Solaris Logging Setup
Ship system log files from Solaris to Logstash
Configure syslog to ship logs from Solaris Systems to Logstash.
Install Integration
Download SSL Certificate
Download the root.logit.io.crt file and place it in /etc/certs/syslog/keys/ca.d (or another directory of your choice):
https://cdn.logit.io/root.logit.io.crt
sudo mkdir -p /etc/certs/syslog/keys/ca.d
sudo curl -o /etc/certs/syslog/keys/ca.d/root.logit.io.crt https://cdn.logit.io/root.logit.io.crt
rsyslog uses this root CA certificate to validate the certificate presented by logit.io, which prevents man-in-the-middle attacks on the log stream.
Locate rsyslog config
/etc/rsyslog.conf
$DefaultNetstreamDriverCAFile /etc/certs/syslog/keys/ca.d/root.logit.io.crt
$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *.logit.io
*.* @@'@logstash.host:strip_quotes':@logstash.port
Notes
- If possible, run the latest minor version of rsyslog v7 or v8; older versions contain many TLS bugs.
- Ensure you have @@ (not a single @) in front of the host, so that TCP is used rather than UDP.
Check which Solaris syslog is enabled
Solaris ships with a default syslog service that may need to be disabled before rsyslog can take over. To check which system-log service is running, use the command below.
svcs system-log
STATE          STIME    FMRI
disabled       11:16:28 svc:/system/system-log:rsyslog
online         11:16:48 svc:/system/system-log:default
Disable system-log:default
svcadm disable svc:/system/system-log:default
Enable rsyslog
svcadm enable svc:/system/system-log:rsyslog
The same disable/enable commands can also be used to restart rsyslog after changes are made to the config file.
Troubleshooting
If you receive either of the following errors
could not load module '/usr/lib/rsyslog/lmnsd_gtls.so',
rsyslog error -2078 [try http://www.rsyslog.com/e/2068 ]
Or
could not load module '/usr/lib/rsyslog/lmnsd_gtls.so',
dlopen: /usr/lib/rsyslog/lmnsd_gtls.so: cannot open shared object file: No such file or directory
[try http://www.rsyslog.com/e/2066 ]
First, make sure that the module actually exists by running ls against the path in the error, such as
ls -la /usr/lib/rsyslog/lmnsd_gtls.so
Next, ensure that the user which runs rsyslog has permission to read logit.io's CA certificate (in the instructions above, /etc/certs/syslog/keys/ca.d/root.logit.io.crt). On many distributions, rsyslog starts as root and then drops to an unprivileged user. In that case, run
chmod 644 /etc/certs/syslog/keys/ca.d/root.logit.io.crt
to let all users read the certificate file.
Finally, this error may appear if you are using $ModLoad lmnsd_gtls to explicitly load the TLS module, and that configuration option occurs before $DefaultNetstreamDriverCAFile has been defined. Explicitly loading the module is rarely required and the configuration above does not use it. We recommend removing the $ModLoad lmnsd_gtls option and relying on autoloading. If your lmnsd_gtls module does need to be loaded explicitly, for example because it is in a non-default location, move the $DefaultNetstreamDriverCAFile config line above the $ModLoad line.
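The notes above (use @@ for TCP) and the troubleshooting steps (CA file readable by the rsyslog user, $ModLoad lmnsd_gtls ordered after $DefaultNetstreamDriverCAFile) can be checked mechanically before restarting the service. The following script is an added example, not part of the Logit.io integration; the function name check_rsyslog_conf and its output format are my own, and it assumes a grep that supports -E, -q and -n (GNU grep, or /usr/xpg4/bin/grep on Solaris).

```shell
#!/bin/sh
# Lint an rsyslog.conf for the pitfalls described in the notes and
# troubleshooting sections. Hypothetical helper, not Logit.io's code.
# Usage: check_rsyslog_conf /etc/rsyslog.conf [path-to-ca-file]
# Prints one WARN line per finding; returns 0 when clean, 1 otherwise.
check_rsyslog_conf() {
    conf=$1
    cafile=$2
    rc=0

    # A single @ selects UDP; TLS via the gtls stream driver needs TCP (@@).
    # Comment lines (leading #) are ignored.
    if grep -Eq '^[^#]*[[:space:]]@[^@]' "$conf"; then
        echo "WARN: forwarding rule uses a single @ (UDP); use @@ so TCP is used"
        rc=1
    fi

    # An explicit $ModLoad lmnsd_gtls placed before $DefaultNetstreamDriverCAFile
    # (or with no CA file line at all) produces the "could not load module" error.
    modline=$(grep -En '^[[:space:]]*\$ModLoad[[:space:]]+lmnsd_gtls' "$conf" | head -n 1 | cut -d: -f1)
    caline=$(grep -En '^[[:space:]]*\$DefaultNetstreamDriverCAFile[[:space:]]' "$conf" | head -n 1 | cut -d: -f1)
    if [ -n "$modline" ] && { [ -z "$caline" ] || [ "$modline" -lt "$caline" ]; }; then
        echo "WARN: \$ModLoad lmnsd_gtls on line $modline precedes \$DefaultNetstreamDriverCAFile; remove it or move the CA line above it"
        rc=1
    fi

    # rsyslog usually drops privileges after start, so the CA file must be
    # readable by the unprivileged user; the 8th column of ls -l is the
    # "other read" bit, which chmod 644 sets.
    if [ -n "$cafile" ]; then
        if [ ! -f "$cafile" ]; then
            echo "WARN: CA file $cafile does not exist"
            rc=1
        elif [ "$(ls -ld "$cafile" | cut -c8)" != "r" ]; then
            echo "WARN: CA file $cafile is not readable by others; run chmod 644 on it"
            rc=1
        fi
    fi
    return $rc
}

# Run against the arguments when executed directly as a script.
if [ $# -gt 0 ]; then
    check_rsyslog_conf "$@"
fi
```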
Check Logit.io for your logs
Data should now have been sent to your Stack.
If you don't see any data, take a look at "How to diagnose no data in Stack" below for how to diagnose common issues.
How to diagnose no data in Stack
If you don't see data appearing in your stack after following this integration, take a look at the troubleshooting guide for steps to diagnose and resolve the problem or contact our support team and we'll be happy to assist.
Solaris Logs Overview
Solaris is a Unix-based OS. It is primarily used by enterprise-level businesses as it is highly scalable and supports the majority of commercially available commodity hardware (including HP and Dell).
Its enterprise server extension includes support for clustering and is aimed at observing business-critical environments. The OS is also known for its high system availability, making it an ideal choice for businesses wishing to avoid outages and downtime.
Solaris logs hold a wealth of information on logon data (including failed attempts, FTP & Secure Shell activity data), user account changes, external device disk auditing & executions of Sudo commands. These can all be reported on once your data has been sent to Logstash, allowing your engineers visibility of critical threats to your operations.
Our Solaris log analysis platform can be used to review audit data in order to detect unauthorised activity and review patterns in the access histories of users on your server. Our platform also allows you to set up alerts to gain real-time insights on system events affecting the security of your devices.
If you need any further assistance with migrating your Oracle Solaris data to Logstash we're here to help you get started. Feel free to reach out by contacting our support team by visiting our dedicated Help Centre or via live chat & we'll be happy to assist.