How to configure rsyslog on Solaris 11.1 to send messages to a remote host using TCP
The system/rsyslog service is newly available in the Solaris 11.1 release. To send and receive messages over TCP, the rsyslog package must be installed on both the sending Solaris system (the source system) and the receiving Solaris system (the remote loghost).
The rsyslog package is not installed by default in Solaris 11.1 and later, and may need to be added. On both the source Solaris system and remote loghost system, check for the rsyslog package with:
    # pkg info system/rsyslog
    pkg: info: no packages matching the following patterns you specified are
    installed on the system.  Try specifying -r to query remotely:

            system/rsyslog
If the rsyslog package is not installed, it can be installed with:
    # pkg install system/rsyslog
               Packages to install:  3
                Services to change:  1
           Create boot environment: No
    Create backup boot environment: No

    Planning linked: 0/3 done; 1 working: zone:testzone
    Planning linked: 1/3 done; 1 working: zone:test1
    Planning linked: 2/3 done; 1 working: zone:test2
    Planning linked: 3/3 done
    DOWNLOAD                                PKGS         FILES    XFER (MB)   SPEED
    Completed                                3/3         68/68      1.5/1.5  1.5M/s

    Downloading linked: 0/3 done; 1 working: zone:testzone
    Downloading linked: 1/3 done; 1 working: zone:test1
    Downloading linked: 2/3 done; 1 working: zone:test2
    Downloading linked: 3/3 done
    PHASE                                          ITEMS
    Installing new actions                       147/147
    Updating package state database                 Done
    Updating package cache                           0/0
    Updating image state                            Done
    Creating fast lookup database                   Done
    Executing linked: 0/3 done; 1 working: zone:testzone
    Executing linked: 1/3 done; 1 working: zone:test1
    Executing linked: 2/3 done; 1 working: zone:test2
    Executing linked: 3/3 done
    Updating package cache                           1/1
Review the /etc/rsyslog.conf file which was delivered with the rsyslog package:
    # cat /etc/rsyslog.conf
    # if you experience problems, check
    # http://www.rsyslog.com/doc/troubleshoot.html for assistance

    # rsyslog v3: load input modules
    # If you do not load inputs, nothing happens!

    #$ModLoad immark        # provides --MARK-- message capability
    #$ModLoad imuxsock      # can be used for rate-limiting and flow-control
    $ModLoad imsolaris      # for Solaris kernel logging

    # High priority messages to the console
    *.err;kern.notice;auth.notice                   /dev/sysmsg

    # Next highest priority to the messages file
    *.err;kern.debug;daemon.notice;mail.crit        /var/adm/messages

    # Preserve traditional Solaris syslog defaults
    *.alert;kern.err;daemon.err                     :omusrmsg:operator
    *.alert                                         :omusrmsg:root

    # Log anything (except auth, cron, daemon & mail) of level info or higher.
    *.info;mail.none;auth.none;cron.none            -/var/log/misc.log

    # Log all the auth, daemon & mail messages in one place.
    auth.*                                          -/var/log/auth.log
    daemon.*                                        -/var/log/daemon.log
    mail.*                                          -/var/log/mail.log

    # Everybody gets emergency messages
    *.emerg                                         :omusrmsg:*

    # Remote Logging (we use TCP for reliable delivery)
    # An on-disk queue is created for this action. If the remote host is
    # down, messages are spooled to disk and sent when it is up again.
    #$WorkDirectory /var/spool/rsyslog # where to place spool files
    #$ActionQueueFileName uniqName # unique name prefix for spool files
    #$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
    #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
    #$ActionQueueType LinkedList   # run asynchronously
    #$ActionResumeRetryCount -1    # infinite retries if host is down
    # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
    #*.* @@remote-host:514

    # ######### Receiving Messages from Remote Hosts ##########
    # TCP Syslog Server:
    # provides TCP syslog reception and GSS-API
    #$ModLoad imtcp.so  # load module
    #$InputTCPServerRun 514 # start up TCP listener at port 514

    # UDP Syslog Server:
    #$ModLoad imudp.so  # provides UDP syslog reception
    #$UDPServerAddress * # listen to all IP addresses
    #$UDPServerRun 514 # start a UDP syslog server at standard port 514
Configure the source system
On the source system, add the hostname or IP of the remote loghost system to the /etc/rsyslog.conf file following the commented example in the section entitled: # Remote Logging (we use TCP for reliable delivery)
In this example, the messages will be sent to the remote host 192.65.4.61 using port 999. Make sure the port is not used for any other service:
    # Remote Logging (we use TCP for reliable delivery)
    # An on-disk queue is created for this action. If the remote host is
    # down, messages are spooled to disk and sent when it is up again.
    #$WorkDirectory /var/spool/rsyslog # where to place spool files
    #$ActionQueueFileName uniqName # unique name prefix for spool files
    #$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
    #$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
    #$ActionQueueType LinkedList   # run asynchronously
    #$ActionResumeRetryCount -1    # infinite retries if host is down
    # remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
    #*.* @@remote-host:514
    *.* @@192.65.4.61:999
Configure the remote loghost system
On the remote loghost system, configure the /etc/rsyslog.conf to listen for rsyslog over TCP using port 999 by uncommenting and changing these 2 lines:
    #$ModLoad imtcp.so  # load module
    #$InputTCPServerRun 514 # start up TCP listener at port 514
in the section entitled: TCP Syslog Server
    # ######### Receiving Messages from Remote Hosts ##########
    # TCP Syslog Server:
    # provides TCP syslog reception and GSS-API
    $ModLoad imtcp.so  # load module
    $InputTCPServerRun 999 # start up TCP listener at port 999
After modifying /etc/rsyslog.conf on both systems, restart the rsyslog service on both systems:
    # svcadm disable svc:/system/system-log:rsyslog
    # svcadm enable svc:/system/system-log:rsyslog
Verify
On the source system, test if messages are being sent to the remote loghost with the logger command:
# logger -p daemon.warn "this is a test"
Then check the /var/adm/messages file on the remote loghost for the test message:
# tail /var/adm/messages
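If the test message does not arrive, the usual causes are a line left commented out or a port mismatch between the two files. The following check is an added example, not part of the original article: it parses both edited rsyslog.conf files, confirms that the port in the source's active @@ forward action has an active imtcp listener on the loghost, and reports whether an action queue is active ahead of the forward (in the configuration above those directives stay commented, so the disk spooling described in the file's comments is not configured). The function names and embedded sample files are constructed for illustration; a POSIX awk is assumed (on Solaris, /usr/xpg4/bin/awk or nawk).

```shell
# Helper names are hypothetical; the sample files further down are constructed.
# Print host:port for each active (uncommented) TCP forward action "@@target".
forward_targets() {
    awk '!/^[ \t]*#/ && $2 ~ /^@@/ {
        t = substr($2, 3)
        if (t !~ /:[0-9]+$/) t = t ":514"   # port is optional; default is 514
        print t
    }' "$1"
}

# Print active listener ports, but only when the imtcp module is loaded.
tcp_listen_ports() {
    awk '!/^[ \t]*#/ && $1 == "$ModLoad" && $2 ~ /^imtcp(\.so)?$/ { loaded = 1 }
         !/^[ \t]*#/ && $1 == "$InputTCPServerRun" { ports = ports $2 "\n" }
         END { if (loaded) printf "%s", ports }' "$1"
}

# Succeed only if every forwarded-to port has a TCP listener on the loghost.
ports_match() {
    targets=$(forward_targets "$1")
    [ -n "$targets" ] || return 1
    for t in $targets; do
        tcp_listen_ports "$2" | grep -qx "${t##*:}" || return 1
    done
}

# Succeed only if an active $ActionQueueType precedes the first forward action.
queue_enabled() {
    awk 'BEGIN { rc = 1 }
         !/^[ \t]*#/ && $1 == "$ActionQueueType" { q = 1 }
         !/^[ \t]*#/ && $2 ~ /^@@/ { rc = !q; exit }
         END { exit rc }' "$1"
}

# Constructed sample files mirroring the edits made in this article.
SRC=$(mktemp); DST=$(mktemp)
cat > "$SRC" <<'EOF'
#$ActionQueueType LinkedList   # run asynchronously
#*.* @@remote-host:514
*.* @@192.65.4.61:999
EOF
cat > "$DST" <<'EOF'
$ModLoad imtcp.so  # load module
$InputTCPServerRun 999 # start up TCP listener at port 999
EOF

forward_targets "$SRC"
ports_match "$SRC" "$DST" && echo "sender and loghost ports agree"
queue_enabled "$SRC" || echo "note: no active action queue before the forward"
```

On real systems, copy each host's /etc/rsyslog.conf to one place and pass the two paths to ports_match instead of the sample files.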