Overview
Solaris is an operating system based on Unix that was developed in 1992 by Sun Microsystems. EventTracker integrates with Solaris via Syslog to monitor events and provide insights on security and compliance-related activities such as login, logout, login-failed events, the command executed, and privilege escalation.This guide provides detailed procedures for configuring Solaris and EventTracker to receive Solaris events and monitor them effectively.The configurations outlined in this guide are designed for use with Seceon CCE and Solaris, ensuring consistency and reliability.Solaris users who want to forward events to EventTracker and monitor them using this tool can benefit from the information provided in this guide.
Prerequisites
To use Seceon CCE, it must be installed on your system.
In order for Syslog to function properly and transmit data, UDP Port 514 should be allowed through the firewall.
To configure Solaris to forward logs to EventTracker - Seceon CCE, follow these steps:
Log into the Solaris system you want to monitor.
Launch the terminal and run the following command:
sudo vi /etc/rsyslog.conf
To configure Solaris to forward logs to EventTracker - Seceon CCE, follow these steps:
Enter the EventTracker Agent IP address in place of
<EventTracker IP>
in the appropriate configuration file.Save and exit the file.
Run the following command:
sudo /usr/sbin/auditconfig -setflags fd,fc,fm,lo,ex
To complete the configuration of Solaris to forward logs to EventTracker - Seceon CCE, follow these additional steps:
Restart the syslog service using the following command:
svcadm restart system/system-log:default
Enable audit logs by following these steps:
a. Assume the Primary Administrator role, or become a superuser.
b. Save a backup copy of the
audit_control
file:cp /etc/security/audit_control /etc/security/audit_control.save
c. Add an
audit_syslog.so
plugin entry toaudit_control
:makefileCopy codeaudit_control file flags:lo,ss naflags:lo,na plugin:name=audit_syslog.so;p_minfree=20;
After completing the previous steps, follow these additional steps to ensure that audit logs are properly forwarded to EventTracker - Seceon CCE:
Add an
audit.notice
entry to thesyslog.conf
file, which should look like the following:audit.notice /var/adm/auditlog
Create the log file using the following command:
touch /var/adm/auditlog
Refresh the configuration information for the syslog service using the following command:
svcadm restart system/system-log:default
Note: Enabling audit logs may result in a large amount of log data, which can impact system performance.
Varification
On the source system, test if messages are being sent to the remote log host with the logger
command:
cCopy code# logger -p daemon.warn "this is a test"
Then check the /var/adm/messages
file on the remote loghost for the test message:
shellCopy code# tail /var/adm/messages
These commands can be used to verify that the logging system is properly configured and that log messages are being forwarded from the source system to the remote log host.