User's Manual

Solaris 9 Security CX-310-301 28
access to your system. However, if you configure syslog to send its messages to one or more central
logging servers as well, the intruder must also compromise each of those servers to cover their tracks,
which is far more difficult, if not impossible, so your evidence is preserved.
TIP: On any central logging servers, disable ALL services except syslog on UDP port 514. This prohibits
ANY access to the servers other than the logging messages. Also, configure more than one logging server
to avoid having a single point of failure. Bear in mind that classic syslog over UDP is neither
authenticated nor encrypted, so also restrict which hosts can reach port 514 (with a packet filter or by
placing the logging servers on a trusted network segment); otherwise anyone on the network can inject
forged messages or flood the servers.
To log centrally, you need to do two things:
1. For each logging server, add an entry to /etc/inet/hosts so that its name resolves without depending
on DNS, and append the alias loghost to each entry
2. Add an extra entry for each category/priority to be logged to these servers, with the action column
being @hostname, where hostname is the name of a central logging server (one entry per server)
So, taking the first two entries from the sample /etc/syslog.conf and logging them centrally to servers
named bill and ben as well as locally, the resulting configuration entries would look like this (the
selector and action fields are separated by a TAB, not spaces):
*.err;kern.notice;auth.notice /dev/sysmsg
*.err;kern.notice;auth.notice @bill
*.err;kern.notice;auth.notice @ben
*.err;kern.debug;daemon.notice;mail.crit /var/adm/messages
*.err;kern.debug;daemon.notice;mail.crit @bill
*.err;kern.debug;daemon.notice;mail.crit @ben
Using Multiple Files
Instead of having most of the messages written to /var/adm/messages, you can specify different files
to log different messages. This makes the configuration slightly more complex, but it should be easier
to manage and easier to find specific messages. To log all authorization messages, for example, to a file
named /var/log/authlog, you could add the following entry to /etc/syslog.conf:
auth.* /var/log/authlog
Note that TABS must be used to separate the fields. Note also that syslogd does not create log files: the
file must already exist (create it with touch /var/log/authlog and give it restrictive permissions) or the
entry will not log anything.
Remember to make the syslog daemon re-read its configuration file after making changes by executing:
# pkill -HUP syslogd
You can then confirm the new entry works by generating a test message with logger -p auth.notice "test"
and checking that it appears in /var/log/authlog (and on the central logging servers, if configured).
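The following script is an added example, not part of the manual or of Solaris itself. It builds the central-logging entries shown above from the manual's two sample lines for the servers bill and ben, writing a real TAB between selector and action, and then performs the two checks that catch the most common syslog.conf mistakes: fields separated by spaces instead of TABs, and file actions whose file has not been created. The sample configuration lines are constructed from the manual's example; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the manual): generate and sanity-check
# central-logging entries for /etc/syslog.conf.
# On Solaris 9 run the awk parts with /usr/bin/nawk rather than the old
# /usr/bin/awk, which lacks -v.

# base_conf: the manual's two sample entries, constructed here with a real
# TAB between selector and action (syslogd requires TABs, not spaces).
base_conf() {
    printf '%s\t%s\n' '*.err;kern.notice;auth.notice' '/dev/sysmsg'
    printf '%s\t%s\n' '*.err;kern.debug;daemon.notice;mail.crit' '/var/adm/messages'
}

# add_loghosts HOST...: read selector<TAB>action lines on stdin, echo each
# entry, then one "selector<TAB>@HOST" copy per central log server, so the
# same messages are kept locally and forwarded to every server.
add_loghosts() {
    awk -F'\t+' -v hosts="$*" '
        BEGIN { n = split(hosts, h, " ") }
        /^[ \t]*(#|$)/ { print; next }          # keep comments and blank lines
        {
            print
            for (i = 1; i <= n; i++) printf "%s\t@%s\n", $1, h[i]
        }'
}

# check_tabs: exit 1 and name every plain entry that is not exactly
# "selector<TAB>action". Lines using the m4 ifdef() form found in the
# stock Solaris syslog.conf are skipped, since they legitimately contain
# spaces.
check_tabs() {
    awk -F'\t+' '
        /^[ \t]*(#|$)/ || /ifdef\(/ || /^\)/ { next }
        NF != 2 || $0 ~ / / {
            printf "line %d: not TAB-separated: %s\n", NR, $0
            bad = 1
        }
        END { exit bad }'
}

# missing_targets: print each file action whose file does not exist.
# syslogd does not create log files, so these must be created (touch)
# before sending SIGHUP or the entry will not log anything.
missing_targets() {
    awk -F'\t+' '!/^[ \t]*(#|$)/ && $2 ~ /^\// { print $2 }' |
    while IFS= read -r f; do
        [ -e "$f" ] || printf '%s\n' "$f"
    done
}

# Usage: the servers bill and ben come from the manual's example.
# base_conf | add_loghosts bill ben | tee /tmp/syslog.conf.new | check_tabs
# missing_targets < /tmp/syslog.conf.new
```

Run the generated lines through check_tabs before merging them into /etc/syslog.conf, and create any file that missing_targets reports before sending SIGHUP to syslogd; the file check is for the file actions only, since @host and /dev/sysmsg targets are not regular log files.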