Send data via Solaris to your Logstash instance provided by


Ship system log files from Solaris to Logstash

Configure syslog to ship logs from Solaris Systems to Logstash.

Step 1 - Download SSL Certificate

Download the file and place it in /etc/certs/syslog/keys/ca.d or another directory.

sudo mkdir -p /etc/certs/syslog/keys/ca.d
sudo curl -o /etc/certs/syslog/keys/ca.d/

rsyslog trusts these root CA keys to validate the key presented by, preventing man-in-the-middle attacks.

Step 2 - Locate rsyslog config


$DefaultNetstreamDriverCAFile /etc/certs/syslog/keys/ca.d/
$ModLoad lmnsd_gtls
$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *

*.* @@your-logstash-host:your-port


  • If possible, run the latest minor version of rsyslog v7 or v8. There are many TLS bugs in past versions.
  • Ensure you have @@, not a single @, in front of the host so that TCP is used. A single @ forwards over UDP.

Step 3 - Check which Solaris syslog is enabled

Solaris has a system default syslog that we may need to disable. To check which system log is running use the below command.

svcs system-log
STATE          STIME    FMRI
disabled       11:16:28 svc:/system/system-log:rsyslog
online         11:16:48 svc:/system/system-log:default

Disable system-log:default

svcadm disable svc:/system/system-log:default

Enable rsyslog

svcadm enable svc:/system/system-log:rsyslog

The above commands can also be used to restart rsyslog if changes are made to the config file.

Step 4 - Troubleshooting

If you receive either of the following errors

could not load module '/usr/lib/rsyslog/',
rsyslog error -2078 [try ]


could not load module '/usr/lib/rsyslog/', 
dlopen: /usr/lib/rsyslog/ cannot open shared object file: No such file or directory
[try ]

First, make sure that module actually exists by running ls against the path in the error, such as

ls -la /usr/lib/rsyslog/

Ensure that the user which runs rsyslog has permission to read the public key (in the instructions above, /etc/certs/syslog/keys/ca.d/). On many distributions, rsyslog starts as root and then drops to a user. In that case, run chmod 644 /etc/certs/syslog/keys/ca.d/ to let all users read the key file.

Finally, this may appear if you are using $ModLoad lmnsd_gtls to explicitly load the TLS module, and that configuration option occurs before $DefaultNetstreamDriverCAFile has been defined. Explicitly loading the module is rarely required and the configuration above does not use it. We recommend removing that $ModLoad lmnsd_gtls option and relying on autoloading. If your lmnsd_gtls needs to be explicitly loaded, for example because it is in a non-default location, move the $DefaultNetstreamDriverCAFile config line above the $ModLoad line.
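
The checks from Steps 2 and 4 (TCP forwarding with @@, a CA file every user can read, and $ModLoad lmnsd_gtls placed after $DefaultNetstreamDriverCAFile) can be scripted. The following is an added example, not part of the original instructions; the function name check_rsyslog_tls and the sample file names are assumptions.

```shell
# Added example: lint an rsyslog TLS forwarding config for the pitfalls above.
# Prints one line per finding; the exit status is the number of findings.
check_rsyslog_tls() (
    conf=$1
    problems=0
    fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

    # First line number of each directive, and the CA file path from the config.
    ca_line=$(grep -n '^\$DefaultNetstreamDriverCAFile' "$conf" | head -1 | cut -d: -f1)
    mod_line=$(grep -En '^\$ModLoad[[:space:]]+lmnsd_gtls' "$conf" | head -1 | cut -d: -f1)
    ca_file=$(awk '$1 == "$DefaultNetstreamDriverCAFile" { print $2; exit }' "$conf")

    if [ -z "$ca_line" ]; then
        fail "\$DefaultNetstreamDriverCAFile is not set"
    else
        # An explicit $ModLoad lmnsd_gtls must come after the CA file line.
        if [ -n "$mod_line" ] && [ "$mod_line" -lt "$ca_line" ]; then
            fail "\$ModLoad lmnsd_gtls (line $mod_line) precedes the CA file (line $ca_line)"
        fi
        # rsyslog may drop privileges, so the CA file needs the "other" read bit.
        if [ ! -f "$ca_file" ]; then
            fail "CA file '$ca_file' does not exist"
        elif ! ls -lL "$ca_file" | grep -q '^.......r'; then
            fail "CA file '$ca_file' is not world-readable (chmod 644)"
        fi
    fi

    grep -Eq '^\$ActionSendStreamDriverMode[[:space:]]+1' "$conf" ||
        fail "\$ActionSendStreamDriverMode is not 1, so TLS is not enforced"

    # A single @ means UDP; the TLS stream driver needs TCP (@@).
    if grep -Eq '^[^#$[:space:]][^[:space:]]*[[:space:]]+@[^@]' "$conf"; then
        fail "forwarding rule uses a single @ (UDP) instead of @@ (TCP)"
    fi
    exit "$problems"
)

# Constructed sample: UDP forwarding and $ModLoad ahead of the CA file.
demo_dir=$(mktemp -d)
: > "$demo_dir/ca.crt"; chmod 644 "$demo_dir/ca.crt"
cat > "$demo_dir/bad.conf" <<EOF
\$ModLoad lmnsd_gtls
\$DefaultNetstreamDriverCAFile $demo_dir/ca.crt
\$ActionSendStreamDriver gtls
\$ActionSendStreamDriverMode 1
*.* @your-logstash-host:your-port
EOF
check_rsyslog_tls "$demo_dir/bad.conf" || echo "findings: $?"
rm -rf "$demo_dir"
```

Run the function against the file that holds your forwarding rules before restarting rsyslog with svcadm.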
