Syslogd is the daemon that continuously reads system messages and forwards them to the appropriate log
files or users, depending on the priority of the message and the system facility it
originates from. The syslogd daemon reads /etc/syslog.conf to decide how each system message
is processed and which log file it is directed to.
By default, syslogd is configured to log system messages (warnings, notices, errors)
on the same host. But sometimes, for ease of administration and troubleshooting, we might
want to configure a single host as a centralized loghost and redirect the logs from the other Solaris
machines to this one centralized host. Configuring such a setup is not difficult, and I will
explain it here.
/etc/syslog.conf
user.alert /dev/sysmsg
The left-hand part is the selector (facility.level) and the right-hand part is the action (the log destination). For
example, the entry below logs auth.emerg and kern.crit events to the
same place (in the example below, the /logme file).
which will send all debug events to the file /var/debuglog except mail.debug
events.
notice: for conditions that are not error conditions, but may
require special handling. A configuration entry with a level value of notice
must appear on a separate line.
# /usr/sbin/syslogd -d
Running syslogd in debug mode (-d) prints the parsed configuration; you will see output similar to the one below if your configuration is valid:
If you have invalid entries, you will see something like the output below:
# tail /var/adm/messages
auth.notice @loghost
or
auth.notice @gurkullogserver
Note: you need to make sure that the hostname resolves to the IP of the
centralized log server. For verification you can run the command
# ping -s loghost
Then make the necessary modifications to the syslog.conf file on the system whose messages
you want to log to the centralized host. Remember that messages forwarded to the
remote host are logged there according to how the action field is set up on the
remote system. You must restart syslogd for changes to take effect.
In case you want to set up multiple targets for the system messages:
If you want to send the authentication messages to both the loghost and the local
authlog, you can configure multiple targets using either of the formats below.
Or
auth.notice /var/log/authlog
auth.notice @loghost
You can use the same troubleshooting steps mentioned above, and in addition
you can use the snoop tool to check the syslog traffic between your Solaris
hosts and the centralized log server while running a logger command. That will tell
you whether the local syslogd is really trying to reach the centralized syslog server
or not.
#snoop udp between myserver gurkullogserver
Using device /dev/hme (promiscuous mode)
myserver -> gurkullogserver SYSLOG C port=35725 <37>May 1 10:42:33
myserver -> gurkullogserver SYSLOG C port=35725 <34>May 1 10:45:12
Example:
before:
...
*.err;kern.debug;daemon.notice;mail.crit /var/adm/messages
...
after:
...
*.err;kern.debug;daemon.notice;mail.crit /var/adm/messages
*.err;kern.debug;daemon.notice;mail.crit @jaylogserver
...
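As an added example (not code from the original article), the following Python script does offline what syslogd -d does on the host: it parses a syslog.conf, reports entries that are not TAB-separated or use unknown facility or level names, works out which actions a given facility.level message reaches (so you can see how the action field on each side will handle a forwarded message), and decodes the <37> and <34> PRI values seen in the snoop output back to facility.severity. The sample configuration is constructed from the article's entries; the host and file names in it are the article's, not real systems.

```python
import re

# Standard syslog codes (Solaris <sys/syslog.h> numbering, where cron is 15); PRI = facility * 8 + severity.
FACILITIES = {"kern": 0, "user": 1, "mail": 2, "daemon": 3, "auth": 4, "syslog": 5,
              "lpr": 6, "news": 7, "uucp": 8, "cron": 15, **{f"local{i}": 16 + i for i in range(8)}}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3, "warning": 4, "notice": 5, "info": 6, "debug": 7}
def decode_pri(pri):
    """Map a PRI value such as the <37> seen in a snoop capture back to (facility, severity)."""
    return ({v: k for k, v in FACILITIES.items()}[pri // 8],
            {v: k for k, v in SEVERITIES.items()}[pri % 8])

def parse_conf(text):
    """Return (rules, errors); a rule is ({facility: worst severity number that matches}, action)."""
    rules, errors = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "\t" not in line:  # Solaris syslogd requires a TAB between selector and action
            errors.append(f"line {lineno}: selector and action must be TAB-separated")
            continue
        selector, action = re.split(r"\t+", line, maxsplit=1)
        thresholds = {}
        for item in selector.split(";"):  # later selectors on a line override earlier ones
            facs, _, level = item.rpartition(".")
            names = list(FACILITIES) if facs == "*" else facs.split(",")
            if level not in {*SEVERITIES, "none"} or any(f not in FACILITIES for f in names):
                errors.append(f"line {lineno}: bad selector '{item}'")
                break
            for fac in names:  # a level selects that level and everything more severe
                if level == "none":  # e.g. mail.none drops mail from this line
                    thresholds.pop(fac, None)
                else:
                    thresholds[fac] = SEVERITIES[level]
        else:  # every selector on the line was valid
            rules.append((thresholds, action))
    return rules, errors

def route(rules, facility, severity):
    """Actions (files, @loghosts, users) that a facility.severity message reaches."""
    return [act for thr, act in rules if facility in thr and SEVERITIES[severity] <= thr[facility]]
# Constructed sample from the article's entries, TAB-separated as Solaris requires
# (the *.debug;mail.none line is written out from the article's description of it).
SAMPLE_CONF = "\n".join([
    "*.debug;mail.none\t/var/debuglog",
    "*.err;kern.debug;daemon.notice;mail.crit\t/var/adm/messages",
    "*.err;kern.debug;daemon.notice;mail.crit\t@jaylogserver",
    "auth.notice\t/var/log/authlog",
    "auth.notice\t@loghost",
    "auth.notice @spaces_not_tabs",  # rejected, as syslogd -d would report it
])
```

Because thresholds are applied left to right, a selector such as mail.none removes the facility from that line even after a preceding *.debug, which is why the mail.debug case returns no destinations.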
Note that the remote server must be configured to accept remote messages. If it is also a Solaris
system, that would be done with this command:
Most commonly /var/adm/messages and /var/log/syslog do not receive the same messages. To see which messages go to /var/adm/messages
and which go to /var/log/syslog, check /etc/syslog.conf.