
Syslog Configuration Issue on SUN Solaris 11

Dears,

We have enabled BSM audit on a Solaris 11 machine (client), which is configured to deliver logs through a syslog agent to our agent server. Below are the steps we followed to enable audit and syslog. In addition, there is no firewall between these two servers.

1 - Set the audit flags

root@hostname2:~# /usr/sbin/auditconfig -setflags fw,fd,fc,fm,fr,lo

user default audit flags = lo,fd,fc,fm,fw,fr(0x103b,0x103b)

2 - Daemon "auditd" is started

root@hostname2:~# ps -ef | grep audit

root  4683  4250   0 11:43:31 pts/1       0:00 grep audit

root   831     1   0 17:41:39 ?           0:00 /usr/sbin/auditd

3 - The syslog pipe is created by the following command

mkfifo /var/tmp/syspipe

root@hostname2:~# ls -lhtr /var/tmp/syspipe

prwxr-xr-x 1 root root           0 Jan  8 10:34 /var/tmp/syspipe

4 - The following line was added to the /etc/syslog.conf file

*.debug /var/tmp/syspipe

5 - Syslog daemon restarted

root@hostname2:/var/audit# pkill -HUP syslogd

root@hostname2:/var/audit# ps -ef | grep syslogd

root   806     1   0 17:41:38 ?           0:00 /usr/sbin/syslogd

root  4698  4250   0 11:47:12 pts/1       0:00 grep syslogd

6 - Files exist in the /var/audit directory.

root@hostname2:~# cd /var/audit

root@hostname2:/var/audit# ls -lhtr

total 2414

-rw-r----- 1 root root         288 Sep 26  2013 20130926135234.20130926140722.hostname2

-rw-r----- 1 root root         288 Sep 29  2013 20130926140819.20130929140715.hostname2

-rw-r----- 1 root root         563 Oct  1  2013 20131001064517.20131001083207.hostname2

-rw-r----- 1 root root         341 Oct  6  2013 20131001083333.20131006135422.hostname2

-rw-r----- 1 root root         341 Oct  7  2013 20131006203015.20131007083618.hostname2

-rw-r----- 1 root root         584 Oct 31  2013 20131007090345.20131031125843.hostname2

-rw-r----- 1 root root        1.9K Dec 29  2013 20131113072600.20131229085715.hostname2

-rw-r----- 1 root root         191 Dec 29  2013 20131229115934.20131229120424.hostname2

-rw-r----- 1 root root        1.6K Feb 17  2014 20131229120722.20140217090404.hostname2

-rw-r----- 1 root root         191 Feb 18  2014 20140217132536.20140218200735.hostname2

-rw-r----- 1 root root         838 Apr  7  2014 20140218205657.20140407070356.hostname2

-rw-r----- 1 root root         33K Jan  7 17:28 20140407070533.20150107142829.hostname2

-rw-r----- 1 root root          73 Jan  7 17:33 20150107142831.20150107143316.hostname2

-rw-r----- 1 root root         154 Jan  7 17:40 20150107143316.20150107144031.hostname2

-rw-r----- 1 root root        1.1M Jan  8 11:43 20150107144138.not_terminated.hostname2

7 - The following messages appear in the /var/adm/messages file

Jan  8 11:46:50 hostname2 syslogd: /var/tmp/syspipe - no reader

Jan  8 11:46:50 hostname2 last message repeated 1 time

Jan  8 11:46:54 hostname2 syslogd: /var/tmp/syspipe - no reader

Jan  8 11:46:54 hostname2 last message repeated 1 time

Jan  8 11:47:08 hostname2 syslogd: /var/tmp/syspipe - no reader

8 - The following files exist in the /etc/security directory; kindly have a look at them.

root@hostname2:/var/audit# cd /etc/security/

root@hostname2:/etc/security#

root@hostname2:/etc/security# ls

audit_class    audit_warn     auth_attr.d    dev            exec_attr      extra_privs    pam_policy     priv_names     prof_attr.d
audit_event    auth_attr      crypt.conf     device_policy  exec_attr.d    kmfpolicy.xml  policy.conf    prof_attr      tcsd.conf

Please help me to resolve it.

Thanks

Renjith James
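The "no reader" message in step 7 is what syslogd logs when nothing has the read end of /var/tmp/syspipe open. The following is an added example, not part of the original post, showing the check behind that message and what a reader attached to the FIFO actually consumes. It uses a constructed FIFO under a temporary directory in place of /var/tmp/syspipe and constructed sample lines in the format of the /var/adm/messages output above; Python is used so the check runs on any POSIX host.

```python
import errno
import os
import re
import shutil
import tempfile
import threading

# Solaris syslog line, e.g. "Jan  8 11:46:50 hostname2 syslogd: /var/tmp/syspipe - no reader"
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3} [ \d]\d \d\d:\d\d:\d\d) (?P<host>\S+) (?:(?P<tag>[^:\s]+): )?(?P<msg>.*)$")

def fifo_has_reader(path):
    """True if some process holds `path` open for reading. A non-blocking write-only
    open of a FIFO fails with ENXIO when nobody reads it: syslogd's "- no reader"."""
    try:
        os.close(os.open(path, os.O_WRONLY | os.O_NONBLOCK))
        return True
    except OSError as exc:
        if exc.errno != errno.ENXIO:
            raise
        return False

def parse_syslog_line(line):
    """Split a line into ts/host/tag/msg; tag is None for untagged 'last message repeated' lines."""
    m = SYSLOG_RE.match(line.rstrip("\n"))
    return m.groupdict() if m else None

def drain_fifo(path):
    """Play the reader role: open the FIFO and parse records until the writer closes it."""
    with open(path) as fifo:  # blocks until a writer (syslogd) opens the other end
        return [rec for rec in map(parse_syslog_line, fifo) if rec]

def demo():
    """Check a fresh FIFO with no reader, then attach one while a thread plays syslogd."""
    tmp = tempfile.mkdtemp()
    pipe = os.path.join(tmp, "syspipe")  # stand-in for /var/tmp/syspipe
    os.mkfifo(pipe)
    before = fifo_has_reader(pipe)  # False: nothing is reading yet
    sample = [  # constructed, in the format of the /var/adm/messages lines above
        "Jan  8 11:46:50 hostname2 syslogd: /var/tmp/syspipe - no reader",
        "Jan  8 11:46:50 hostname2 last message repeated 1 time",
        "Jan  8 11:47:08 hostname2 syslogd: /var/tmp/syspipe - no reader",
    ]
    def fake_syslogd():
        with open(pipe, "w") as out:  # blocks until the reader opens; closing gives it EOF
            out.write("\n".join(sample) + "\n")
    writer = threading.Thread(target=fake_syslogd)
    writer.start()
    records = drain_fifo(pipe)
    writer.join()
    shutil.rmtree(tmp)
    return before, records
```

Running fifo_has_reader against the real pipe on the client shows directly whether the syslog agent has it open; as long as it returns False, syslogd will keep logging "no reader" and discarding the lines.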
