SYS Log Management

Syslog is a standard Solaris system utility and requires very little configuration. Syslog reads system messages and forwards them to the appropriate log files (e.g. /var/adm/messages); it can also be configured to forward messages to users and/or to other, non-default log files.

Syslog works by reading from the STREAMS log driver within Solaris and can capture all manner of system events. Applications are very often written to use the Syslog service as well, so application errors, including serious access or security violations, can be logged through the same Syslog mechanism.

Syslog will satisfy several of the requirements of the policy document, these being: A, B and F.

Syslog is configured through the file /etc/syslog.conf. Each line of the file consists of two fields separated by one or more tabs (spaces are not accepted as the separator): Selector and Action.

Selector:
The Selector field is split into two constituent parts, facility and level, written as facility.level. facility can include any of the following:

user – messages generated by user processes
kern – messages generated by the kernel
auth – messages from the authorisation system

level can include any of the following:

emerg – panic conditions
crit – critical conditions
err – errors
warning – warning messages

An example follows:

auth.alert (Catches authorisation messages at alert level and above, for example that a user has supplied the wrong password.)

Action:
The Action field specifies what to do with the message and where to send it. Log files can be specified, users' terminals can be written to, as can the console device.

So for example:

auth.alert	/var/adm/messages (Writes all authorisation alerts to the /var/adm/messages file; note the tab between the two fields.)

Syslog can also be configured to forward certain types of message to a Syslog-aware server whilst still writing to its own specified log files.

Syslog forwarding can be configured by means of the loghost entry in the /etc/hosts file on the client. The loghost entry should be changed to the address of the Syslog-aware server, and the relevant entries in /etc/syslog.conf changed to look like the following:

*.debug	@loghost (Meaning: all messages at debug level and above, i.e. everything, are forwarded to the "loghost" server.)
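Because syslogd silently misbehaves on entries that use spaces instead of tabs or that name a facility or level it does not know, it is worth checking a syslog.conf before refreshing the daemon. The script below is an added example, not part of the original notes: it validates a syslog.conf-style file against the Solaris facility and level keywords and counts the problem lines. The sample configuration it writes is constructed for the example and contains two deliberately wrong entries.

```shell
#!/bin/sh
# Added example, not part of the original notes: check a syslog.conf-style
# file before refreshing syslogd. Facility and level names are the Solaris
# syslog.conf(4) keywords; the sample file below is constructed.

# syslog_conf_problems FILE
# Prints the number of problem lines to stdout (0 = looks sane) and one
# diagnostic per problem to stderr.
syslog_conf_problems() {
    awk '
    BEGIN {
        nf = split("user kern mail daemon auth lpr news uucp cron audit local0 local1 local2 local3 local4 local5 local6 local7 mark *", f, " ")
        for (i = 1; i <= nf; i++) fac[f[i]] = 1
        nl = split("emerg alert crit err warning notice info debug none", l, " ")
        for (i = 1; i <= nl; i++) lev[l[i]] = 1
        bad = 0
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }        # skip comments and blank lines
    {
        # syslogd wants selector and action separated by tabs, not spaces
        if (index($0, "\t") == 0) {
            printf("line %d: no tab between selector and action: %s\n", NR, $0) > "/dev/stderr"
            bad++; next
        }
        line = $0; sub(/^[ \t]+/, "", line)
        t = index(line, "\t")
        sel = substr(line, 1, t - 1)
        act = substr(line, t + 1); sub(/^[ \t]+/, "", act)
        if (act == "") { printf("line %d: missing action\n", NR) > "/dev/stderr"; bad++; next }
        # selector = facility[,facility].level[;facility.level...]
        ns = split(sel, parts, ";")
        for (i = 1; i <= ns; i++) {
            d = index(parts[i], ".")
            if (d == 0) { printf("line %d: selector %s has no level\n", NR, parts[i]) > "/dev/stderr"; bad++; continue }
            level = substr(parts[i], d + 1)
            if (!(level in lev)) { printf("line %d: unknown level %s\n", NR, level) > "/dev/stderr"; bad++ }
            nfa = split(substr(parts[i], 1, d - 1), fl, ",")
            for (j = 1; j <= nfa; j++)
                if (!(fl[j] in fac)) { printf("line %d: unknown facility %s\n", NR, fl[j]) > "/dev/stderr"; bad++ }
        }
    }
    END { print bad }' "$1"
}

# write_sample_syslog_conf FILE  (constructed sample; two lines are deliberately wrong)
write_sample_syslog_conf() {
    printf '# constructed sample, not a real host configuration\n' > "$1"
    printf 'auth.alert\t/var/adm/messages\n' >> "$1"
    printf 'kern.err;auth,user.notice\t/dev/console\n' >> "$1"
    printf '*.debug\t@loghost\n' >> "$1"
    printf 'mail.info   /var/log/maillog\n' >> "$1"   # spaces instead of a tab
    printf 'auth.high\t/var/adm/messages\n' >> "$1"   # no such level
}

sample="${TMPDIR:-/tmp}/syslog.conf.sample.$$"
write_sample_syslog_conf "$sample"
echo "problem lines: $(syslog_conf_problems "$sample")"   # prints 2
rm -f "$sample"
```

Run it against /etc/syslog.conf itself (syslog_conf_problems /etc/syslog.conf) before issuing the svcadm refresh described below; a non-zero count means an entry will not do what was intended.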

Solaris 10

To stop the syslogd daemon, perform the command:
# svcadm disable svc:/system/system-log:default

To start the syslogd daemon, perform the command:
# svcadm enable svc:/system/system-log:default

To send a refresh to the syslogd daemon, perform the command:
# svcadm refresh svc:/system/system-log:default

Solaris 8 & 9

Not sure (/usr/sbin/inetd -s)
/etc/init.d/syslogd start/stop

Solaris 10

Enabling TCP Tracing

The inetd property tcp_trace controls whether inetd logs the client address of each incoming connection through syslog. It is off by default, as listing the default inetd properties shows:

# inetadm -p
NAME=VALUE
bind_addr=""
bind_fail_max=-1
bind_fail_interval=-1
max_con_rate=-1
max_copies=-1
con_rate_offline=-1
failrate_cnt=40
failrate_interval=60
inherit_env=TRUE
tcp_trace=FALSE    <-- off by default
tcp_wrappers=FALSE

Switch it on for all inetd services by changing the default value (inetadm -M sets a default for every service; inetadm -m <FMRI> tcp_trace=TRUE changes a single service) and confirm the change:

# inetadm -M tcp_trace=TRUE
# inetadm -p
NAME=VALUE
bind_addr=""
bind_fail_max=-1
bind_fail_interval=-1
max_con_rate=-1
max_copies=-1
con_rate_offline=-1
failrate_cnt=40
failrate_interval=60
inherit_env=TRUE
tcp_trace=TRUE    <-- now enabled
tcp_wrappers=FALSE

logger enables you to send messages to the syslogd daemon from the command line or from scripts:
logger [ -i ] [ -f file ] [ -p priority ] [ -t tag ] [ message ]

Where:
-i Logs the process ID of the logger command with each line
-f file Uses the contents of file as the message to log (file must exist)
-p priority Enters the message with the specified priority
-t tag Marks each line added to the log file with the specified tag
message Concatenates the string arguments of the message in the order specified, separated by single-space characters
# logger -p user.err System rebooted
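Once messages are landing in /var/adm/messages, the "[ID nnn facility.level]" tag that Solaris syslogd prefixes to each message is the quickest way to see which facilities are producing what, and to spot a host producing a run of authorisation alerts. The script below is an added example, not part of the original notes; the sample log lines, hostnames, addresses and message IDs are constructed, and the last sample line mirrors what the logger command above would produce.

```shell
#!/bin/sh
# Added example, not part of the original notes: summarise a
# /var/adm/messages-style file by the "[ID nnn facility.level]" tag that
# Solaris syslogd prefixes to each message, and pick out hosts with repeated
# auth.alert entries. The sample lines and message IDs are constructed.

# summarize_messages FILE
# Prints "facility.level count" lines, most frequent first.
summarize_messages() {
    awk '
    match($0, /\[ID [0-9]+ [a-z0-9]+\.[a-z]+\]/) {
        tag = substr($0, RSTART, RLENGTH)      # e.g. "[ID 800047 auth.alert]"
        split(tag, p, " ")
        pri = p[3]; sub(/\]$/, "", pri)        # "auth.alert"
        n[pri]++
    }
    END { for (k in n) printf("%s %d\n", k, n[k]) }' "$1" | sort -k2,2nr -k1,1
}

# auth_alert_sources FILE MIN
# Prints "host:count" for every host with at least MIN auth.alert messages.
# In the standard syslog line layout (Mon DD HH:MM:SS host ...) the hostname
# is the fourth whitespace-separated field.
auth_alert_sources() {
    awk -v min="$2" '
    /\[ID [0-9]+ auth\.alert\]/ { n[$4]++ }
    END { for (h in n) if (n[h] >= min) printf("%s:%d\n", h, n[h]) }' "$1" | sort
}

# write_sample_messages FILE  (constructed lines in Solaris syslogd layout)
write_sample_messages() {
    cat > "$1" <<'EOF'
Jun  5 10:12:31 web1 login: [ID 800047 auth.alert] login failure for root from 10.1.2.3
Jun  5 10:12:33 web1 login: [ID 800047 auth.alert] login failure for root from 10.1.2.3
Jun  5 10:12:35 web1 login: [ID 800047 auth.alert] login failure for root from 10.1.2.3
Jun  5 10:13:02 db1 login: [ID 800047 auth.alert] login failure for oracle from 10.1.2.9
Jun  5 10:14:10 web1 inetd[123]: [ID 317013 daemon.notice] telnet[456] from 10.1.2.3 50122
Jun  5 10:15:00 db1 root: [ID 702911 user.err] System rebooted
EOF
}

sample="${TMPDIR:-/tmp}/messages.sample.$$"
write_sample_messages "$sample"
echo "messages by facility.level:"
summarize_messages "$sample"          # auth.alert 4, daemon.notice 1, user.err 1
echo "hosts with 2 or more auth.alert messages:"
auth_alert_sources "$sample" 2        # web1:3
rm -f "$sample"
```

On a central loghost that receives the *.debug forwarding described earlier, the same two functions run over the consolidated file and the host field distinguishes the clients, which is the point of forwarding in the first place.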