Syslog (the syslogd daemon) is a standard Solaris system service and requires very little configuration. It receives system messages and writes them to the appropriate log files (e.g. /var/adm/messages); it can also be configured to write selected messages to logged-in users' terminals, to the console, to other non-default log files, or to a remote log host.
syslogd reads its input from the STREAMS log driver (/dev/log for user processes, plus the kernel's log stream), so it sees events from the kernel, from system daemons, and from any application written to use the syslog(3C) interface. Many applications are written that way, which is why application errors, including access and security violations, can be captured centrally through syslog.
Syslog will satisfy several of the requirements of the policy document, these being: A, B and F.
Syslog is configured through the file /etc/syslog.conf. Each entry has two fields, Selector and Action, and they must be separated by one or more TAB characters: Solaris syslogd does not treat spaces as the separator, so an entry typed with spaces will not work as intended. The file is also run through m4 when syslogd starts, which is why the stock file contains ifdef(`LOGHOST', ...) actions.
The Selector field is written facility.level. facility names the subsystem that produced the message and can be any of the following:
user – messages generated by user processes (the default for logger and for applications that set no facility)
kern – messages generated by the kernel (the name in syslog.conf is kern, not kernel)
auth – messages from the authorisation system (login, su, sshd and similar)
daemon – messages from system daemons such as inetd
mail, lpr, news, uucp, cron – messages from those subsystems
local0 to local7 – reserved for locally written applications
* – every facility
level is the severity and can be any of the following, from most to least severe:
emerg – panic conditions
alert – conditions that must be corrected immediately
crit – critical conditions
err – errors
warning – warning messages
notice – normal but significant conditions
info – informational messages
debug – debugging messages
A selector's level is a threshold, not an exact match: facility.level selects messages of that facility at that level and at every more severe level. auth.notice therefore also catches auth.crit, auth.alert and auth.emerg, whereas auth.alert catches only alert and emerg. The special level none excludes a facility (for example *.debug;mail.none).
An example follows:
auth.alert (Selects messages from the auth facility at level alert or above, i.e. alert and emerg.)
Note that this is not the selector that catches a user supplying the wrong password. With SYSLOG=YES in /etc/default/login, login reports repeated failed attempts at auth.crit and root logins at auth.notice, both of which are below alert, so auth.alert would miss them. The stock Solaris syslog.conf routes them with an auth.notice selector to /var/log/authlog.
The Action field specifies what to do with a selected message and where to send it: a log file (given as a full pathname), the console device (/dev/console), one or more user names separated by commas (the message is written to those users' terminals), * (written to every logged-in user), or a remote host written as @hostname.
So for example:
auth.alert /var/adm/messages (Will write all auth messages at alert level or above to the /var/adm/messages file; the two fields are separated by a TAB, not the space shown here.)
Syslog can also be configured to send certain types of message to a Syslog-aware server whilst still writing to its own local log-files.
Forwarding is configured through the loghost entry in /etc/hosts on the client. Point loghost at the address of the Syslog server (syslogd resolves the name when it starts, so refresh syslogd after changing it), then use @loghost as the Action in /etc/syslog.conf, for example:
*.debug @loghost (Meaning: messages of every facility at debug or above, that is everything, are sent to the server named loghost)
A more selective entry such as auth.notice @loghost forwards only what the policy requires. The stock syslog.conf already contains entries of the form ifdef(`LOGHOST', /var/log/authlog, @loghost): the first branch is used when the host's own name resolves to loghost, otherwise the message goes to @loghost. Forwarded messages travel over UDP port 514 in cleartext with no authentication, so the network path between client and server must be trusted or filtered, and the server's syslogd must be allowed to accept remote messages (it does so unless started with -t, or with LOG_FROM_REMOTE=NO in /etc/default/syslogd).
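The two checks a practitioner wants after writing the file above are whether syslogd will actually parse it (TAB separation, known facility and level names) and which actions a given message priority reaches, since the level in a selector is a threshold. The following POSIX shell script is an added example, not code from the original page: it does both over a constructed syslog.conf that mixes stock Solaris entries with three deliberately broken lines. The facility and level tables, the sample file contents and the function names (lint_syslog_conf, actions_for, and the rest) are its own assumptions.

```shell
#!/bin/sh
# Added example (not from the original page): check a Solaris-style
# /etc/syslog.conf and show which actions a given facility.level reaches.
# Solaris syslogd splits selector from action on TAB only, so an entry
# typed with spaces does not work; facility and level names must be ones
# syslogd knows; an "@host" action forwards cleartext, unauthenticated UDP.
# The "none" level and m4 ifdef() actions are not modelled here.
VALID_FACILITIES="user kern mail daemon auth lpr news uucp cron audit mark local0 local1 local2 local3 local4 local5 local6 local7"
VALID_LEVELS="emerg alert crit err warning notice info debug none"
TAB=$(printf '\t')

# in_list WORD "LIST": succeed if WORD is "*" or one of the words in LIST
in_list() {
    [ "$1" = '*' ] && return 0
    for w in $2; do [ "$w" = "$1" ] && return 0; done
    return 1
}

# normalize_conf FILE: one record "LINE FACILITY LEVEL ACTION" per facility
# named in each selector; a line with no TAB yields "LINE - - NOTAB".
# Runs as a subshell with globbing off so the "*" facility stays literal.
normalize_conf() (
    set -f
    n=0
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in '' | '#'*) continue ;; esac
        selector=${line%%"$TAB"*}
        if [ "$selector" = "$line" ]; then
            echo "$n - - NOTAB"
            continue
        fi
        rest=${line#*"$TAB"}
        action=$(printf '%s' "$rest" | tr -d '\t ')
        for sel in $(printf '%s' "$selector" | tr ';' ' '); do
            for fac in $(printf '%s' "${sel%.*}" | tr ',' ' '); do
                echo "$n $fac ${sel##*.} $action"
            done
        done
    done < "$1"
)

# lint_syslog_conf FILE: "ERR <line>: ..." per defect, "REMOTE <line>: ..."
# per @host action; error_count/remote_count give the totals.
lint_syslog_conf() {
    normalize_conf "$1" | while read -r n fac level action; do
        if [ "$action" = NOTAB ]; then
            echo "ERR $n: selector and action must be separated by a TAB"
        else
            in_list "$fac" "$VALID_FACILITIES" || echo "ERR $n: unknown facility '$fac'"
            in_list "$level" "$VALID_LEVELS" || echo "ERR $n: unknown level '$level'"
            case "$action" in
                @*) echo "REMOTE $n: $fac.$level goes to ${action#@} over UDP/514 in cleartext" ;;
            esac
        fi
    done
}
error_count()  { lint_syslog_conf "$1" | grep -c '^ERR' || true; }
remote_count() { lint_syslog_conf "$1" | grep -c '^REMOTE' || true; }

# level_rank NAME: severity as a number, 0 = emerg ... 7 = debug, 99 = unknown
level_rank() {
    case "$1" in
        emerg) echo 0 ;; alert) echo 1 ;; crit) echo 2 ;; err) echo 3 ;;
        warning) echo 4 ;; notice) echo 5 ;; info) echo 6 ;; debug) echo 7 ;;
        *) echo 99 ;;
    esac
}

# actions_for FILE facility.level: every action a message of that priority
# reaches. A selector's level is a threshold (that level and anything more
# severe), so auth.crit reaches an auth.notice line but not a *.alert line.
actions_for() {
    mfac=${2%.*}; mrank=$(level_rank "${2##*.}")
    normalize_conf "$1" | while read -r n fac level action; do
        if [ "$action" = NOTAB ] || [ "$level" = none ]; then continue; fi
        if [ "$fac" = '*' ] || [ "$fac" = "$mfac" ]; then
            if [ "$mrank" -le "$(level_rank "$level")" ]; then echo "$action"; fi
        fi
    done | LC_ALL=C sort -u
}

# write_sample_conf FILE: constructed config, stock Solaris entries plus three
# broken lines (facility "kernel", spaces instead of a TAB, level "verbose").
write_sample_conf() {
    {
        printf '# constructed sample, not a real host configuration\n'
        printf '*.err;kern.notice;auth.notice\t/dev/sysmsg\n'
        printf '*.err;kern.debug;daemon.notice;mail.crit\t/var/adm/messages\n'
        printf '*.alert\troot\n'
        printf '*.emerg\t*\n'
        printf 'auth.notice\t/var/log/authlog\n'
        printf '*.debug\t@loghost\n'
        printf 'kernel.err\t/var/adm/messages\n'
        printf 'auth.alert /var/adm/messages\n'
        printf 'mail.verbose\t/var/log/syslog\n'
    } > "$1"
}

# Stand-alone use: lint the file named as $1, or the constructed sample.
if [ -n "${1:-}" ]; then conf=$1; else conf=$(mktemp); write_sample_conf "$conf"; fi
lint_syslog_conf "$conf"
echo "actions reached by auth.crit:"; actions_for "$conf" auth.crit
```

Run it with no argument to see the sample's three ERR lines and one REMOTE line, or pass the path of a real syslog.conf. actions_for answers the question from the auth.alert example above directly: a message at auth.crit reaches the *.err, auth.notice and *.debug entries but not the *.alert one.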
On Solaris 10 and later, syslogd is managed by SMF (svcs system-log shows whether it is online). To stop the syslogd daemon, perform the command:
# svcadm disable svc:/system/system-log:default
To start the syslogd daemon, perform the command:
# svcadm enable svc:/system/system-log:default
To make syslogd re-read /etc/syslog.conf after editing it (or after changing loghost in /etc/hosts), send a refresh to the daemon:
# svcadm refresh svc:/system/system-log:default
Solaris 8 & 9
These releases predate SMF, so syslogd is controlled by its init script: /etc/init.d/syslog stop and /etc/init.d/syslog start. It re-reads /etc/syslog.conf when sent SIGHUP (pkill -HUP syslogd).
Enabling TCP Tracing (Solaris 10 inetd)
With tcp_trace=TRUE, inetd logs every TCP connection it accepts (service name, the pid of the service it started, and the peer address and port) through syslog at daemon.notice, which the stock syslog.conf writes to /var/adm/messages. Show the current defaults, set the default for every inetd-managed service, then confirm the change:
# inetadm -p
# inetadm -M tcp_trace=TRUE
# inetadm -p
(To enable it for a single service instead, use inetadm -m <fmri> tcp_trace=TRUE.)
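Once tcp_trace is on, every accepted connection becomes a daemon.notice line in /var/adm/messages alongside the auth messages discussed above, and those lines are what a policy check or an incident responder actually reads. The following shell script is an added example, not code from the original page: it runs simple detection logic over constructed /var/adm/messages lines laid out in the Solaris "prog[pid]: [ID msgid facility.level] text" format (the message IDs, host, addresses and user names are invented), summarising inetd connections per service and source, counting messages per facility.level, and flagging sources with repeated login failures.

```shell
#!/bin/sh
# Added example (not from the original page): detection logic over
# /var/adm/messages-style lines. Two things the configuration in this
# section produces are picked out: the per-connection records inetd writes
# at daemon.notice when tcp_trace=TRUE, and login failures from the auth
# facility. The lines below are constructed to follow the Solaris
# "prog[pid]: [ID msgid facility.level] text" layout; they are not real logs.
SAMPLE_LOG='Jun 14 10:55:01 sol10 inetd[6154]: [ID 317013 daemon.notice] telnet[6160] from 192.168.1.50 42513
Jun 14 10:55:09 sol10 inetd[6154]: [ID 317013 daemon.notice] ftp[6172] from 192.168.1.50 42520
Jun 14 10:55:12 sol10 inetd[6154]: [ID 317013 daemon.notice] telnet[6180] from 10.0.0.7 51001
Jun 14 10:55:40 sol10 inetd[6154]: [ID 317013 daemon.notice] telnet[6191] from 10.0.0.7 51004
Jun 14 10:56:02 sol10 login: [ID 143248 auth.crit] REPEATED LOGIN FAILURES ON /dev/pts/3 FROM 192.168.1.50, root
Jun 14 10:57:10 sol10 login: [ID 143248 auth.crit] REPEATED LOGIN FAILURES ON /dev/pts/4 FROM 192.168.1.50, root
Jun 14 10:58:31 sol10 login: [ID 143248 auth.crit] REPEATED LOGIN FAILURES ON /dev/pts/5 FROM 192.168.1.50, oracle
Jun 14 10:59:00 sol10 login: [ID 143248 auth.crit] REPEATED LOGIN FAILURES ON /dev/pts/6 FROM 10.0.0.7, root
Jun 14 11:01:00 sol10 sshd[7001]: [ID 800047 auth.notice] Accepted publickey for jdoe from 10.0.0.7 port 40110 ssh2'

# write_sample_log FILE: write the constructed sample so the functions
# below can be run against a file, as they would be against /var/adm/messages
write_sample_log() { printf '%s\n' "$SAMPLE_LOG" > "$1"; }

# log_by_priority FILE: count of messages per facility.level, taken from the
# "[ID msgid facility.level]" tag, so syslog.conf selectors can be checked
# against what actually arrives
log_by_priority() {
    awk '$6 == "[ID" { p = $8; sub(/\]$/, "", p); c[p]++ }
         END { for (p in c) print p, c[p] }' "$1" | LC_ALL=C sort
}

# inetd_connections FILE: "service source count" from tcp_trace records
# (inetd[pid]: [ID ... daemon.notice] service[pid] from ADDR PORT)
inetd_connections() {
    awk '$5 ~ /^inetd\[/ && $8 == "daemon.notice]" && $10 == "from" {
             svc = $9; sub(/\[.*/, "", svc); c[svc " " $11]++ }
         END { for (k in c) print k, c[k] }' "$1" | LC_ALL=C sort
}

# repeated_failures FILE N: sources with at least N login failures, matched on
# the auth facility plus login's "LOGIN FAILURE" text; other programs (for
# example sshd's "Failed password ... from ADDR") need their own pattern
repeated_failures() {
    awk -v min="$2" '$8 ~ /^auth\./ && /LOGIN FAILURE/ {
             if (match($0, /FROM [0-9.]+/)) {
                 src = substr($0, RSTART + 5, RLENGTH - 5); c[src]++ } }
         END { for (s in c) if (c[s] >= min) print s, c[s] }' "$1" | LC_ALL=C sort
}

# Stand-alone use: report on the file named as $1, or on the constructed sample.
if [ -n "${1:-}" ]; then log=$1; else log=$(mktemp); write_sample_log "$log"; fi
echo "messages per priority:";        log_by_priority "$log"
echo "inetd connections:";            inetd_connections "$log"
echo "sources with 3+ login failures:"; repeated_failures "$log" 3
```

The priority count is the quickest way to confirm that the selectors in syslog.conf match what the hosts are really sending; the other two functions are the kind of check that requirement-driven log review would run daily, and the threshold argument to repeated_failures is where local policy is applied.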
logger enables you to send messages to the syslogd daemon from the command line or a script, so that an application or batch job can record events under the same syslog.conf rules as everything else.
logger [ -i ] [ -f file ] [ -p priority ] [ -t tag ] [ message ]
-i Logs the process ID of the logger command with each line
-f file Uses the contents of file as the message to log (file must exist)
-p priority Enters the message with the specified priority, written as facility.level (default user.notice)
-t tag Marks each line added to the log with the specified tag
message Concatenates the string arguments of the message in the order specified, separated by single-space characters
# logger -p user.err System rebooted
(This message is logged with facility user at level err, so it is written wherever a selector such as user.err or *.err points.)