Configure syslog to ship logs from Solaris Systems to Logstash.
Download the star.logit.io.crt CA certificate and place it in /etc/certs/syslog/keys/ca.d (or another directory of your choice; whichever path you use must also be the one referenced in the rsyslog configuration below):
sudo mkdir -p /etc/certs/syslog/keys/ca.d
sudo curl -o /etc/certs/syslog/keys/ca.d/star.logit.io.crt https://cdn.logit.io/star.logit.io.crt
rsyslog uses this CA certificate to validate the certificate presented by logit.io, so a connection to anything other than a genuine logit.io endpoint is refused. This is what prevents man-in-the-middle attacks on the log stream.
Add the following to your rsyslog configuration, replacing your-logstash-host and your-port with your Logstash endpoint. The CA file path must match where you placed the certificate above:
$DefaultNetstreamDriverCAFile /etc/certs/syslog/keys/ca.d/star.logit.io.crt
$ModLoad lmnsd_gtls
$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *.logit.io
*.* @@your-logstash-host:your-port
- If possible, run the latest minor version of rsyslog v7 or v8; older releases contain many TLS bugs.
- Make sure the host is prefixed with @@, not a single @, so that TCP is used. A single @ sends plain UDP, to which the TLS stream driver settings above are not applied, so the logs would leave the host unencrypted.
Solaris ships a default syslog daemon that may need to be disabled so it does not conflict with rsyslog. To check which system-log service is running, use the command below.
svcs system-log
STATE          STIME    FMRI
disabled       11:16:28 svc:/system/system-log:rsyslog
online         11:16:48 svc:/system/system-log:default
svcadm disable svc:/system/system-log:default
svcadm enable svc:/system/system-log:rsyslog
The same disable and enable commands can also be used to restart rsyslog after changes are made to the config file (svcadm restart on the rsyslog FMRI does this in one step).
If you receive either of the following errors
could not load module '/usr/lib/rsyslog/lmnsd_gtls.so', rsyslog error -2078 [try http://www.rsyslog.com/e/2068 ]
could not load module '/usr/lib/rsyslog/lmnsd_gtls.so', dlopen: /usr/lib/rsyslog/lmnsd_gtls.so: cannot open shared object file: No such file or directory [try http://www.rsyslog.com/e/2066 ]
First, make sure that the module actually exists by running ls against the path in the error, for example:
ls -la /usr/lib/rsyslog/lmnsd_gtls.so
Next, ensure that the user rsyslog runs as has permission to read logit.io's CA certificate (in the instructions above, /etc/certs/syslog/keys/ca.d/star.logit.io.crt). On many distributions rsyslog starts as root and then drops privileges to an unprivileged user, and it is that user which must be able to open the file. The certificate is public, so it is safe to make it world-readable:
chmod 644 /etc/certs/syslog/keys/ca.d/star.logit.io.crt
Each directory on the path must also be traversable (execute permission) by that user, otherwise the file is still unreachable even with mode 644.
Finally, this error may appear if you use $ModLoad lmnsd_gtls to explicitly load the TLS module and that line occurs before $DefaultNetstreamDriverCAFile has been defined. Explicitly loading the module is rarely required; in the configuration above it is loaded only after the CA file has been set. We recommend removing the $ModLoad lmnsd_gtls line and relying on autoloading. If your lmnsd_gtls needs to be explicitly loaded, for example because it is in a non-default location, move the $DefaultNetstreamDriverCAFile config line above the
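As an added example that is not part of this page or of Logit.io's own tooling, the following POSIX shell script checks an rsyslog configuration for the problems described in the configuration notes and in this troubleshooting section before you restart the service: a single @ instead of @@, $ModLoad lmnsd_gtls placed before $DefaultNetstreamDriverCAFile, a missing or non-world-readable CA certificate, and a missing x509/name or PermittedPeer setting. The function names, the sample configs it writes to a temporary directory and the empty file standing in for star.logit.io.crt are all constructed for the example; run it with a real config path, such as /etc/rsyslog.conf, to lint that file instead.

```shell
#!/bin/sh
# Added example, not Logit.io's code: lint an rsyslog TLS forwarding config
# for the mistakes this page calls out, before restarting rsyslog. Assumes
# POSIX sh (Solaris 11 /bin/sh is ksh93; on Solaris 10 use /usr/xpg4/bin/sh)
# and the legacy $Directive syntax shown on the page.

# Return 0 if the "other" read bit is set on $1. Uses ls -ld because stat(1)
# flags differ between Solaris and Linux, and test -r run as root reports a
# 0600 file readable even though the unprivileged rsyslog user cannot open it.
world_readable() {
    wr_mode=$(ls -ld "$1" 2>/dev/null | cut -c1-10)
    [ -n "$wr_mode" ] || return 1
    [ "$(printf '%s' "$wr_mode" | cut -c8)" = "r" ]
}

# Lint one config file. Prints each finding and returns the number of
# problems found, so 0 means all checks passed.
lint_rsyslog_tls() {
    lint_file=$1
    lint_problems=0
    # 1. The forwarder must use @@ (TCP). A single @ sends plain UDP and the
    #    TLS stream driver settings are never applied to that action.
    if grep -q '^\*\.\*[[:space:]]*@[^@]' "$lint_file"; then
        echo "PROBLEM: forwarder uses a single @ (UDP); TLS needs @@ (TCP)"
        lint_problems=$((lint_problems + 1))
    fi
    # 2. Without x509/name and a PermittedPeer the server certificate is not
    #    tied to the logit.io hostname, so any cert from the CA is accepted.
    if ! grep -q '^\$ActionSendStreamDriverAuthMode[[:space:]]*x509/name' "$lint_file"; then
        echo "PROBLEM: AuthMode is not x509/name"
        lint_problems=$((lint_problems + 1))
    fi
    if ! grep -q '^\$ActionSendStreamDriverPermittedPeer[[:space:]]' "$lint_file"; then
        echo "PROBLEM: no PermittedPeer set"
        lint_problems=$((lint_problems + 1))
    fi
    # 3. If lmnsd_gtls is loaded explicitly, the CA file must be defined
    #    first (the ordering problem behind the "could not load module" error).
    ca_line=$(grep -n '^\$DefaultNetstreamDriverCAFile' "$lint_file" | head -1 | cut -d: -f1)
    mod_line=$(grep -n '^\$ModLoad[[:space:]]*lmnsd_gtls' "$lint_file" | head -1 | cut -d: -f1)
    if [ -z "$ca_line" ]; then
        echo "PROBLEM: \$DefaultNetstreamDriverCAFile is not set"
        lint_problems=$((lint_problems + 1))
    elif [ -n "$mod_line" ] && [ "$mod_line" -lt "$ca_line" ]; then
        echo "PROBLEM: \$ModLoad lmnsd_gtls (line $mod_line) precedes \$DefaultNetstreamDriverCAFile (line $ca_line)"
        lint_problems=$((lint_problems + 1))
    fi
    # 4. The CA certificate must exist and be readable by the unprivileged
    #    user rsyslog drops to (the page's fix is chmod 644).
    ca_path=$(grep '^\$DefaultNetstreamDriverCAFile' "$lint_file" | head -1 | awk '{print $2}')
    if [ -n "$ca_path" ]; then
        if [ ! -f "$ca_path" ]; then
            echo "PROBLEM: CA file $ca_path does not exist"
            lint_problems=$((lint_problems + 1))
        elif ! world_readable "$ca_path"; then
            echo "PROBLEM: CA file $ca_path is not world-readable (try chmod 644)"
            lint_problems=$((lint_problems + 1))
        fi
    fi
    return "$lint_problems"
}

# Constructed samples (not Logit.io files): a correct config, and one with the
# two mistakes the page warns about. An empty file stands in for the CA cert.
write_samples() {
    ws_dir=$1
    : > "$ws_dir/ca.crt"
    chmod 644 "$ws_dir/ca.crt"
    cat > "$ws_dir/good.conf" <<EOF
\$DefaultNetstreamDriverCAFile $ws_dir/ca.crt
\$ModLoad lmnsd_gtls
\$ActionSendStreamDriver gtls
\$ActionSendStreamDriverMode 1
\$ActionSendStreamDriverAuthMode x509/name
\$ActionSendStreamDriverPermittedPeer *.logit.io
*.* @@your-logstash-host:your-port
EOF
    cat > "$ws_dir/bad.conf" <<EOF
\$ModLoad lmnsd_gtls
\$DefaultNetstreamDriverCAFile $ws_dir/ca.crt
\$ActionSendStreamDriver gtls
\$ActionSendStreamDriverMode 1
\$ActionSendStreamDriverAuthMode x509/name
\$ActionSendStreamDriverPermittedPeer *.logit.io
*.* @your-logstash-host:your-port
EOF
}

# Pass a real config path to lint it; with no arguments, lint the samples.
if [ $# -ge 1 ]; then
    lint_rsyslog_tls "$1"
else
    demo_dir=$(mktemp -d); write_samples "$demo_dir"
    lint_rsyslog_tls "$demo_dir/good.conf" && echo "good.conf: OK"
    lint_rsyslog_tls "$demo_dir/bad.conf" || echo "bad.conf: $? problem(s)"
    rm -rf "$demo_dir"
fi
```

Once the lint passes, the remaining check is the live handshake from the Solaris host: openssl s_client -connect your-logstash-host:your-port -CAfile /etc/certs/syslog/keys/ca.d/star.logit.io.crt should end with "Verify return code: 0 (ok)" before you enable the rsyslog service. The readability check deliberately inspects the mode bits rather than using test -r, because an administrator running the script as root would otherwise see the file as readable even when the dropped-privilege rsyslog user cannot open it.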