Instructions for forwarding Solaris logs to your Log Management device


Solaris 11.X
  • To configure the audit_syslog plugin, you must become an administrator who is assigned the Audit Configuration rights profile
  • To configure the syslog utility and create the auditlog file, you must assume the root role
Clone Systems Log Management Device
  • The IP Address for the Clone Systems Log Management device

1. Select audit classes to be sent to the audit_syslog plugin, and make the plugin active. Note: p_flags audit classes must be preselected as either system defaults or in the audit flags of a user or a rights profile. Records are not collected for a class that is not preselected.

  • # auditconfig -setplugin audit_syslog active p_flags=lo,+as,-ss

2. Configure the syslog utility.

  • Add an audit.notice entry to the syslog.conf file. The entry includes the location of the log file.
  • # cat /etc/syslog.conf
  • audit.notice /var/adm/auditlog
  • Create the log file.
  • # touch /var/adm/auditlog
  • Set the log file’s permissions to 640.
  • # chmod 640 /var/adm/auditlog
  • Check which system-log service instance is running on the system.
  • # svcs system-log
    online Nov_27 svc:/system/system-log:default
    disabled Nov 27 svc:/system/system-log:rsyslog
  • Refresh the configuration information for the active syslog service instance.
  • # svcadm refresh system/system-log:default

3. Refresh the audit service. The audit service reads the changes to the audit plugin upon refresh.

  • # audit -s

4. Regularly archive the syslog log files. The audit service can generate extensive output. To manage the logs, see the logadm(1M) man page.

Example 4-11 Specifying Audit Classes for syslog Output

In the following example, the syslog utility collects a subset of the preselected audit classes. The pf class is created in Example 3–15.

  • # auditconfig -setnaflags lo,na
  • # auditconfig -setflags lo,ss
  • # usermod -K audit_flags=pf:no jdoe
  • # auditconfig -setplugin audit_syslog active p_flags=lo,+na,-ss,+pf

The arguments to the auditconfig command instruct the system to collect all login/logout, non-attributable, and change of system state audit records. The audit_syslog plugin entry instructs the syslog utility to collect all logins, successful non-attributable events, and failed changes of system state. For the jdoe user, the binary utility collects successful and failed calls to the pfexec command. The syslog utility collects successful calls to the pfexec command.
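
The preselection rule from step 1, as an added shell example that is not part of the original instructions: it lists the p_flags entries that request records no preselected class would produce. The function names are hypothetical, the flag lists are passed in as plain strings (for a user, the always-audit part of audit_flags, such as pf), and "^" prefixes are not handled.

```shell
#!/bin/sh
# Added example: find p_flags entries that are not preselected.
# Flag syntax as on this page: "lo" = success and failure,
# "+lo" = success only, "-lo" = failure only. "^" is not handled.

# is_preselected OUTCOME CLASS LIST
# True if the comma-separated LIST selects CLASS for OUTCOME,
# where OUTCOME is "+" (success) or "-" (failure).
is_preselected() {
    old_ifs=$IFS; IFS=,
    set -- "$1" "$2" $3            # split LIST on commas
    IFS=$old_ifs
    outcome=$1; class=$2; shift 2
    for have in "$@"; do
        case "$have" in
            "$class"|"$outcome$class") return 0 ;;
        esac
    done
    return 1
}

# unselected_p_flags P_FLAGS PRESELECTED...
# Prints the p_flags entries asking for an outcome that none of the
# PRESELECTED lists (flags, naflags, a user's always-audit flags) selects.
unselected_p_flags() {
    p_flags=$1; shift
    pre=$(printf '%s,' "$@")       # merge all preselected lists
    missing=
    save_ifs=$IFS; IFS=,
    for want in $p_flags; do
        IFS=$save_ifs
        case "$want" in
            +*) need="+" ;;
            -*) need="-" ;;
            *)  need="+ -" ;;
        esac
        for o in $need; do
            if ! is_preselected "$o" "${want#[+-]}" "$pre"; then
                missing="${missing:+$missing,}$want"
                break
            fi
        done
    done
    IFS=$save_ifs
    printf '%s\n' "$missing"
}

# Constructed input: step 1's p_flags when only "lo" is preselected.
unselected_p_flags "lo,+as,-ss" "lo"      # prints +as,-ss
```

With the values from Example 4-11 (p_flags lo,+na,-ss,+pf against lo,ss, lo,na and pf) the function prints an empty line, meaning every requested class is preselected.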

Example 4-12 Putting syslog Audit Records on a Remote System

You can change the audit.notice entry in the syslog.conf file to point to a remote system. In this example, the name of the local system is sys1.1. The remote system is remote1.

  • sys1.1 # cat /etc/syslog.conf
  • audit.notice @remote1
  • The audit.notice entry in the syslog.conf file on the remote1 system points to the log file.
  • remote1 # cat /etc/syslog.conf
  • audit.notice /var/adm/auditlog