Configuring SYSLOG on Solaris 10

1. Upgrade Solaris 10 to the latest patch release. Ensure that the cluster patch is downloaded and installed, which will make sure all the patches are installed in one go. Also read the readme document of the cluster install as the cluster might need a reboot and multiple installation attempts to complete the patch installation. Patches are available here: http://sunsolve.sun.com/show.do?target=patches/patch-access If asked for a SunSolve account, use the following: hollyaburns/starent 2. Create a directory on the Solaris box with read/write/execute permissions for all users (777) say /localdisk/st40-syslog #chmod 777 /localdisk/st40-syslog 3. Check if syslog service is running on the Solaris box by issuing the command: [dtulsani@atlantic:~$]svcs | grep system-log online 13:36:18 svc:/system/system-log:default (If you do not see any output for the above command means syslog is not installed on the system.) 4. Display the contents of the file /var/svc/manifest/system/system-log.xml and ensure that the contents match that of this file:

If the contents of both files do not match, then replace the contents of the file on the node with contents of the file attached above. While replacing the original file with this attached one, please ensure the file permissions are kept the same. 5. Edit the file /etc/syslog.conf and add the following lines to the file: local1.error /localdisk/st40-syslog local1.debug /localdisk/st40-syslog

D:\Deepak\Work\ system -log.txt

***IMPORTANT***
a. Please note that the space between local1.error and /localdisk/st40-syslog is a tab character and NOT a blank space. Ensure that while editing the file, a tab character is inserted correctly without which the logging would not take place. Same is the case between local1.debug and /localdisk/st40-syslog. b. If both the above lines are replaced by one single line as: local1.* /localdisk/st40-log

this configuration might not work.

6. Configure the STxx with syslog IPs and the relevant facility as configured in the /etc/syslog.conf file (local1, local2 etc) 7. Reload the Solaris box for the changes to take effect. After restart, you should be able to receive syslogs on the Solaris node.

Tips and Troubleshooting:

a. DO NOT KILL AND RESTART syslogd PROCESS on Solaris 10. Killing the
syslogd process DOES NOT WORK on Solaris 10. These services are managed on Solaris 10 by SMF and if there is a need to restart the syslogd process, the correct method to do that is by issuing these commands: #svcadm disable svc:/system/system-log #svcadm enable svc:/system/system-log

b. After reboot, check the /var/adm/messages file to ensure there are no error
messages related to syslog daemon. If any errors are seen related to syslod daemon, this would mean that syslog daemon is either not initialized/started or has not configured the items appearing in the error messages. Step 3 can be used to verify if syslog daemon has started correctly. If the daemon has started correctly, then please check the entries in /etc/syslog.conf file (remember the tab characters) c. All the above information has been gathered after making syslog work on Solaris 10 using trial and error methods. There are some issues which couldnt be identified but the above explained method should work without any. If the above procedures can be replaced by any other simpler methods, then please feel free to update this document with the same