...
Log into the Solaris system you want to monitor.
Launch a terminal and open the syslog configuration file for editing with the command below.
sudo vi /etc/syslog.conf
Add a forwarding rule for the EventTracker Agent, entering its address in place of <EventTracker IP>. Solaris syslogd requires a tab, not spaces, between the selector and the action, or the rule is silently ignored.
Save and quit.
Run the following command to select the audit classes to record (fd, fc, fm: file delete, create and attribute modification; lo: login/logout; ex: exec).
sudo /usr/sbin/auditconfig -setflags fd,fc,fm,lo,ex
Use the command below to restart the syslog service so it reads the new configuration.
svcadm restart system/system-log:default
Audit logging must also be enabled, which is done with the steps below. First assume the Primary Administrator role, or become superuser.
Save a backup copy of the audit_control file.
cp /etc/security/audit_control /etc/security/audit_control.save
Add an audit_syslog.so plugin entry to audit_control. The p_flags value selects which audit classes (a subset of the flags and naflags lines) are sent to syslog; the value shown is an example that forwards failures only, adjust it to your needs. After the edit the file should contain:
audit_control file
flags:lo,ss
naflags:lo,na
plugin:name=audit_binfile.so; p_dir=/var/audit; p_minfree=20;
plugin:name=audit_syslog.so; p_flags=-lo,-na,-ss
Add an audit.notice entry to /etc/syslog.conf, again separating the selector from the file path with a tab. The new rule, as shown by cat, should look like this:
cat /etc/syslog.conf
audit.notice /var/adm/auditlog
Create the log file.
touch /var/adm/auditlog
Refresh the configuration information for the syslog service.
svcadm restart system/system-log:default
Note: Enabling audit logs produces a large volume of log data, which can impact system performance and disk usage.
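Because a space instead of a tab in syslog.conf disables a rule without any error, it is worth checking the file before restarting system/system-log. The following script is an added example, not part of the original guide or of EventTracker's tooling: it lints a syslog.conf-style file for missing tabs and confirms that both an audit.notice rule and a remote @host forwarding rule are present. The two sample files and the collector address 192.0.2.10 are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original guide: lint a Solaris-style syslog.conf
# before restarting system/system-log. Solaris syslogd needs a TAB between the
# selector and the action; a space makes the rule silently ignored.
# Returns 0 when every rule has a tab and the file contains both an
# audit.notice rule and a remote-forwarding (@host) rule, 1 otherwise.
check_syslog_conf() {
    conf="$1"; rc=0; ln=0; have_audit=0; have_remote=0
    tab="$(printf '\t')"
    while IFS= read -r line || [ -n "$line" ]; do
        ln=$((ln + 1))
        case "$line" in
            ''|'#'*|'ifdef('*|')'*) continue ;;   # blank, comment or m4 wrapper line
        esac
        case "$line" in
            *"$tab"*) ;;
            *) echo "line $ln: no TAB between selector and action: $line"
               rc=1; continue ;;
        esac
        selector=${line%%"$tab"*}   # text before the first tab
        action=${line##*"$tab"}     # text after the last tab
        case "$selector" in audit.notice*) have_audit=1 ;; esac
        case "$action" in *@*) have_remote=1 ;; esac   # @host, or ifdef(..., @loghost)
    done < "$conf"
    [ "$have_audit" -eq 1 ] || { echo "no audit.notice rule found"; rc=1; }
    [ "$have_remote" -eq 1 ] || { echo "no remote @host forwarding rule found"; rc=1; }
    return $rc
}

# Demo on two constructed files; 192.0.2.10 stands in for the collector address.
demo_dir="$(mktemp -d)"
printf 'audit.notice\t/var/adm/auditlog\n*.notice\t@192.0.2.10\n' > "$demo_dir/good.conf"
printf 'audit.notice /var/adm/auditlog\n*.notice\t/var/adm/messages\n' > "$demo_dir/bad.conf"
for f in good bad; do
    if check_syslog_conf "$demo_dir/$f.conf"; then
        echo "$f.conf: OK"
    else
        echo "$f.conf: fix before restarting system-log"
    fi
done
rm -rf "$demo_dir"
```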
Verify
On the source system, test if messages are being sent to the remote log host with the logger command:
# logger -p daemon.warn "this is a test"
Then check the /var/adm/messages file on the remote loghost for the test message:
# tail /var/adm/messages