Cadet 1st Class

Can't get Solaris OS Logs

Hello,

Can you help me configure a Solaris OS to send logs to ArcSight Express? I have created the syslog SmartConnector, but I can't see any logs from those systems. I have confirmed connectivity and did some configuration in the Solaris syslog.conf, but it is not working. Can anyone send me an example syslog.conf configuration?

Thanks!

7 Replies

Fleet Admiral

Unfortunately there can be a number of issues that could be arising here, so I would start with the basics and work from there:

1) Confirm that the SmartConnector can talk to Express - check in the management for the connector that it is showing as "up" and that it is getting status information. If it shows as not running, there is most likely some problem with the communications.

2) Check the receipt of data to the SmartConnector - if the time is wrong, you may not be seeing the log data, or if you are, you are looking at the wrong time frame. The fastest way to look at this is to open an Active Channel and make a small change. So do the following:

     Find the "Last 5 minutes" Active Channel (Shared\All Active Channels\ArcSight Foundation\ArcSight Express)

     Drag and drop this to your own personal folder - copy it, DON'T move it

     Right-click your copied Active Channel and select Edit

     Change the setting for "Use as Timestamp" to Manager Receipt Time

     Click the Sort Fields tab and change the Sort First By to Manager Receipt Time

     Press apply and view the channel - look for Unix or Solaris logs

3) Go to the SmartConnector directly and check out what is going on. Log in to the relevant system (Express or other) and go to the connector folder. If you don't know where it is, just do a find for the "agent.log" file. Once you find it (it can be in a few locations) run a tail of it ('tail -f agent.log') and see what is going on. Warning: the logs are very verbose, so read them carefully. You are looking for the receipt of log data from the relevant source, and you can take a look at what is happening - and, more importantly, whether the data is coming in in the first place.

4) What you haven't said is what method you are using here - is it file, syslog sending, or what? It would be good to check what is going on, but the "how" is important, and it would make it easier to troubleshoot the issues with a bit more understanding of what is going on.

Cadet 1st Class

Hello Paul,

The SmartConnector is on board the ArcSight Express all-in-one appliance. I created a filter with deviceVendor=Unix and then an active channel, and nothing is coming out. I also tried to look for any log in the Last 5 minutes or Live active channel.

Absent Member.

What version of Solaris are you using? If it's version 8 or below, there would be some issues. Support for this version entails a different approach.

Cadet 1st Class

It's Solaris 10 and 11.

Fleet Admiral

Solaris logs can be collected in two main ways: Solaris BSM and the regular syslog logging capabilities.

Solaris' BSM ("Basic Security Module") is quite powerful (offering C2-level auditing) but does require a bit of configuration on the server and careful consideration regarding the auditing policy; otherwise some events will get noisy very fast -> Solaris Basic Security Mode (BSM) Auditing

If you are just after getting non-BSM logs into your SIEM, then this should be supported by the Unix syslog parser. To do that you'll need to configure the system to log, and this should help:

For this you need to pick which types of logs you want to send (e.g. auth.* to send all auth facility events, *.* to send all events), and then choose the destination to send the logs to. It sounds like this will be the IP address of your Express box:

Facility: user, kern, mail, daemon, auth, lpr, news, uucp, cron, audit, local0-7, mark, *

Level: emerg, alert, crit, err, warning, notice, info, debug, none

Here's the entry you need to add to your syslog.conf to get it to log all auth events to your Express box:

# the selector and the action are separated by a TAB (Solaris syslogd does not accept spaces here)
auth.*	@your_express_server_ip_address


and if you want to have everything that is in your /var/adm/messages:

*.err;kern.debug;daemon.notice;mail.crit	@your_express_server_ip_address

Then restart your syslog server:

# svcadm restart system-log


Some other resources on this:

solaris - How do I send all information in /var/adm/message file to a remote system? - Unix & Linux Stack Exchange

Sending syslog to remote server | Oracle Community

Solaris 10: security log enhancements for access monitoring | Luca Merello's blog

************************************************************************************


Now, assuming you've done all the above and are still seeing nothing, here are the subsequent troubleshooting steps:


  1. Verify that the Solaris box is actually sending logs by running tcpdump. You should see events leaving the Solaris box for the remote server on port 514.

    1. If no events are being sent, then you need to verify the auditing configuration.

    2. If events are being sent, then we've divided the problem space and can now focus on the Express side. Move to step 2.


  2. On your Express box, make sure you have port 514 open on your firewall, and run netstat to ensure that your SmartConnector is listening on the correct port.


  3. If all checks passed in step 2, then you likely have an issue with the parser or some blockage between the connector and the ESM (even though they are on the same system).

    1. Check the connector for caching, and check the logs.

    2. Make sure that the connector is properly registered with the Express/ESM.

    3. If still no luck, then likely the events are not parsing. Turn on 'Generate Unparsed Events' in your destination, and create an active channel that filters for all events from that connector.

More links re: BSM

Synopsis - man pages section 1M: System Administration Commands

Microsoft TechNet - How to Configure Solaris Syslog

Absent Member.

Paul,

I have a Sun Solaris version 8 server; does it need any specific tuning on the connector? Any thoughts, as I have never onboarded a Solaris before?

Cheers

Srini

Cadet 1st Class

Hello Srini,

That depends on the method of gathering the logs. If it's the syslog method, I believe that version is supported; if not, then you can do a parser override on the syslog SmartConnector.
