Versions Compared

Old Version 11

changes.mady.by.user Customer Success & Engineering (Unlicensed)

Saved on

compared with

New Version Current

changes.mady.by.user Customer Success & Engineering (Unlicensed)

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

...

Table of Contents
minLevel

...

Prerequisites

...

Configuring Solaris to forward logs to EventTracker - Seceon CCE

...

1
maxLevel7

Overview

Solaris is an operating system based on Unix that was developed in 1992 by Sun Microsystems. EventTracker integrates with Solaris via Syslog . It monitors events to provide insight to monitor events and provide insights on security and compliance events -related activities such as login, logout, login-failed events, the command executed, and privilege escalation.This guide helps you in provides detailed procedures for configuring Solaris and EventTracker to receive Solari’s Solaris events . You will find the detailed procedures required for monitoring Solaris. The configurations detailed and monitor them effectively.The configurations outlined in this guide are consistent designed for use with Seceon CCE and Solaris, ensuring consistency and reliability.Solaris users , who wish want to forward Events events to EventTracker and monitor events using EventTrackerthem using this tool can benefit from the information provided in this guide.

Prerequisites

  1. To use Seceon CCE

...

  1. , it must be installed on your system.

...

  1. In order for Syslog to function properly and transmit data, UDP Port 514

...

  1. should be allowed through the firewall.

...

To configure Solaris to forward logs to EventTracker - Seceon CCE, follow these steps:

  1. Log into the Solaris system you want to monitor.

  2. Launch the terminal and run the

...

  1. following command

...

  1. :

sudo vi /etc/rsyslog.conf

To configure Solaris to forward logs to EventTracker - Seceon CCE, follow these steps:

  1. Enter the

...

  1. CCE IP address in place of <EventTracker IP> in the appropriate configuration file.

  2. Save and

...

  1. exit the file.

  2. Run the following command

...

  1. :

sudo /usr/sbin/auditconfig -setflags fd,fc,fm,lo,ex

...

To complete the configuration of Solaris to forward logs to EventTracker - Seceon CCE, follow these additional steps:

Restart the syslog service using the following command:

svcadm restart system/system-log:default

  • In addition to this, Enable audit logs should also be enabled, which can be done by following the below these steps:

    a. Assume the Primary Administrator role, or become a superuser.

    b. Save a backup copy of the audit_control file

    .

    :

    cp /etc/security/audit_control /etc/security/audit_control.save

    c. Add an audit_syslog.so plugin entry

    in

    to audit_control

    . audit

    :

    Code Block
    makefileCopy codeaudit_control file
    
flags:lo,ss
    
naflags:lo,na
    
plugin:name=audit_
    binfile
    syslog.so;p_
    dir=/var/audit; p_
    minfree=20;

  • After completing the previous steps, follow these additional steps to ensure that audit logs are properly forwarded to EventTracker - Seceon CCE:

    • Add an audit.notice entry to the syslog.conf file, which should look like

    as below

    • cat /etc/syslog.confthe following:

      audit.notice /var/adm/auditlog

    • Create the log file

    .

    • using the following command:

      touch /var/adm/auditlog

    • Refresh the configuration information for the syslog service

    .

    • using the following command:

      svcadm restart system/system-log:default

    Note: Enabling

...

  • audit logs

...

  • may result in a

...

  • large amount of

...

  • log data, which can impact system performance.

...

Varification

On the source system, test if messages are being sent to the remote log host with the logger command:# logger

Code Block
cCopy code# logger -p daemon.warn "this is a test"

then Then check the /var/adm/messages file on the remote loghost for the test message:# tail

Code Block
shellCopy code# tail /var/adm/messages

These commands can be used to verify that the logging system is properly configured and that log messages are being forwarded from the source system to the remote log host.