Send data via Solaris to your Logstash instance provided by Logit.io

Solaris

Ship system log files from Solaris to Logstash

Configure syslog to ship logs from Solaris Systems to Logstash.

Step 1 - Download SSL Certificate

Download the star.logit.io.crt file and place it in /etc/certs/syslog/keys/ca.d (or another directory of your choice; whatever path you use here must be the one referenced in Step 2)

https://cdn.logit.io/star.logit.io.crt

sudo mkdir -p /etc/certs/syslog/keys/ca.d
sudo curl -o /etc/certs/syslog/keys/ca.d/star.logit.io.crt https://cdn.logit.io/star.logit.io.crt

rsyslog uses this CA certificate to validate the certificate presented by the logit.io endpoint, so a host that cannot present a certificate chaining to it is rejected. This is what prevents man-in-the-middle attacks on the log stream.

Step 2 - Locate rsyslog config

/etc/rsyslog.conf

$DefaultNetstreamDriverCAFile /etc/certs/syslog/keys/ca.d/star.logit.io.crt
$ActionSendStreamDriver gtls
$ActionSendStreamDriverMode 1
$ActionSendStreamDriverAuthMode x509/name
$ActionSendStreamDriverPermittedPeer *.logit.io

*.* @@your-logstash-host:your-port

Notes

  • If possible, run the latest minor version of rsyslog v7 or v8; older releases contain many TLS bugs.
  • Make sure the host is prefixed with @@, not a single @. A single @ selects UDP; @@ selects TCP, which is required because TLS cannot run over UDP.

Step 3 - Check which Solaris syslog is enabled

Solaris ships its own syslogd as the default system-log service, and it must be disabled before the rsyslog instance can take over. To check which one is currently running, use the command below.

svcs system-log
STATE          STIME    FMRI
disabled       11:16:28 svc:/system/system-log:rsyslog
online         11:16:48 svc:/system/system-log:default

Disable system-log:default

svcadm disable svc:/system/system-log:default

Enable rsyslog

svcadm enable svc:/system/system-log:rsyslog

After changing the config file, apply it by restarting rsyslog: either disable and re-enable the rsyslog instance with the commands above, or run svcadm restart against the same FMRI.

Step 4 - Troubleshooting

If you receive either of the following errors:

could not load module '/usr/lib/rsyslog/lmnsd_gtls.so',
rsyslog error -2078 [try http://www.rsyslog.com/e/2068 ]

Or

could not load module '/usr/lib/rsyslog/lmnsd_gtls.so', 
dlopen: /usr/lib/rsyslog/lmnsd_gtls.so: cannot open shared object file: No such file or directory
[try http://www.rsyslog.com/e/2066 ]

First, make sure the module actually exists by running ls against the path in the error, for example:

ls -la /usr/lib/rsyslog/lmnsd_gtls.so

Ensure that the user rsyslog runs as has permission to read logit.io's CA certificate (in the instructions above, /etc/certs/syslog/keys/ca.d/star.logit.io.crt). On many distributions rsyslog starts as root and then drops privileges to an unprivileged user, so a file readable only by root fails at TLS setup time. In that case, run chmod 644 /etc/certs/syslog/keys/ca.d/star.logit.io.crt to make the certificate readable by all users; it contains no secret, so this is safe.

Finally, this error can appear if you load the TLS module explicitly with $ModLoad lmnsd_gtls and that line comes before $DefaultNetstreamDriverCAFile is defined. Explicitly loading the module is rarely required and the configuration above does not do it: we recommend removing the $ModLoad lmnsd_gtls line and relying on autoloading. If lmnsd_gtls does need to be loaded explicitly, for example because it is installed in a non-default location, place the $DefaultNetstreamDriverCAFile line above the $ModLoad line.
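The checks in Step 2 and Step 4 (TCP forwarding with @@, a declared and readable CA file, TLS mode 1 with x509/name peer verification, the $ModLoad ordering, and the presence of the gtls module) can be run before restarting the service. The script below is an added example for this page, not Logit.io's tooling; it parses a legacy-format rsyslog.conf and reports each problem it finds. The module path /usr/lib/rsyslog/lmnsd_gtls.so is the one quoted in the errors above and is optional; the demo at the bottom runs against two constructed config files in a temp directory, not a real system.

```shell
#!/bin/sh
# Pre-flight check for the rsyslog TLS forwarding config described above.
# Added example, not part of Logit.io's documentation.
#
# Usage: check_rsyslog_tls_conf /etc/rsyslog.conf [/usr/lib/rsyslog/lmnsd_gtls.so]
# Prints one FAIL line per problem and returns the number of problems (0 = OK).
check_rsyslog_tls_conf() {
    conf=$1
    module=${2:-}
    problems=0

    if [ ! -r "$conf" ]; then
        echo "FAIL: cannot read $conf"
        return 1
    fi

    # Forwarding must use @@ (TCP). A single @ selects UDP, which cannot carry TLS.
    if grep -E '^[^#]*[[:space:]]@[^@]' "$conf" >/dev/null; then
        echo "FAIL: single @ forwarding found; use @@host:port so TCP is used"
        problems=$((problems + 1))
    fi
    if ! grep -E '^[^#]*[[:space:]]@@[^[:space:]]+:[0-9]+' "$conf" >/dev/null; then
        echo "FAIL: no TCP forwarding action (@@host:port) found"
        problems=$((problems + 1))
    fi

    # The CA file must be declared and readable. rsyslog often drops privileges
    # after start, so in practice it should be world-readable (chmod 644).
    cafile=$(awk '$1 == "$DefaultNetstreamDriverCAFile" { print $2 }' "$conf" | head -n 1)
    if [ -z "$cafile" ]; then
        echo "FAIL: \$DefaultNetstreamDriverCAFile is not set"
        problems=$((problems + 1))
    elif [ ! -r "$cafile" ]; then
        echo "FAIL: CA file $cafile is missing or unreadable"
        problems=$((problems + 1))
    fi

    # TLS must be switched on and the peer certificate must be checked by name.
    grep -E '^\$ActionSendStreamDriver[[:space:]]+gtls' "$conf" >/dev/null || {
        echo "FAIL: \$ActionSendStreamDriver gtls not set"; problems=$((problems + 1)); }
    grep -E '^\$ActionSendStreamDriverMode[[:space:]]+1' "$conf" >/dev/null || {
        echo "FAIL: \$ActionSendStreamDriverMode is not 1 (TLS-only)"; problems=$((problems + 1)); }
    grep -E '^\$ActionSendStreamDriverAuthMode[[:space:]]+x509/name' "$conf" >/dev/null || {
        echo "FAIL: \$ActionSendStreamDriverAuthMode is not x509/name (peer not verified)"; problems=$((problems + 1)); }
    grep -E '^\$ActionSendStreamDriverPermittedPeer[[:space:]]+[^[:space:]]' "$conf" >/dev/null || {
        echo "FAIL: \$ActionSendStreamDriverPermittedPeer is not set"; problems=$((problems + 1)); }

    # If lmnsd_gtls is loaded explicitly, the CA file must be defined before it.
    modline=$(grep -n -E '^\$ModLoad[[:space:]]+lmnsd_gtls' "$conf" | head -n 1 | cut -d: -f1)
    caline=$(grep -n -E '^\$DefaultNetstreamDriverCAFile' "$conf" | head -n 1 | cut -d: -f1)
    if [ -n "$modline" ] && [ -n "$caline" ] && [ "$modline" -lt "$caline" ]; then
        echo "FAIL: \$ModLoad lmnsd_gtls (line $modline) precedes \$DefaultNetstreamDriverCAFile (line $caline)"
        problems=$((problems + 1))
    fi

    # Optional: confirm the TLS driver module exists where rsyslog will look for it.
    if [ -n "$module" ] && [ ! -e "$module" ]; then
        echo "FAIL: TLS module $module not found"
        problems=$((problems + 1))
    fi

    [ "$problems" -eq 0 ] && echo "OK: $conf"
    return "$problems"
}

# Writes two constructed config files into $1: good.conf mirrors Step 2 above
# (with a stand-in CA file), bad.conf has every mistake Step 4 warns about.
make_demo_confs() {
    dir=$1
    : > "$dir/ca.crt"   # stand-in for star.logit.io.crt (constructed, empty)
    cat > "$dir/good.conf" <<EOF
\$DefaultNetstreamDriverCAFile $dir/ca.crt
\$ActionSendStreamDriver gtls
\$ActionSendStreamDriverMode 1
\$ActionSendStreamDriverAuthMode x509/name
\$ActionSendStreamDriverPermittedPeer *.logit.io
*.* @@your-logstash-host:12345
EOF
    cat > "$dir/bad.conf" <<EOF
\$ModLoad lmnsd_gtls
\$DefaultNetstreamDriverCAFile $dir/missing.crt
\$ActionSendStreamDriver gtls
\$ActionSendStreamDriverMode 0
\$ActionSendStreamDriverAuthMode anon
*.* @your-logstash-host:12345
EOF
}

# Stand-alone demonstration in a temp dir; nothing under /etc is touched.
demo_dir=$(mktemp -d)
make_demo_confs "$demo_dir"
check_rsyslog_tls_conf "$demo_dir/good.conf"
check_rsyslog_tls_conf "$demo_dir/bad.conf" || echo "bad.conf: $? problem(s)"
rm -rf "$demo_dir"
```

On a real host, run it as `check_rsyslog_tls_conf /etc/rsyslog.conf /usr/lib/rsyslog/lmnsd_gtls.so` before `svcadm enable svc:/system/system-log:rsyslog`; a non-zero return means the service would start without working TLS forwarding (or not start at all). The script only understands the legacy `$Directive` syntax used on this page, not RainerScript `action(...)` blocks.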
