Use https://seceonhelp.freshdesk.com/support/login to access updated Knowledge Base Articles, Submit Technical Support Tickets and Review Status of submitted support tickets.


  1. Overview

  2. Prerequisites

  3. Configuring Solaris to forward logs to EventTracker - Seceon CCE

  4. Verification

Overview

Solaris is a Unix operating system first released by Sun Microsystems in 1992. EventTracker integrates with Solaris via syslog and monitors the events that matter for security and compliance, such as logins, logouts, failed logins, commands executed, and privilege escalation.

This guide helps you configure Solaris and EventTracker so that EventTracker receives Solaris events. You will find the detailed procedures required for monitoring Solaris.

The configurations detailed in this guide were written against Seceon CCE and Solaris.

Audience: Solaris users who wish to forward events to EventTracker and monitor them there.

Prerequisites

  1. Seceon CCE should be installed.

  2. Allow syslog traffic on UDP port 514 through any firewall between the Solaris host and the Seceon CCE collector (the @host action used in syslog.conf sends over UDP). Syslog over UDP is neither encrypted nor authenticated, so this path should run over a trusted management network.

Configuring Solaris to forward logs to EventTracker - Seceon CCE

  • Log into the Solaris system you want to monitor.

  • Launch the terminal and open the syslog configuration file. The Solaris system-log service reads /etc/syslog.conf.

    • sudo vi /etc/syslog.conf

  • Add a forwarding rule whose action field is @<EventTracker IP>, replacing <EventTracker IP> with the address of the EventTracker Agent (Seceon CCE). The @ action sends over UDP port 514, the port opened in the prerequisites. Solaris syslogd expects the selector (for example *.*) and the action to be separated by a tab, so use a tab rather than spaces.

  • Save and quit.

  • Run the following command to select the audit classes to record (fd = file delete, fc = file create, fm = file attribute modify, lo = login/logout, ex = exec). This auditconfig option applies to Solaris 11; on Solaris 10 the classes are set in /etc/security/audit_control as described below.

    • sudo /usr/sbin/auditconfig -setflags fd,fc,fm,lo,ex

  • Use the below command (as root or via sudo) to restart the syslog service.

    • svcadm restart system/system-log:default

  • In addition to this, audit logs should also be enabled. Assume the Primary Administrator role, or become superuser, and follow the steps below. They apply to Solaris 10, where auditing is configured in /etc/security/audit_control and must already have been turned on with bsmconv and a reboot; after editing the file, run audit -s so the audit daemon re-reads it. On Solaris 11 this file no longer exists, and the equivalent is auditconfig -setflags, auditconfig -setnaflags and auditconfig -setplugin audit_syslog active p_flags=<classes>.

    • Save a backup copy of the audit_control file.

      • cp /etc/security/audit_control /etc/security/audit_control.save

    • Add an audit_syslog.so plugin entry to audit_control. Its p_flags attribute selects which of the classes named in flags and naflags are sent to syslog (p_flags=lo,ss,na below is an example that covers every class listed). The file should then look like this:

      • audit_control file

      • flags:lo,ss

      • naflags:lo,na

      • plugin:name=audit_binfile.so;p_dir=/var/audit; p_minfree=20;

      • plugin:name=audit_syslog.so;p_flags=lo,ss,na

  • Add an audit.notice entry to /etc/syslog.conf so that the records emitted by the audit_syslog.so plugin are also written to a local file (again with a tab between the two fields). If the forwarding rule's selector covers the audit facility (for example *.*), the same records reach EventTracker as well. After the edit, the relevant line should read as follows:

    • cat /etc/syslog.conf

    • audit.notice /var/adm/auditlog

  • Create the log file.

    • touch /var/adm/auditlog

  • Refresh the configuration information for the syslog service.

    • svcadm restart system/system-log:default

Note: Enabling audit logging, in particular the file (fc, fd, fm) and exec (ex) classes, generates a very large volume of records, which can affect performance and disk usage on the Solaris host and on the collector.
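The procedure above edits /etc/syslog.conf by hand, and the most common reason forwarding then "silently" does nothing is a rule written with spaces instead of the tab Solaris syslogd expects. The POSIX shell helpers below are an added example, not part of the Seceon page or of Solaris: they emit the two entries used in the procedure with an explicit tab, add the forwarding rule idempotently, and flag rule lines that lack a tab separator. The collector address 192.0.2.10 (a documentation range) and the CONF variable are assumptions for the example; by default the script works on a constructed copy of syslog.conf, so it is safe to run anywhere.

```shell
#!/bin/sh
# Added example (not Seceon's or Oracle's code): helpers for the /etc/syslog.conf
# edits described above. Solaris syslogd requires a TAB between the selector and
# the action field, so every entry is written with an explicit tab and a checker
# reports rule lines that have none.
# Assumptions: 192.0.2.10 is a placeholder collector address; CONF defaults to a
# constructed temporary copy. Set CONF=/etc/syslog.conf on the Solaris host to
# edit the real file, then run: svcadm restart system/system-log:default

# Rule forwarding everything to the EventTracker / Seceon CCE collector.
# The '@host' action means UDP port 514 (the port opened in the prerequisites).
forwarding_entry() {
    printf '*.*\t@%s\n' "$1"
}

# Rule keeping a local copy of audit records, as in the audit step above.
audit_entry() {
    printf 'audit.notice\t/var/adm/auditlog\n'
}

# Report rule lines (non-blank, non-comment) with no TAB separator.
# Exit 0 when every rule is well-formed, 1 otherwise.
check_tabs() {
    awk '/^[ \t]*(#|$)/ { next }
         !/\t/ { printf "%s:%d: no TAB between selector and action: %s\n", FILENAME, NR, $0; bad = 1 }
         END { exit bad + 0 }' "$1"
}

# Exit 0 if FILE ($1) already contains a rule whose action is @IP ($2).
has_forwarding() {
    awk -F '\t' -v ip="$2" '$NF == ("@" ip) { found = 1 } END { exit !found }' "$1"
}

# Append the forwarding rule to FILE ($1) once only, so re-running is harmless.
add_forwarding() {
    has_forwarding "$1" "$2" || forwarding_entry "$2" >> "$1"
}

# Demonstration on a constructed copy of syslog.conf. The last constructed
# line deliberately uses spaces instead of a tab, so check_tabs reports it.
created=0
if [ -z "${CONF:-}" ]; then
    CONF=$(mktemp)
    created=1
    {
        printf '# constructed sample, mirrors the entries used on this page\n'
        printf 'mail.debug\t/var/log/syslog\n'
        audit_entry
        printf 'audit.notice /var/adm/auditlog\n'
    } > "$CONF"
fi
add_forwarding "$CONF" 192.0.2.10
add_forwarding "$CONF" 192.0.2.10      # second call is a no-op
if check_tabs "$CONF"; then
    echo "$CONF: all rules use TAB separators"
else
    echo "$CONF: fix the lines reported above, then restart system/system-log:default"
fi
if [ "$created" = 1 ]; then
    rm -f "$CONF"
fi
```

Run it once against the constructed copy to see the checker output, then with CONF=/etc/syslog.conf on the Solaris host to append the forwarding rule and verify the whole file before restarting the system-log service.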

Verification

On the source system, test whether messages are being sent to the remote log host with the logger command (the priority used must be matched by the forwarding rule's selector):

# logger -p daemon.warn "this is a test"

then confirm that the message arrived. On a Solaris loghost it appears in /var/adm/messages:

# tail /var/adm/messages

On the Seceon CCE side, the same test message should appear among the received events. If it does not arrive, check on the Solaris host that the system-log service is online (svcs system/system-log), that packets are leaving for UDP port 514 (snoop port 514), and that the forwarding rule in /etc/syslog.conf uses a tab between the selector and the action.
