LinuxQuestions.org
Old 10-31-2011, 05:45 AM   #1
harshaabba
Member
 
Registered: Aug 2009
Posts: 73

Rep: Reputation: -14
Direct syslog messages from solaris 10...plz...help...


hi

I want to direct my syslog messages (from all routers and switches) to the remote machine. Currently I store them in a /logs/cis file using a Solaris 10 server.

cat /logs/cis

Oct 31 16:01:52 [10.XX.XXX.2.99.245] 30219: 4d00h: %LINK-3-UPDOWN: Interface FastEthernet0/15, changed state to down
Oct 31 16:01:55 [10.XX.XXX.2.13.180] 331: Oct 31 10:31:54.919: %LINK-3-UPDOWN: Interface Cellular0/0/0, changed state to up
Oct 31 16:01:55 [10.XX.XXX.2.213.180] 331: Oct 31 10:31:54.919: %LINK-3-UPDOWN: Interface Cellular0/0/0, changed state to up
Oct 31 16:01:57 [10.XX.XXX.2.199.245] 30220: 4d00h: %LINK-3-UPDOWN: Interface FastEthernet0/15, changed state to up
Oct 31 16:01:57 [10.XX.XXX.2.199.245] 30220: 4d00h: %LINK-3-UPDOWN: Interface FastEthernet0/15, changed state to up



My requirement is to direct these logs to a remote syslog server (which is used as a backup for syslog messages).

cat /etc/syslog.conf

local7.err /logs/cis
local7.warn /logs/cis
auth.debug /logs/cis

auth.debug ifdef(`LOGHOST', /var/log/authlog, @remotelog
)


cat /etc/hosts

XXX.XX.XX.XX <Remote syslog server name> remotelog


But still I cannot receive the logs from my remote machine. How can I achieve this? Please be kind enough to reply to me.

Thanks.
 
Old 10-31-2011, 06:37 AM   #2
harshaabba
Member
 
Registered: Aug 2009
Posts: 73

Original Poster
Rep: Reputation: -14
syslog in solaris10

hi all,

I want to log all the authentication successful and failure messages to my syslog server. I received the authentication failure messages.

Oct 31 17:02:05 [10.XX.XXX.1.204.75] 22: Oct 31 11:32:04.607: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 10.XX.XX.XX] [localport: 22] [Reason: Login Authentication Failed] at 17:02:04 CST Mon Oct 31 2011


But I didn't receive the authentication successful messages.

cat /etc/syslog.conf

auth.* /logs/cis

please help me to achieve this

Thanks
 
Old 10-31-2011, 10:05 AM   #3
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,757

Rep: Reputation: 7983
Quote:
Originally Posted by harshaabba View Post
hi all,
I want to log all the authentication successful and failure messages to my syslog server. I received the authentication failure messages.

Oct 31 17:02:05 [10.XX.XXX.1.204.75] 22: Oct 31 11:32:04.607: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 10.XX.XX.XX] [localport: 22] [Reason: Login Authentication Failed] at 17:02:04 CST Mon Oct 31 2011

But I didn't receive the authentication successful messages.

cat /etc/syslog.conf
auth.* /logs/cis

please help me to achieve this

Did you look at the syslog documentation for Solaris 10, or try to look up any of the how-to guides on how to do this??
http://www.softpanorama.org/Logs/syslog.shtml
 
Old 10-31-2011, 10:11 AM   #4
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,757

Rep: Reputation: 7983
Quote:
Originally Posted by harshaabba View Post
hi
I want to direct my syslog messages (from all routers and switches) to the remote machine. Currently I store them in a /logs/cis file using a Solaris 10 server.

My requirement is to direct these logs to a remote syslog server (which is used as a backup for syslog messages).

But still I cannot receive the logs from my remote machine. How can I achieve this? Please be kind enough to reply to me.

Not sure what your question is. You say you want to put all your router and switch syslog messages to one server, and say that you CURRENTLY are doing this. Then say you want to put the syslogs onto a remote server...which you said you're already doing. ??????

Do you mean that you want your current central syslog server to be mirrored?? If so, you need to check out syslog-ng for Solaris, which will give you lots of flexibility, and let you do this.
 
Old 10-31-2011, 11:00 PM   #5
harshaabba
Member
 
Registered: Aug 2009
Posts: 73

Original Poster
Rep: Reputation: -14
Quote:
Originally Posted by TB0ne View Post
Not sure what your question is. You say you want to put all your router and switch syslog messages to one server, and say that you CURRENTLY are doing this. Then say you want to put the syslogs onto a remote server...which you said you're already doing. ??????

Do you mean that you want your current central syslog server to be mirrored?? If so, you need to check out syslog-ng for Solaris, which will give you lots of flexibility, and let you do this.

Sorry for the inconvenience, I want to achieve this.

I have a Solaris 10 server which collects syslog from network devices. Now I want to direct this to another syslog server.

Oct 31 16:01:52 [10.XX.XXX.2.99.245] 30219: 4d00h: %LINK-3-UPDOWN: Interface FastEthernet0/15, changed state to down
Oct 31 16:01:55 [10.XX.XXX.2.13.180] 331: Oct 31 10:31:54.919: %LINK-3-UPDOWN: Interface Cellular0/0/0, changed state to up
Oct 31 16:01:55 [10.XX.XXX.2.213.180] 331: Oct 31 10:31:54.919: %LINK-3-UPDOWN: Interface Cellular0/0/0, changed state to up
Oct 31 16:01:57 [10.XX.XXX.2.199.245] 30220: 4d00h: %LINK-3-UPDOWN: Interface FastEthernet0/15, changed state to up
Oct 31 16:01:57 [10.XX.XXX.2.199.245] 30220: 4d00h: %LINK-3-UPDOWN: Interface FastEthernet0/15, changed state to up


I want the same thing (these messages) to appear on another syslog server. I hope you are now clear about my requirement.


Thanks
 
Old 11-01-2011, 01:10 AM   #6
harshaabba
Member
 
Registered: Aug 2009
Posts: 73

Original Poster
Rep: Reputation: -14
hi all,

I got things to work for me except for one issue. Here's the config I used in /etc/syslog.conf

local7.warn @<remote server ip>

Now I can receive the same messages from the remote syslog server except for one issue.

Here's the original message from solaris 10 - 192.168.1.1

Nov 1 11:17:18 [10.1.1.1.204.75] 58: Nov 1 05:47:17: %SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures is 11 secs, [user: ] [Source: XX.XX.XX.XX] [localport: 22] [Reason: Login Authentication Failed] [ACL: sl_def_acl] at 11:17:17 CST Tue Nov 1 2011

But in the remote syslog server the message changed slightly. The device IP (10.1.1.1) changed to the syslog server IP (192.168.1.1).

Date 11-01-2011
Time 11:17:18
Priority Local7.err
Hostname 192.168.1.1
Message 58: Nov 1 05:47:17: %SEC_LOGIN-1- etc...


But here this should not be the Solaris IP; it should be the actual device IP (10.1.1.1) which the original message contains. I want to retain the original source IP address without changing it to the forwarding IP/hostname.

Please provide me a way to achieve this.
Thanks

Last edited by harshaabba; 11-01-2011 at 05:02 AM.
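
Added example (editor's illustration, not part of the original thread): a small Python relay that reads lines in the /logs/cis format shown above, recovers the original device IP from the bracketed field, and rebuilds an RFC 3164 datagram with that IP in the HOSTNAME field. Assumptions: the bracketed field is four IP octets followed by two source-port octets, the severity is taken from the Cisco `%FACILITY-SEVERITY-MNEMONIC` tag, the facility is local7 as in the poster's syslog.conf, and all function names are hypothetical.

```python
import re
import socket

# Constructed sample, modelled on the line quoted in the post above.
SAMPLE = ("Nov 1 11:17:18 [10.1.1.1.204.75] 58: Nov 1 05:47:17: "
          "%SEC_LOGIN-1-QUIET_MODE_ON: Still timeleft for watching failures")

# Assumption: the bracketed field is a "universal address", i.e. four IP
# octets followed by two source-port octets (port = hi * 256 + lo).
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2}) +(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"\[(?P<uaddr>\d{1,3}(?:\.\d{1,3}){5})\] (?P<msg>.*)$")
# Cisco mnemonic %FACILITY-SEVERITY-MNEMONIC; severity is one digit, 0-7.
CISCO_SEV_RE = re.compile(r"%[A-Z0-9_]+-([0-7])-[A-Z0-9_]+")
LOCAL7 = 23  # facility used by the thread's syslog.conf selectors

def parse_relayed_line(line):
    """Return (timestamp, device_ip, src_port, message), or None if no match."""
    m = LINE_RE.match(line.rstrip("\n"))
    if not m:
        return None
    octets = [int(o) for o in m.group("uaddr").split(".")]
    if any(o > 255 for o in octets):
        return None
    # RFC 3164 timestamps pad a single-digit day with a space.
    ts = f"{m.group('mon')} {int(m.group('day')):2d} {m.group('time')}"
    ip = ".".join(map(str, octets[:4]))
    return ts, ip, octets[4] * 256 + octets[5], m.group("msg")

def to_rfc3164(line, default_severity=5):
    """Rebuild a datagram whose HOSTNAME field is the original device IP."""
    parsed = parse_relayed_line(line)
    if parsed is None:
        return None  # masked or malformed lines are skipped, not guessed at
    ts, ip, _port, msg = parsed
    sev = CISCO_SEV_RE.search(msg)
    pri = LOCAL7 * 8 + (int(sev.group(1)) if sev else default_severity)
    return f"<{pri}>{ts} {ip} {msg}".encode("ascii", "replace")

def forward(lines, collector, port=514):
    """Send rebuilt datagrams over UDP; return the number sent."""
    pkts = [p for p in map(to_rfc3164, lines) if p is not None]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        for pkt in pkts:
            sock.sendto(pkt, (collector, port))
    return len(pkts)
```

The collector has to be set to trust the HOSTNAME field in the message rather than the packet's source address (in syslog-ng, the `keep_hostname(yes)` option). Because UDP syslog carries no authentication, the collector should accept these datagrams only from the relay's address.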
 
Old 11-01-2011, 01:45 PM   #7
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,757

Rep: Reputation: 7983
Quote:
Originally Posted by harshaabba View Post
hi all,
I got things to work for me except for one issue. Here's the config I used in /etc/syslog.conf

local7.warn @<remote server ip>

Now I can receive the same messages from the remote syslog server except for one issue. Here's the original message from solaris 10 - 192.168.1.1 But in the remote syslog server the message changed slightly. The device IP (10.1.1.1) changed to the syslog server IP (192.168.1.1).

But here this should not be the Solaris IP; it should be the actual device IP (10.1.1.1) which the original message contains. I want to retain the original source IP address without changing it to the forwarding IP/hostname.

I did in my first reply...use syslog-ng, instead of standard syslog.

And you could also put two syslog entries in your routers/switches, too, and accomplish the same thing.
 
Old 11-01-2011, 04:35 PM   #8
Tinkster
Moderator
 
Registered: Apr 2002
Location: earth
Distribution: slackware by choice, others too :} ... android.
Posts: 23,067
Blog Entries: 11

Rep: Reputation: 928
Two closely related threads merged and moved to Solaris
 
Old 11-02-2011, 01:41 AM   #9
harshaabba
Member
 
Registered: Aug 2009
Posts: 73

Original Poster
Rep: Reputation: -14
Quote:
Originally Posted by TB0ne View Post
I did in my first reply...use syslog-ng, instead of standard syslog.

And you could also put two syslog entries in your routers/switches, too, and accomplish the same thing.

hi all,

Thanks a lot for your replies. I'm having another syslog server which runs syslog-ng. I modified the /etc/syslog-ng.conf
But still I didn't receive the logs from the remote syslog server.

source s_all {
    internal();
    unix-stream("/dev/log");
    file("/proc/kmsg" log_prefix("kernel: "));
    udp();
};
destination remote_log_server {
    udp("XX.XX.XX.XX" port(514));
};

log { source(s_all); destination(remote_log_server); };

I tested the logging by installing the Kiwi syslog server on remote_log_server. It displays an error: " I/O error occured while reading fd='13' ,error=Bad file descriptor (9)"

Thanks

Last edited by harshaabba; 11-02-2011 at 04:29 AM.
 
Old 11-02-2011, 05:12 PM   #10
TB0ne
LQ Guru
 
Registered: Jul 2003
Location: Birmingham, Alabama
Distribution: SuSE, RedHat, Slack,CentOS
Posts: 26,757

Rep: Reputation: 7983
Quote:
Originally Posted by harshaabba View Post
hi all,
Thanks a lot for your replies. I'm having another syslog server which runs syslog-ng. I modified the /etc/syslog-ng.conf
But still I didn't receive the logs from the remote syslog server.

source s_all {
    internal();
    unix-stream("/dev/log");
    file("/proc/kmsg" log_prefix("kernel: "));
    udp();
};
destination remote_log_server {
    udp("XX.XX.XX.XX" port(514));
};

log { source(s_all); destination(remote_log_server); };

I tested the logging by installing the Kiwi syslog server on remote_log_server. It displays an error: " I/O error occured while reading fd='13' ,error=Bad file descriptor (9)"

Ok...unless BOTH servers are running syslog-ng, you shouldn't expect any different behavior. Also, again, you could add a second syslog entry on your switches/routers, and that would also solve your problem.
 
  

