Configuring Log Event Source Series – Sun Solaris (7, 8, 9 & 10), Welcome to another post in the series of configuration instructions in enabling monitored systems to send system logs to a central logging server.

This configuration instruction contains the following information for configuring a Sun Solaris UNIX event source. The tested platform is based on Sun Solaris version 7, 8, 9, and 10 (Security and Authentication messages only).

To configure Sun Solaris 7, 8, & 9:

1.       Configure the Solaris syslog service to log all messages of debug level and higher to your syslog server:

1.       Open the /etc/syslog.conf file with a file editor.

2.       Add the following line, where xxx.xxx.xxx.xxx is the IP address for your logging system:

*.debug @xxx.xxx.xxx.xxx

3.       Save the file.

4.       Force the syslogd service to read the configuration file by sending it the SIGHUP signal.

2.       Allow information from the wtmp/wtmpx database files to be logged. (This allows the system to report on user logins and logouts, connection duration times, and login method, such as Telnet, FTP, rlogin, and so forth.):

1.       Create the nilogger.sh file (with execute permissions set) and add the following lines:

mv /tmp/Last10 /tmp/Last10old
last -10 > /tmp/Last10
diff /tmp/Last10old /tmp/Last10 | grep ‘>’ | logger -p auth.notice -t LAST10

2.       Create a cron job to run the nilogger.sh script every 10 minutes.

3.       Enable tracing of all TCP connections for inetd supported services:

1.       Open the /etc/init.d/inetsvc file in a file editor.

2.       Add -t to the inetd line:

/usr/sbin/inetd -s -t &

3.       Save the file.

4.       Reboot the system to restart the inetd service cleanly.

4.       Enable connection logging for FTP sessions:

1.       Open the /etc/inet/inetd.conf in a file editor.

2.       Add -d -l to the in.ftpd line:

ftp stream tcp6 nowait root /usr/sbin/in.ftpd in.ftpd -d -l

3.       Save the file.

4.       Force the inetd service to read the config file by sending it a SIGHUP signal.

5.       Solaris 7 ONLY: enable message IDs in the syslog messages.

1.       Open the /kernel/drv/log.conf file with a file editor

2.       Add msgid=1 to the logging line:

name= “log” parent= “pseudo” instance=0 msgid=1;

3.       Save the file.

4.       Stop and Start the syslogd service.

# /etc/init.d/syslog stop
# /etc/init.d/syslog start

Sun Solaris Version 10

To configure Sun Solaris:

1.       Configure the Solaris syslog service to log all messages of debug level and higher to your syslog server:

1.       Open the /etc/syslog.conf file with a file editor.

2.       Add the following line, where xxx.xxx.xxx.xxx is the address for your enVision system:

*.debug @

3.       Save the file.

4.       Force the syslogd service to read the configuration file by sending it the SIGHUPsignal.

2.       Allow information from the wtmp/wtmpx database files to be logged (This allows the system to report on user logins and logouts, connection duration times, and login method, such as Telnet, FTP, rlogin, and so forth.):

1.       Create the nilogger.sh file (with execute permissions set) and add the following lines:

mv /tmp/Last10 /tmp/Last10old
last -10 > /tmp/Last10
diff /tmp/Last10old /tmp/Last10 | grep ‘;>’ | logger -p auth.notice -t LAST10

2.       Create a cron job to run the nilogger.sh script every 10 minutes.

3.       Enable tracing of all TCP connections for inetd supported services:

1.       Become superuser or assume a role that includes the Service Management rights profile.

2.       Change the default value of the inetd tcp_trace property to true:

# inetadm –M tcp_trace=true
3.       Verify that the change has been made:

# inetadm -p
NAME=VALUE
bind_addr=””
bind_fail_max=-1
bind_fail_interval=-1
max_con_rate=-1
max_copies=-1
con_rate_offline=-1
failrate_cnt=40
failrate_interval=60
inherit_env=TRUE
tcp_trace=TRUE
tcp_wrappers=FALSE

4.       Enable connection logging for FTP sessions:

1.       Become superuser or assume a role that includes the Service Management rights profile.

2.       Add –l to the exec property of the FTP service:

# inetadm –m svc:/network/ftp:default exec=”/usr/sbin/in.ftpd –a –l”
3.       Verify that the property has changed:

# inetadm -l svc:/network/ftp:default
SCOPE NAME=VALUE

name=”ftp”
endpoint_type=”stream”
proto=”tcp6″
isrpc=FALSE
wait=FALSE
exec=”/usr/sbin/in.ftpd -a -l”
user=”root”
default bind_addr=””
default bind_fail_max=-1

default bind_fail_interval=-1
default max_con_rate=-1
default max_copies=-1
default con_rate_offline=-1
default failrate_cnt=40
default failrate_interval=60
default inherit_env=TRUE
default tcp_trace=TRUE
default tcp_wrappers=FALSE

As always the most important part is to check if the logs are generated and sent to the log collector. Once you see the logs collected, then that is it for configuring your Solaris server.

Watch out for the next topic in our series as we list the instruction for another type of server/device.

Oscar Bravo Jr. 
CISSP, CISA, CCDP, CCNP, CCEE, CCSE, MCSE, MCITP, RSASE
Senior Consultant, Security Solutions Services