What is Syslog?

Syslog is a protocol and utility for capturing and logging system information. This system information can be stored locally, remotely, or both. syslog allows a server to forward log messages over the network to SL1. SL1 then uses these messages to monitor the health of the server and trigger events (if necessary).

Because the syslog utility is mature and widely-used, there is an array of commercial and open source implementations. This section provides only a basic outline of how to configure syslog to send messages to SL1.

Entries in a syslog can include the following severity levels:

| Severity        | Description |
| --------------- | ----------- |
| 0 Emergency     | System is unusable. A "panic" condition. Notify all technical staff. Affects multiple servers, applications, systems, or sites. For example, an outage caused by an earthquake. |
| 1 Alert         | Failure in primary system. Immediate action is required. Notify appropriate staff. Example would be "loss of backup ISP connection". |
| 2 Critical      | Failure in primary system. Immediate action is required before problem escalates to "alert". For example, "loss of primary ISP connection". |
| 3 Error         | Non-urgent failure. Action is required but not urgent. These messages should be relayed to appropriate support staff for resolution. |
| 4 Warning       | Indication that an error is about to occur. Action is required but not immediately. For example, "file system is 85% full". |
| 5 Notice        | Normal but significant condition. No immediate action required. Events that are unusual but are not considered error conditions. Should be examined to spot potential problems. |
| 6 Informational | Normal operational messages. No action required. These may be harvested for reporting, measuring throughput, etc. |
| 7 Debug         | Information that is useful to developers for debugging the application; not useful during operations. |

To configure your Solaris 10 server to send syslogs to CCE, you must edit the file /etc/syslog.conf.

  1. Before editing the /etc/syslog.conf file, ensure that syslog is enabled. To do this, open a shell session, log in as root, and enter the following at the command prompt:

svcs system-log

  2. Back up the existing /etc/syslog.conf file. To do this, open a shell session, log in as root, and enter the following at the command prompt:

cp /etc/syslog.conf /etc/syslog.orig

  3. Use your favorite editor to edit the /etc/syslog.conf file and add the following line, replacing <IP Address_OF_CCE_Device> with the address of the SL1 appliance that will receive the messages:

*.err;kern.debug;daemon.notice;mail.crit @<IP Address_OF_CCE_Device>

    • If you are using an All-In-One Appliance, use the IP address of the All-In-One Appliance.

    • If you are using a Distributed System and the Collector Group that will monitor your device includes a Message Collector, use the IP address of the Message Collector.

    • If you are using a Distributed System and the Collector Group that will monitor your device includes a single Data Collector that performs the message collection function, use the IP address of the Data Collector.

NOTE: syslog includes many facilities. The facilities referenced above are only a suggested starting point; adjust the selector list to the facilities and severities you actually need to monitor.
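The severity table above and the selector list in the forwarding line are two views of the same thing: a syslog.conf selector such as daemon.notice matches messages of that facility at the named severity or anything more urgent (a numerically lower severity number), and `*` matches every facility. The following POSIX shell functions are an added example, not code from the original page or from ScienceLogic: they decode a message's PRI value (facility * 8 + severity, per RFC 3164) into the names used above and evaluate the page's own selector list against a message. The names `PAGE_RULE`, `pri_decode`, `selector_matches` and `demo` are chosen here; the facility numbers follow RFC 3164 (13 being the audit facility used on Solaris).

```shell
#!/bin/sh
# Added example (not from the original page): decode syslog PRI values and
# check which messages the page's selector list would forward.

# Severity number (0-7) to the syslog.conf name, matching the table above.
severity_name() {
    case "$1" in
        0) echo emerg ;;   1) echo alert ;;  2) echo crit ;; 3) echo err ;;
        4) echo warning ;; 5) echo notice ;; 6) echo info ;; 7) echo debug ;;
        *) echo unknown; return 1 ;;
    esac
}

# syslog.conf severity name (including the common aliases) to its number.
severity_number() {
    case "$1" in
        emerg|panic) echo 0 ;; alert) echo 1 ;;  crit) echo 2 ;;  err|error) echo 3 ;;
        warning|warn) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
        *) echo 99; return 1 ;;
    esac
}

# Facility number to name (RFC 3164 numbering; 13 is LOG_AUDIT on Solaris).
facility_name() {
    case "$1" in
        0) echo kern ;; 1) echo user ;;   2) echo mail ;;      3) echo daemon ;;
        4) echo auth ;; 5) echo syslog ;; 6) echo lpr ;;       7) echo news ;;
        8) echo uucp ;; 9) echo cron ;;   10) echo authpriv ;; 13) echo audit ;;
        1[6-9]|2[0-3]) echo "local$(( $1 - 16 ))" ;;
        *) echo "facility$1" ;;
    esac
}

# Decode a PRI value into "facility.severity", e.g. pri_decode 30 -> daemon.info
pri_decode() {
    pri=$1
    [ "$pri" -ge 0 ] 2>/dev/null && [ "$pri" -le 191 ] || return 1
    echo "$(facility_name $(( pri / 8 ))).$(severity_name $(( pri % 8 )))"
}

# Return 0 if a ';'-separated selector list forwards a message of facility $2
# at severity $3. Each "fac.sev" term matches that facility (or all, for "*")
# at severity sev or more urgent. "none" and comma-separated facility lists
# (also valid in syslog.conf) are not handled here.
selector_matches() {
    selectors=$1; fac=$2; sev=$3
    sevnum=$(severity_number "$sev") || return 1
    old_ifs=$IFS
    set -f                      # no pathname expansion of the "*" selector
    IFS=';'; set -- $selectors
    IFS=$old_ifs; set +f
    for term in "$@"; do
        tfac=${term%%.*}
        tsev=${term#*.}
        tsevnum=$(severity_number "$tsev") || continue
        if [ "$tfac" = "*" ] || [ "$tfac" = "$fac" ]; then
            [ "$sevnum" -le "$tsevnum" ] && return 0
        fi
    done
    return 1
}

# The selector list from the page's forwarding line.
PAGE_RULE='*.err;kern.debug;daemon.notice;mail.crit'

# Show the decision for a few constructed facility/severity pairs.
demo() {
    for msg in "daemon notice" "daemon info" "mail err" "mail warning" \
               "kern debug" "user warning"; do
        set -- $msg
        if selector_matches "$PAGE_RULE" "$1" "$2"; then r=forwarded; else r=dropped; fi
        echo "$1.$2 -> $r"
    done
}

demo
```

Running it shows why the page calls its rule only a starting point: daemon.info and user.warning are dropped, because `*.err` only covers error and above and no other term names those facilities, while mail.err is forwarded through `*.err` even though `mail.crit` alone would not match it.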

  4. After you edit the syslog.conf file, you must restart the syslog service. To do this, open a shell session, log in as root, and enter the following at the command prompt:

svcadm restart system-log

  5. To test sending syslog messages to SL1, open a shell session and enter the following at the command prompt:

logger -p daemon.notice "Test Debug Message to EM7"

  6. To see if the message was sent to CCE, check:

...
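The steps above are easy to get subtly wrong: the forwarding line must separate the selector from the `@host` action with a TAB (Solaris syslogd ignores space-separated lines), and re-running the procedure should not append the rule twice or overwrite the backup. The script below is an added example, not code from the original page or from ScienceLogic: it applies the page's procedure to whichever config file it is given, so it can be exercised on a copy, and only runs the real `svcs`/`svcadm`/`logger` commands when the environment variable `SYSLOG_APPLY=1` is set (`SYSLOG_APPLY`, `SYSLOG_CONF` and all function names are conventions chosen here).

```shell
#!/bin/sh
# Added example (not from the original page): apply the Solaris 10
# forwarding steps in an idempotent, checkable way.

# Selector list from the page's forwarding line.
SELECTORS='*.err;kern.debug;daemon.notice;mail.crit'
TAB=$(printf '\t')

# Build the forwarding line. Solaris syslog.conf requires a TAB between the
# selector field and the action field, so one is inserted explicitly.
forward_line() {
    printf '%s%s@%s\n' "$SELECTORS" "$TAB" "$1"
}

# Back up the config file with a .orig suffix (as the page does), but never
# overwrite an existing backup: the first copy is the pristine original.
backup_conf() {
    conf=$1
    if [ -e "$conf.orig" ]; then
        echo "backup $conf.orig already exists, keeping it" >&2
        return 0
    fi
    cp -p "$conf" "$conf.orig"
}

# Append the forwarding rule unless the exact line is already present.
add_forward_rule() {
    conf=$1; ip=$2
    line=$(forward_line "$ip")
    if grep -qxF -- "$line" "$conf"; then
        echo "rule already present in $conf"
        return 0
    fi
    backup_conf "$conf" || return 1
    printf '%s\n' "$line" >> "$conf"
}

# Return 1 (and print the offenders) if any non-comment, non-blank line lacks
# a TAB separator; such lines are silently ignored by Solaris syslogd.
check_separators() {
    grep -v '^#' "$1" | grep -v '^[[:space:]]*$' | grep -v "$TAB" && return 1
    return 0
}

# Live run, only when SYSLOG_APPLY=1 (assumed convention for this script):
# check the service, edit the file, validate it, restart, send a test message.
if [ "${SYSLOG_APPLY:-0}" = "1" ]; then
    CONF=${SYSLOG_CONF:-/etc/syslog.conf}
    IP=${1:?usage: SYSLOG_APPLY=1 $0 <collector-ip>}
    svcs system-log || exit 1
    add_forward_rule "$CONF" "$IP" || exit 1
    check_separators "$CONF" || { echo "lines without TAB separator found in $CONF" >&2; exit 1; }
    svcadm restart system-log
    logger -p daemon.notice "Test Debug Message to EM7"
fi
```

To rehearse the change, copy /etc/syslog.conf somewhere writable, source the script, and call `add_forward_rule` and `check_separators` on the copy; the separator check is also useful on its own for diagnosing a forwarding line that was added by hand with spaces and is being ignored.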


Overview

Solaris is an operating system based on Unix that was developed in 1992 by Sun Microsystems. EventTracker integrates with Solaris via Syslog to monitor events and provide insights on security and compliance-related activities such as login, logout, login-failed events, the command executed, and privilege escalation. This guide provides detailed procedures for configuring Solaris and EventTracker to receive Solaris events and monitor them effectively. The configurations outlined in this guide are designed for use with Seceon CCE and Solaris, ensuring consistency and reliability. Solaris users who want to forward events to EventTracker and monitor them using this tool can benefit from the information provided in this guide.

Prerequisites

  1. To use Seceon CCE, it must be installed on your system.

  2. In order for Syslog to function properly and transmit data, UDP Port 514 should be allowed through the firewall.

To configure Solaris to forward logs to EventTracker - Seceon CCE, follow these steps:

  1. Log into the Solaris system you want to monitor.

  2. Launch the terminal and run the following command:

sudo vi /etc/rsyslog.conf

  3. Enter the CCE IP address in place of <EventTracker IP> in the appropriate configuration file.

  4. Save and exit the file.

  5. Run the following command:

sudo /usr/sbin/auditconfig -setflags fd,fc,fm,lo,ex

To complete the configuration of Solaris to forward logs to EventTracker - Seceon CCE, follow these additional steps:

Restart the syslog service using the following command:

svcadm restart system/system-log:default

  • Enable audit logs by following these steps:

    a. Assume the Primary Administrator role, or become a superuser.

    b. Save a backup copy of the audit_control file:

    cp /etc/security/audit_control /etc/security/audit_control.save

    c. Add an audit_syslog.so plugin entry to audit_control, so that the file contains:

    flags:lo,ss
    naflags:lo,na
    plugin:name=audit_syslog.so;p_minfree=20;

  • After completing the previous steps, follow these additional steps to ensure that audit logs are properly forwarded to EventTracker - Seceon CCE:

    • Add an audit.notice entry to the syslog.conf file, which should look like the following:

      audit.notice /var/adm/auditlog

    • Create the log file using the following command:

      touch /var/adm/auditlog

    • Refresh the configuration information for the syslog service using the following command:

      svcadm restart system/system-log:default

    Note: Enabling audit logs may result in a large amount of log data, which can impact system performance.
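Audit forwarding only works when all three pieces above line up: the audit_syslog.so plugin is loaded in audit_control, syslog.conf routes the audit facility to a file, and that file exists. The following checker is an added example, not code from the original page or from Seceon/EventTracker: it verifies those three conditions on whatever audit_control and syslog.conf files it is given, so it can be run against copies as well as the live files. The function names are chosen here.

```shell
#!/bin/sh
# Added example (not from the original page): verify the audit-to-syslog wiring
# described in the steps above.

# Return 0 if audit_control loads the audit_syslog.so plugin.
audit_plugin_configured() {
    grep -q '^plugin:name=audit_syslog\.so' "$1"
}

# Print the file that syslog.conf routes the audit facility to (first match),
# accepting either a single selector or a ';'-separated list.
audit_log_target() {
    awk '($1 ~ /^audit\./ || $1 ~ /;audit\./) && $2 ~ /^\// { print $2; exit }' "$1"
}

# Run all checks against an audit_control file ($1) and a syslog.conf file ($2).
# Returns 0 only when every piece is in place; prints what is missing otherwise.
audit_forwarding_ok() {
    actl=$1; sconf=$2; ok=0
    audit_plugin_configured "$actl" || { echo "audit_syslog.so plugin missing in $actl"; ok=1; }
    target=$(audit_log_target "$sconf")
    if [ -z "$target" ]; then
        echo "no audit.* selector with a file action in $sconf"; ok=1
    elif [ ! -f "$target" ]; then
        echo "log file $target does not exist (create it with touch)"; ok=1
    fi
    return $ok
}

# On a Solaris host the live files would be checked like this:
#   audit_forwarding_ok /etc/security/audit_control /etc/syslog.conf
```

The separate `audit_log_target` step is deliberate: if the selector points somewhere other than /var/adm/auditlog, the page's "create the log file" step must be applied to that path, not the one in the example.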

Verification

On the source system, test if messages are being sent to the remote log host with the logger command:

# logger -p daemon.warn "this is a test"

Then check the /var/adm/messages file on the remote loghost for the test message:

# tail /var/adm/messages

These commands can be used to verify that the logging system is properly configured and that log messages are being forwarded from the source system to the remote log host.