Connection Logging in Solaris 10 & 11 - Beginner

Excuse my ignorance as I am very new to working with Solaris.

I'm looking for documentation on how to create a network log in Solaris 10 & 11. I don't wish to edit any of the logs currently on the system. I simply want a log that will capture all incoming IP addresses and log them with a time-in and time-out. I would write a script to extract that information from an existing log, but I can find no logs on the system with the information I require.

I have found plenty of documents explaining logging for Solaris systems but none I can understand at my level of experience.

Welcome to the forum. You are in the right place.

Do you have experience of other Unix/Linux systems and are just learning Solaris?
I'm trying to judge the level of help you need.

Solaris comes with standard 'logging' much the same as other OSes, but what you are asking for in Solaris speak is 'auditing'. You are probably not finding it because you are not searching for that.

Oracle Solaris Audit Quick Start

Tell us what else you need.


You might consider netstat and some wrapping code.... if you do not want to dive down too deep. :)

Thank you, it definitely helps to search for the correct terms! So from looking online some, it seems I will need to edit a configuration file to create a new audit. I'm having some trouble understanding exactly what everything means just from the Oracle docs. Now looking for a write-up of how to add another audit. Ideally this audit would create a log that would contain the IP address connecting (incoming only), the time-in, and the time-out. From my understanding this information would be stored in binary. I can convert that to a readable format but am hoping there is a way to configure the log to be in readable text (like a tab-delimited array).

You switch audit policies on/off with auditconfig .

Ref Solaris 10: https://docs.oracle.com/cd/E19253-01/816-4557/audittask-18/index.html

Which version of Solaris are you (mainly) using??

Here's the tcpip logging availability Solaris 11:
Logging IP Addresses of All Incoming TCP Connections -
Administering TCP/IP Networks, IPMP, and IP Tunnels in Oracle(R) Solaris 11.2


Currently the main OS is Solaris 10 but I will be working exclusively in Solaris 11 come 2021.

edit:
My sysadmin is telling me all TCP would probably be more than I would want. Mainly I want to log all Telnet and SSH connections. Possibly also all FTP connections.

I have still yet to find a direct answer on how I would accomplish my goal of logging all incoming connections (ssh, telnet).

You do not need auditing.
All system access should go through PAM. The standard PAM logging is already a (wrong) comment in /etc/syslog.conf:
Activated it looks like this:

auth.info                       ifdef(`LOGHOST', /var/log/authlog, @loghost)

Caution, the big space consists of TABs!

kill -HUP or reload/restart the syslogd.

It makes sense to add a rotation to /etc/logadm.conf, for example:

authlog -C 4 -a 'pkill -HUP syslogd' /var/log/authlog

While in /etc/logadm.conf, I recommend also rotating wtmpx (for the last command):

/var/adm/wtmpx -C 12 -c -p 1m -s 10m
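Once auth.info is routed to /var/log/authlog as described in the reply above, the SSH login events can be pulled out with a short awk filter. The following is an added example, not code from the thread or from Oracle; the sample lines are constructed in Solaris syslog / OpenSSH style (the hostname, PIDs, users and addresses are made up). On Solaris 10 run it with nawk or /usr/xpg4/bin/awk, since /usr/bin/awk is the old awk.

```shell
# Added example (not from the thread): extract SSH authentication events from
# /var/log/authlog into a TAB-delimited record per event.
# Sample input is constructed; the [ID ... auth.info] prefix is the Solaris
# syslog message-ID tag, the rest is OpenSSH-style wording.
SAMPLE_AUTHLOG='Sep  6 17:00:01 sol10 sshd[4711]: [ID 800047 auth.info] Accepted publickey for farrells from 10.148.36.183 port 51234 ssh2
Sep  6 17:02:15 sol10 sshd[4720]: [ID 800047 auth.info] Failed password for invalid user admin from 198.51.100.7 port 40111 ssh2
Sep  6 17:05:40 sol10 sshd[4731]: [ID 800047 auth.info] Accepted password for mccready from 10.148.36.190 port 51300 ssh2
Sep  6 17:06:02 sol10 sshd[4731]: [ID 800047 auth.info] Received disconnect from 10.148.36.190: 11: disconnected by user
Sep  6 17:07:10 sol10 login: [ID 644210 auth.info] ROOT LOGIN /dev/console'

# ssh_auth_events: read authlog lines on stdin and print, for every sshd
# "Accepted"/"Failed" line, one TAB-delimited record:
#   timestamp  result  auth-method  user  source-address
# Failed attempts against non-existent accounts ("invalid user X") are kept,
# because those are exactly the incoming connections worth noticing.
ssh_auth_events() {
    awk '
        /sshd\[[0-9]*\]: / && /(Accepted|Failed) / {
            result = ""; method = ""; user = ""; ip = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "Accepted" || $i == "Failed") { result = $i; method = $(i + 1) }
                else if ($i == "for") { user = ($(i + 1) == "invalid") ? $(i + 3) : $(i + 1) }
                else if ($i == "from") { ip = $(i + 1) }
            }
            printf "%s %s %s\t%s\t%s\t%s\t%s\n", $1, $2, $3, result, method, user, ip
        }'
}

# Live use on a system with auth.info going to authlog:
#   ssh_auth_events < /var/log/authlog
```

Note that authlog only gives the time-in; the disconnect line carries the address but not the user, so pairing it back to a session means matching on the sshd PID in brackets. For time-in and time-out together, wtmpx via last (the next reply) is the simpler source.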

Hi,

In its simplest form the information that you require should be available from the last command; an example of the output would be:

farrells  sshd         10.148.36.183    Fri Sep  6 17:00 - 17:10  (00:09)
farrells  sshd         fbakirmflwd3.eur Fri Sep  6 16:59 - 16:59  (00:00)
farrells  sshd         fbakirmflwd3.eur Fri Sep  6 16:59 - 16:59  (00:00)
mccready  pts/139      10.148.36.190    Fri Sep  6 14:59 - 15:08  (00:09)
mccready  sshd         10.148.36.190    Fri Sep  6 14:59 - 15:08  (00:09)
e421669   pts/202      10.150.134.161   Fri Sep  6 13:28 - 17:27  (03:59)
e421669   sshd         10.150.134.161   Fri Sep  6 13:28 - 17:27  (03:59)
mccready  pts/189      10.148.36.190    Fri Sep  6 12:33 - 12:47  (00:13)
mccready  sshd         10.148.36.190    Fri Sep  6 12:33 - 12:47  (00:13)
mccready  pts/152      10.148.36.190    Fri Sep  6 11:03 - 11:09  (00:06)
mccready  sshd         10.148.36.190    Fri Sep  6 11:03 - 11:09  (00:06)
farrells  pts/76       10.148.36.183    Fri Sep  6 10:55 - 18:12  (07:17)
farrells  sshd         10.148.36.183    Fri Sep  6 10:55 - 18:12  (07:17)
farrells  pts/124      10.148.36.183    Fri Sep  6 09:43 - 18:12  (08:29)
farrells  sshd         10.148.36.183    Fri Sep  6 09:43 - 18:12  (08:29)
oracle    sshd         cathvs-dbadev    Fri Sep  6 07:04 - 07:06  (00:02)
oracle    sshd         cathvs-dbadev    Fri Sep  6 07:04 - 07:04  (00:00)

wtmp begins Fri Sep  6 07:04

You will notice a combination of hostnames and IP Addresses, this is dependent on how the DNS is configured.

Depending on how your logging is setup, you may have to filter the output as there can be more data than you require captured.

Some configuration of the services can be done using inetd and inetadm; should you require more details on this, the man utility is probably where to start.

It should be noted that these files can be very large and any operations on the files can take a significant time, particularly when searching through them and extracting data. The availability of the data may also be limited due to the log rotation policy.

Regards

Gull04

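The filtering Gull04 mentions can be done with awk, turning last output into the tab-delimited time-in/time-out log the original question asked for. This is an added example, not code from the thread; the sample input is constructed to look like Solaris last output (the users, hosts and times are made up). On Solaris 10 use nawk or /usr/xpg4/bin/awk rather than /usr/bin/awk.

```shell
# Added example (not from the thread): turn `last` output into a TAB-delimited
# log of remote sessions. Sample input is constructed, not from a real system.
SAMPLE_LAST='farrells  sshd         10.148.36.183    Fri Sep  6 17:00 - 17:10  (00:09)
mccready  pts/139      10.148.36.190    Fri Sep  6 14:59 - 15:08  (00:09)
mccready  sshd         10.148.36.190    Fri Sep  6 14:59 - 15:08  (00:09)
oracle    sshd         cathvs-dbadev    Fri Sep  6 07:04   still logged in
root      console                       Fri Sep  6 06:00 - 06:30  (00:30)

wtmp begins Fri Sep  6 07:04'

# remote_sessions LINE_PATTERN
#   Reads `last` output on stdin and prints one TAB-delimited record per
#   session whose line (2nd column) matches LINE_PATTERN and that has a
#   remote host. Local logins (no host column, e.g. console) are skipped,
#   and sessions that are "still logged in" get "still" as time-out.
#   Columns: user  line  host  date  time_in  time_out  duration
remote_sessions() {
    awk -v pat="$1" '
        # With a host present column 4 is the weekday; without one, column 3 is.
        $2 ~ pat && $4 ~ /^(Sun|Mon|Tue|Wed|Thu|Fri|Sat)$/ {
            host = $3; date = $5 " " $6; tin = $7
            if ($8 == "-") {
                tout = $9
                dur = substr($10, 2, length($10) - 2)   # strip the parentheses
            } else {
                tout = "still"; dur = "-"               # "still logged in"
            }
            printf "%s\t%s\t%s\t%s\t%s\t%s\t%s\n", $1, $2, host, date, tin, tout, dur
        }'
}

# Live use:  last | remote_sessions 'sshd'      # SSH sessions
#            last | remote_sessions '^pts/'     # telnet (and other pty) sessions
```

Filtering on the sshd line rather than on pts/ avoids the double entries visible in the output above, where each SSH login shows up once as sshd and once as its pty. Remember that last only shows what is still in wtmpx, so the logadm rotation from the earlier reply bounds how far back this reaches.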
