Solaris, Syslog & Syslog-ng

Recently I set up a Solaris 10 box logging to a syslog-ng loghost, using the standard Solaris syslogd on the client side.

I found loads of docs on how to build syslog-ng on Solaris, but I decided I'd rather avoid that: I don't really need any of the extra features here, and the stock syslogd can forward to a remote host on its own.


# /etc/syslog.conf  Configuration file for syslogd.
#
# NOTE: Solaris syslogd requires a TAB (not spaces) between the selector
# and the action; a line with only spaces between them is ignored. The
# file is also run through m4 before it is parsed, so avoid stray
# backquotes outside comments. A level selects that level and every
# higher priority; there is no "facility.*" level wildcard and no
# "=" / "!" modifier as on Debian, so use ".debug" where Debian uses ".*".
#
# First some standard logfiles. Log by facility.
#
auth.info	/var/log/auth.log
*.info	/var/log/syslog
daemon.info	/var/log/daemon.log
kern.info	/var/log/kern.log
lpr.info	/var/log/lpr.log
mail.info	/var/log/mail.log
user.info	/var/log/user.log
#
# cron seems to log to /var/cron/log rather than syslog, so
# /var/log/cron.log should be a symlink to that.
# cron.info	/var/log/cron.log
#
#
# Some `catch-all' logfiles.
#
*.debug;news.none;mail.none;auth.none	/var/log/debug
#
# Debian writes this as *.=info;*.=notice;*.=warn;... but Solaris has no
# "=" modifier and *.info already covers notice and warning.
*.info;auth.none;cron,daemon.none;mail,news.none	/var/log/messages
#
#
# Emergencies are sent to everybody logged in.
#
*.emerg	*
#
#
# Remote logging
# Send everything except auth.debug to the loghost. The later auth.info
# selector overrides *.debug for the auth facility. log.internal must be
# resolvable when syslogd reads this file (it is in /etc/hosts here).
#
*.debug;auth.info	@log.internal

This is the syslog.conf I ended up with. The stock Solaris one wasn't very readable, so I threw it away and started again, using the default syslog.conf from a Debian box as a basis (since we're all much more familiar with Debian, I preferred having the logs in Debian-like locations).

The biggest change I had to make was that where Debian uses a wildcard to indicate any level (e.g. `auth.*`), Solaris syslogd has no level wildcard and no `=` or `!` modifiers: you specify the lowest level to include (e.g. `auth.debug`), and that selector also matches every level of higher priority.

The last line sends the logs to our remote syslog-ng host, forwarding everything except auth.debug (that stream seemed to be VERY chatty); the `auth.info` selector later on the line overrides `*.debug` for the auth facility. log.internal is specified in /etc/hosts so that syslogd can resolve it when it reads the configuration.

This worked fairly well on the loghost. Solaris syslogd forwards over UDP (port 514), whereas we usually use TCP, but adding a `udp()` source to syslog-ng to accept these wasn't a problem (restrict that source to the known senders at the firewall, since UDP syslog carries no authentication at all). Solaris doesn't, however, put the hostname into the message, so syslog-ng falls back to the sender's IP address: you'll need to set `use_dns(yes)` (and ideally `dns_cache(yes)`) in the syslog-ng options, or make sure the loghost can resolve the senders through /etc/hosts, or you'll just get IP addresses everywhere.

The syslog.conf(4) man page is actually fairly helpful (it is also where the TAB-separated-fields and m4 preprocessing rules above come from); this one bit in particular is worth mentioning, because syslogd will not create the log files for you:

A filename, beginning with a leading slash, which indicates that messages specified by the selector are to be written to the specified file. The file is opened in append mode if it exists. If the file does not exist, logging silently fails for this action.
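Two mistakes on the Solaris side therefore fail without any error message: a line whose selector and action are separated by spaces instead of a TAB is ignored, and a file action whose file does not exist is dropped. The script below is an added example, not part of the original post or of any Solaris tool; it checks a syslog.conf for both problems and pre-creates the missing log files. The sample configuration it writes is constructed here for illustration, and the optional `root` prefix argument of `create_logfiles` is an assumption added so the script can be dry-run outside /var/log.

```shell
#!/bin/sh
# Added example (not from the original post): check a Solaris-style
# syslog.conf for the two silent failure modes the post runs into and
# create any log files that are missing.

TAB=$(printf '\t')

# Write a constructed sample config in the post's layout, with a real TAB
# between selector and action (written as \t in the printf formats).
sample_conf() {
    {
        printf '# constructed sample syslog.conf for this example\n'
        printf 'auth.info\t/var/log/auth.log\n'
        printf '*.info\t/var/log/syslog\n'
        printf 'daemon.info\t/var/log/daemon.log\n'
        printf 'kern.info\t/var/log/kern.log\n'
        printf 'lpr.info\t/var/log/lpr.log\n'
        printf 'mail.info\t/var/log/mail.log\n'
        printf 'user.info\t/var/log/user.log\n'
        printf '*.debug;news.none;mail.none;auth.none\t/var/log/debug\n'
        printf '*.info;auth.none;cron,daemon.none;mail,news.none\t/var/log/messages\n'
        printf '*.emerg\t*\n'
        printf '*.debug;auth.info\t@log.internal\n'
    } > "$1"
}

# Report every non-blank, non-comment line that has no TAB between its
# fields; Solaris syslogd ignores such lines. Returns 1 if any were found.
check_tabs() {
    rc=0
    while IFS= read -r line; do
        case $line in
            *[![:space:]]*) ;;      # line has content, keep going
            *) continue ;;          # blank line
        esac
        case $line in
            '#'*) continue ;;       # comment
            *"$TAB"*) ;;            # fields are TAB-separated, fine
            *) echo "no TAB separator: $line" >&2; rc=1 ;;
        esac
    done < "$1"
    return $rc
}

# Print the absolute file paths used as actions, one per line, sorted.
# Actions such as "*" (all users) and "@host" (remote) are skipped.
file_actions() {
    while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        action=${line##*"$TAB"}     # text after the last TAB
        action=${action%% *}        # drop anything after a trailing space
        case $action in
            /*) printf '%s\n' "$action" ;;
        esac
    done < "$1" | sort -u
}

# Create missing log files (empty, mode 640) so syslogd can append to
# them. ROOT, if given, is prefixed to every path (assumed here for dry runs).
create_logfiles() {
    conf=$1
    root=${2:-}
    file_actions "$conf" | while IFS= read -r f; do
        path=$root$f
        dir=$(dirname "$path")
        [ -d "$dir" ] || mkdir -p "$dir"
        if [ ! -e "$path" ]; then
            : > "$path"
            chmod 640 "$path"
            echo "created $path"
        fi
    done
}

# Stand-alone use on a real box, as root:  sh check_syslog.sh /etc/syslog.conf
# Afterwards restart syslogd (Solaris 10: svcadm restart system-log) and
# send a test line with logger(1) to confirm it lands in the right file.
if [ $# -gt 0 ]; then
    check_tabs "$1" || exit 1
    create_logfiles "$1"
    logger -p user.info "syslog.conf check from $(hostname)"
fi
```

The TAB check matters more than it looks: a config pasted from a web page or edited with an editor that expands tabs produces a file that syslogd accepts without complaint and then never writes to, which looks exactly like the missing-file case the man page describes.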

Posted January 29th, 2009 in Solaris.