Sending data from Solaris using rsyslog


I want to send user audit data (logins, su and sudo usage) from our Solaris 11.4 systems to Graylog. So I installed and configured rsyslog 8.2002.0. This is working in the sense that all information is logged to log files as configured. But not all information written to the logs is sent to Graylog.

For example, there are a lot of entries in /var/log/auth.log, but they are not sent to Graylog. I do get messages with authpriv.notice and kern.warning.

I read the docs and tried a lot of things yesterday, but was not able to solve this. Does somebody have an idea what I am doing wrong? As far as I know, the `*.*` means that everything should be forwarded?

## rsyslog.conf

```
*.*  @@my-graylog-system.mycompany.corp:514;RSYSLOG_SyslogProtocol23Format

# High priority messages to the console
*.err                                    /dev/sysmsg

# Next highest priority to the messages file
*.err;kern.debug;daemon.notice;mail.crit /var/adm/messages

# Preserve traditional Solaris syslog defaults
*.alert;kern.err;daemon.err              :omusrmsg:operator
*.alert                                  :omusrmsg:root

# Log anything (except auth, cron, daemon & mail) of level info or higher.
*.info;mail.none;auth.none;cron.none     /var/log/misc.log

# kern.notice goes to a file until rsyslog learns how not to clutter
# the console.
kern.notice                              /var/log/kern.log

# Log all the auth, daemon & mail messages in one place.
auth.*                                   /var/log/auth.log
daemon.*                                 /var/log/daemon.log
mail.*                                   /var/log/mail.log

# Everybody gets emergency messages
*.emerg :omusrmsg:*
```

From what I read in the docs you need to specify the level … so in the case where you want all messages, your level should be `.info` to catch all information (except debug) and anything above (warning, err, crit, alert, emerg).

```
# Log all the auth, daemon & mail messages in one place.
auth.*                                   /var/log/auth.log
daemon.*                                 /var/log/daemon.log
mail.*                                   /var/log/mail.log
```

I am using rsyslog, not syslog.
`*` is a wildcard for all levels. I also tried it instead of `auth.*` - same result.

And I think that's not the problem, because logging to file is working. There are a lot of messages in /var/log/auth.log. But no message is sent to Graylog.
Not even with `@@my-graylog-system.mycompany.corp:514;RSYSLOG_SyslogProtocol23Format`

Solved by myself. rsyslog is doing fine, and I am dumb :frowning: :scream: :sob:

A long time ago I created a pipeline rule on the syslog stream to clean up VMware ESXi logs … this one cost me a lot of hours of research.

```
rule "syslog - drop level 6 / Informational"
when
    has_field("level") AND
    syslog_level($message.level) == "Informational"
then
    // Drops every message on the stream whose syslog severity is 6 (Informational),
    // regardless of which host sent it.
    drop_message();
end
```
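To make the two halves of this thread concrete (the reply explaining how rsyslog selector levels work, and the pipeline rule above that turned out to be the culprit), here is a small added example, written for this edit and not part of the thread, Graylog or rsyslog. It models classic `facility.level` selector matching, runs the relevant lines of the posted rsyslog.conf against three constructed sample messages, and then applies a Python mirror of the `drop level 6 / Informational` rule. The sample messages, hostnames and the `esxi_sources` scoping in the last function are assumptions for illustration; the rsyslog lines are the ones from the original post.

```python
"""Added example: trace a message through rsyslog selectors, then through a
Graylog-style drop rule. Not the thread's, rsyslog's or Graylog's own code."""

# Syslog severities as numbered in RFC 5424 (lower number = more severe).
SEVERITY = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}
# Names that Graylog's syslog_level() function returns for each number.
SYSLOG_LEVEL_NAME = {0: "Emergency", 1: "Alert", 2: "Critical", 3: "Error",
                     4: "Warning", 5: "Notice", 6: "Informational", 7: "Debug"}

# Lines taken from the rsyslog.conf in the original post (comments dropped).
RSYSLOG_CONF = """
*.*  @@my-graylog-system.mycompany.corp:514;RSYSLOG_SyslogProtocol23Format
*.err                                    /dev/sysmsg
*.info;mail.none;auth.none;cron.none     /var/log/misc.log
auth.*                                   /var/log/auth.log
"""


def selector_matches(selector, facility, severity):
    """Classic selector semantics (simplified): 'fac.level' matches that
    facility at `level` or more severe, 'fac.*' matches every level,
    'fac.none' excludes the facility, ';' joins several pairs."""
    verdict = False
    for part in selector.split(";"):
        fac, _, lvl = part.partition(".")
        if fac not in ("*", facility):
            continue
        if lvl == "none":
            return False  # an explicit .none for this facility always wins
        if lvl == "*" or SEVERITY[severity] <= SEVERITY[lvl]:
            verdict = True
    return verdict


def parse_rules(conf_text):
    """Split 'selector<whitespace>target' lines, ignoring comments/blanks."""
    rules = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector, target = line.split(None, 1)
        rules.append((selector, target))
    return rules


def rsyslog_targets(rules, facility, severity):
    """Every target (file or @@remote) whose selector matches the message."""
    return [t for sel, t in rules if selector_matches(sel, facility, severity)]


def graylog_drops(message):
    """Python mirror of the thread's pipeline rule: drop when the message has a
    'level' field and syslog_level(level) == "Informational"."""
    return "level" in message and SYSLOG_LEVEL_NAME.get(message["level"]) == "Informational"


def graylog_drops_scoped(message, esxi_sources):
    """Assumed hardening (not from the thread): the same drop, but only for the
    ESXi hosts the rule was written for, so other sources keep level 6."""
    return message.get("source") in esxi_sources and graylog_drops(message)


# Constructed sample messages; hostnames and text are made up.
SAMPLE_MESSAGES = [
    {"source": "solaris01", "facility": "auth", "severity": "info",
     "message": "sshd[1234]: Accepted publickey for alice"},
    {"source": "solaris01", "facility": "authpriv", "severity": "notice",
     "message": "su: 'su root' succeeded for alice on /dev/pts/0"},
    {"source": "solaris01", "facility": "kern", "severity": "warning",
     "message": "unix: WARNING: constructed kernel warning"},
]


def trace(rules, msg, esxi_sources=("esxi01",)):
    """Where rsyslog sends the message, and whether Graylog would drop it
    under the original rule and under the scoped variant."""
    targets = rsyslog_targets(rules, msg["facility"], msg["severity"])
    forwarded = any(t.startswith("@") for t in targets)
    graylog_msg = {"source": msg["source"], "level": SEVERITY[msg["severity"]],
                   "message": msg["message"]}
    return {
        "targets": targets,
        "forwarded": forwarded,
        "dropped_by_original_rule": forwarded and graylog_drops(graylog_msg),
        "dropped_by_scoped_rule": forwarded and graylog_drops_scoped(graylog_msg, esxi_sources),
    }


if __name__ == "__main__":
    for m in SAMPLE_MESSAGES:
        print(m["facility"] + "." + m["severity"], trace(parse_rules(RSYSLOG_CONF), m))
```

Running it shows the symptom from the first post exactly: the `auth.info` login line is matched by `*.*` and forwarded to the `@@` target (and also lands in /var/log/auth.log), but Graylog's stream-wide rule drops it because its level is 6, while the `authpriv.notice` (level 5) and `kern.warning` (level 4) messages pass through untouched. The scoped variant is one way to keep the ESXi clean-up without silently eating level-6 events from every other host that later joins the stream.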

Thanks for posting your solution, much appreciated.