Friday, October 1, 2010

solaris syslog and logging from remote sources

I just spent two days trying to figure out why my new server wouldn't store external logs being sent to it like the old one did. I'd forgotten an entire step that is very important.
svccfg -s svc:/system/system-log setprop config/log_from_remote = true
This tells the system log to listen on port 514. I was seeing traffic to port 514 when I snooped, the syslog configuration looked right, but I wasn't getting anything stored. Very confusing. Luckily a lot of people have written about this so googling around for a bit showed me the answer relatively quickly.

For the rest of the syslog configuration in /etc/syslog.conf I added local4.none to the /var/adm/messages line to keep anything from the external log from going there. Same with operator and root and all the others. Then added:
local4.debug[tab]/log/file/location

It's very important to remember that all those lines should be tab separated, no spaces at all.
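
Added example (not part of the original post): a small shell lint for the two mistakes that are easy to make here, a wildcard rule that still catches local4 and a space instead of a tab between selector and action. The function names and the sample lines are made up for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: lint a Solaris-style syslog.conf
# for the two pitfalls above. Function names are hypothetical.
# On Solaris 10 /usr/bin/awk is the old awk, so run with AWK=nawk there.

# lint_syslog_conf FILE [FACILITY]
# Prints LINE:CODE:detail per finding; returns non-zero if there are any.
lint_syslog_conf() {
    "${AWK:-awk}" -v fac="${2:-local4}" '
        /^[ \t]*#/ { next }     # comment
        /^[ \t]*$/ { next }     # blank line
        /^ifdef\(/ { next }     # m4 wrapper lines found in the stock file
        /^\)/      { next }
        {
            # The selector ends at the first run of whitespace.
            if (!match($0, /[ \t]+/) || RSTART + RLENGTH > length($0)) {
                printf "%d:NOACTION:selector without an action\n", NR; bad = 1; next
            }
            sel = substr($0, 1, RSTART - 1)
            sep = substr($0, RSTART, RLENGTH)
            if (sel == "" || index(sep, " ") > 0) {
                printf "%d:SPACE:selector and action must be separated by tabs only\n", NR
                bad = 1
            }
            # A wildcard facility also matches the remote facility unless
            # the selector excludes it with FACILITY.none.
            if (index(sel, "*.") > 0 && index(sel, fac ".none") == 0) {
                printf "%d:LEAK:%s also receives %s, add %s.none\n", NR, sel, fac, fac
                bad = 1
            }
        }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample: line 2 lacks local4.none, line 4 uses a space.
write_sample_conf() {
    {
        printf '# constructed sample, not a real configuration\n'
        printf '*.err;kern.debug;daemon.notice;mail.crit\t/var/adm/messages\n'
        printf '*.alert;kern.err;daemon.err;local4.none\toperator\n'
        printf 'local4.debug /log/file/location\n'
        printf 'local4.debug\t/log/file/location\n'
    } > "$1"
}

sample=$(mktemp) && write_sample_conf "$sample"
lint_syslog_conf "$sample" || echo "syslog.conf has the findings listed above"
rm -f "$sample"
```

Run against the real file with `lint_syslog_conf /etc/syslog.conf`; pass a second argument if the remote logs use a facility other than local4.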
