthusiast, Linux System Admin and a Blue Teamer who loves to share technological tips and hacks with others as a way of sharing knowledge as: "In vain have you acquired knowledge if you have not imparted it to others".

2 thoughts on “Configure Syslog on Solaris 11.4 for Remote Logging”

Leave a Comment