Sending data from Solaris using rsyslog

Hello,

I want to send user audit data (logins, su and sudo usage) from our Solaris 11.4 systems to Graylog. So I installed and configured rsyslog 8.2002.0. This works insofar as all information is logged to log files as configured, but not all information written to the logs is sent to Graylog.

For example, there are a lot of auth.info entries in /var/log/auth.log, but they are not sent to Graylog. I do get messages with authpriv.notice and kern.warning.

I read the docs, tried a lot of things yesterday and was not able to solve this. Does somebody have an idea what I am doing wrong? As far as I know, `*.*` means that everything should be forwarded?

## rsyslog.conf

```
*.*  @@my-graylog-system.mycompany.corp:514;RSYSLOG_SyslogProtocol23Format

# High priority messages to the console
*.err                                    /dev/sysmsg

# Next highest priority to the messages file
*.err;kern.debug;daemon.notice;mail.crit /var/adm/messages

# Preserve traditional Solaris syslog defaults
*.alert;kern.err;daemon.err              :omusrmsg:operator
*.alert                                  :omusrmsg:root

# Log anything (except auth, cron, daemon & mail) of level info or higher.
*.info;mail.none;auth.none;cron.none     /var/log/misc.log

# kern.notice goes to a file until rsyslog learns how not to clutter
# the console.
kern.notice                              /var/log/kern.log

# Log all the auth, daemon & mail messages in one place.
auth.*                                   /var/log/auth.log
daemon.*                                 /var/log/daemon.log
mail.*                                   /var/log/mail.log

# Everybody gets emergency messages
*.emerg :omusrmsg:*
```

From what I read in the docs, you need to specify the level… so in the case where you want all messages, your level should be `.info` to catch all information (except debug) and anything above (warning, err, crit, alert, emerg).

```
# Log all the auth, daemon & mail messages in one place.
auth.info                                   /var/log/auth.log
daemon.info                                 /var/log/daemon.log
mail.info                                   /var/log/mail.log
```

I am using rsyslog, not syslog.
`*` is a wildcard for all levels. I also tried `auth.info` instead of `auth.*` - same result.

And I think that's not the problem, because logging to file is working. There are a lot of auth.info messages in /var/log/auth.log. But no auth.info message is sent to Graylog.
Not even with `auth.info @@my-graylog-system.mycompany.corp:514;RSYSLOG_SyslogProtocol23Format`

Solved by myself. rsyslog is doing fine, and I am dumb :frowning: :scream: :sob:

A long time ago I created a pipeline rule on the syslog stream to clean up VMware ESXi logs… this one cost me a lot of hours of research.

```
// Drops every message whose syslog severity is 6 (Informational),
// regardless of which host sent it - including Solaris auth.info.
rule "syslog - drop level 6 / Informational"
when
    has_field("level") AND
    syslog_level($message.level) == "Informational"
then
    drop_message();
end
```
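As an added illustration (not part of this thread, and not rsyslog or Graylog code), here is a small Python model of the two filtering stages involved: first the classic `facility.priority` selector matching that rsyslog applies to the posted rsyslog.conf, then the Graylog pipeline rule from the solution beside a variant scoped to the ESXi hosts it was written for. The sample messages, hostnames and the `esxi-` hostname prefix are constructed assumptions.

```python
# Added illustration (not rsyslog or Graylog code): a model of the two
# filtering stages in this thread.  Stage 1 mimics how 'facility.priority'
# selectors in rsyslog.conf pick messages; stage 2 mimics the Graylog pipeline
# rule from the solution and a narrower variant.  All messages are constructed.

# Syslog severities in RFC 5424 numeric order: 0 = emerg ... 7 = debug.
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
# Names returned by Graylog's syslog_level() for those numeric levels.
LEVEL_NAMES = ["Emergency", "Alert", "Critical", "Error",
               "Warning", "Notice", "Informational", "Debug"]


def selector_matches(selector, facility, severity):
    """True if a selector such as '*.info;mail.none;auth.none' picks a message.

    Classic syslog selector semantics: 'fac.prio' matches prio and anything
    more severe, 'fac.*' matches every level, 'fac.none' excludes the
    facility, and '*' as facility means any facility.  Terms are applied left
    to right and a later term for the same facility overrides an earlier one,
    which is how '*.info;auth.none' keeps auth messages out of misc.log.
    """
    decision = None
    for term in selector.split(";"):
        fac_spec, prio = term.strip().split(".")
        if fac_spec != "*" and facility not in fac_spec.split(","):
            continue
        if prio == "none":
            decision = False
        elif prio == "*":
            decision = True
        else:
            decision = SEVERITIES.index(severity) <= SEVERITIES.index(prio)
    return bool(decision)


# Subset of the thread's rsyslog.conf, in file order (action names shortened).
RSYSLOG_RULES = [
    ("*.*", "forward:graylog"),
    ("*.err;kern.debug;daemon.notice;mail.crit", "/var/adm/messages"),
    ("*.info;mail.none;auth.none;cron.none", "/var/log/misc.log"),
    ("auth.*", "/var/log/auth.log"),
]


def route(message):
    """Return every rsyslog action a message reaches, in config order."""
    return [action for selector, action in RSYSLOG_RULES
            if selector_matches(selector, message["facility"], message["severity"])]


def syslog_level(level):
    """Mimic Graylog's syslog_level(): numeric level -> name."""
    return LEVEL_NAMES[level]


def drop_all_informational(message):
    """The thread's rule: drop every message whose level is Informational."""
    return "level" in message and syslog_level(message["level"]) == "Informational"


def drop_esxi_informational(message):
    """Narrower variant that only touches the ESXi hosts the rule was meant for.

    Equivalent Graylog pipeline rule (the 'esxi-' hostname prefix is assumed):
        rule "syslog - drop ESXi Informational only"
        when
            has_field("level") AND
            syslog_level($message.level) == "Informational" AND
            starts_with(to_string($message.source), "esxi-")
        then
            drop_message();
        end
    """
    return drop_all_informational(message) and message["source"].startswith("esxi-")


# Constructed sample messages: facility, severity name, numeric level, source.
SAMPLE = [
    {"facility": "auth", "severity": "info", "level": 6, "source": "solaris-host-1",
     "text": "sudo: alice : TTY=pts/1 ; COMMAND=/usr/bin/id"},
    {"facility": "authpriv", "severity": "notice", "level": 5, "source": "solaris-host-1",
     "text": "su: 'su root' succeeded for alice on /dev/pts/1"},
    {"facility": "kern", "severity": "warning", "level": 4, "source": "solaris-host-1",
     "text": "WARNING: constructed kernel warning"},
    {"facility": "daemon", "severity": "info", "level": 6, "source": "esxi-01",
     "text": "Hostd: constructed ESXi chatter"},
]


def indexed_text(rule):
    """Run the samples through rsyslog forwarding, then the given Graylog rule;
    return the text of the messages that end up indexed."""
    forwarded = [m for m in SAMPLE if "forward:graylog" in route(m)]
    return [m["text"] for m in forwarded if not rule(m)]


if __name__ == "__main__":
    for m in SAMPLE:
        print(f"{m['facility']}.{m['severity']:<8} -> {route(m)}")
    print("indexed, original rule:", indexed_text(drop_all_informational))
    print("indexed, scoped rule:  ", indexed_text(drop_esxi_informational))
```

Running it shows that every sample message, including the Solaris auth.info sudo line, reaches the `forward:graylog` action under `*.*`, so rsyslog is not where the messages go missing; the unscoped rule then drops the sudo line together with the ESXi chatter, while the source-scoped variant keeps it.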

Nice.
Thanks for posting your solution, much appreciated.