socklog - on Solaris
Logging on Solaris
Solaris uses a STREAMS file, usually /dev/log to route locally generated syslog messages. See the log(7d) driver manual page for more information. Starting with SunOS 5.6 (Solaris 2.5.1) the syslog(3) library contains support for "doors", a superfast and multithreaded IPC mechanism provided by the Solaris Operating Environment. Using a door file - /etc/.syslog_door up to SunOS 5.7, /var/run/syslog_door on SunOS 5.8 and later, the process listening on the syslog_door gets immediate notification upon receipt of a log message.
Format of Solaris syslog messagesStarting with Solaris 8, Sun introduced a new log message format containing so called message IDs (See syslogd(1) and msgid(1)).
[ID msgid facility.priority] Jul 9 10:13:06 u5 pseudo: [ID 129642 kern.info] pseudo-device: tod0 Jul 9 16:14:51 u5 login: [ID 644210 auth.notice] ROOT LOGIN /dev/consoleAll Solaris versions up to Solaris 7 use the well known, good old syslog messages:
Jul 10 16:24:21 u5 login: ROOT LOGIN /dev/console Jul 10 16:35:19 u5 unix: se0 is /pci@1f,0/pci@1,1/ebus@1/se@14,400000The format is configurable. The log(7d) driver configuration file is /kernel/drv/log.conf. Set the variable "msgid" to either 1 or 0, to en- or disable message ID generation. Note: you must reboot to activate the changes.
socklog does prepend the formated 'facility.priority: ' to every log message, wether messsage IDs are used or not. This makes it easier to write multilog filters. So this is how a log message processed by socklog will look like:
without message IDs:
auth.info: Jul 15 21:40:52 sshd: Accepted publickey for root from 188.8.131.52 port 36621 ssh2with message IDs enabled (default on Solaris 8 and later):
auth.info: Jul 11 14:10:53 sshd: [ID 800047 auth.info] Accepted rsa for ROOT from 184.108.40.206 port 36177I prefer the first method, because it's much less visual clutter, and I don't need message IDs anyway.
Kernel messagesSolaris has no such thing as /proc/kmesg, or /dev/kmesg. Kernel log messages are provided by the same STREAMS device (/dev/log) as normal log messages. All kernel messages are logged with a facility of "kern":
kern.info: unix: avail mem = 250077184 kern.info: unix: root nexus = Sun Ultra 5/10 UPA/PCI (UltraSPARC-IIi 360MHz) kern.info: unix: pcipsy0 at root: UPA 0x1f 0x0The kernel messages does not contain timestamps. It seems that syslog does automatically prepend timestamps to kernel messages, so I might implement this in socklog as well.
dmesg will not work any longer, since it is just a sh shell script wich prints out the last 200 lines from /var/adm/messages. If you need dmesg, you can easily write your own version :-).
Note that if message IDs are enabled, kernel log messages contain the name of the loadable module or driver instead of just "unix:".
kern.info: m64: [ID 308573 kern.info] m64#0: 1280x1024, 4M mappable, rev 4750.7c kern.info: hme: [ID 517527 kern.info] SUNW,hme0 : PCI IO 2.0 (Rev Id = c1) FoundBe sure to enable message IDs to get these.
How to compile socklog on SolarisYou'll have to decide if you wan't "door" support or not.
1. With syslog_door support
echo "gcc -O2 -Wall -DSOLARIS -DWANT_SUN_DOOR" > src/conf-cc echo "gcc -s -lsocket -lnsl -ldoor -lthread" > src/conf-ld2. Without syslog_door support
echo "gcc -O2 -Wall -DSOLARIS" > src/conf-cc echo "gcc -s -lsocket -lnsl" > src/conf-ldThen follow the standard installation instructions.
How to configure socklog for the STREAMS log driver
$ socklog-conf unix acct logacct [/rundir] [/logdir]This will create the following run script:
#!/bin/sh exec 2>&1 exec softlimit -d 2000000 -s 2000000 \ envuidgid nobody socklog sun_stream /dev/log /var/run/syslog_doorIt is possible to run multiple socklog instances, but only one socklog can listen on the door file. If another process is in charge of the door file, socklog will exit immediatly with exit code 100. Simply remove the last argument (path to door file), to start socklog without door support. This way you can run syslogd and socklog parallel, to test your socklog setup.
SupportIf you have problems, questions or suggestions regarding the Solaris support, email me: Lars Uffmann <email@example.com>, or post to the firstname.lastname@example.org mailing list.
Lars Uffmann, <email@example.com> $Id: readme.solaris.html,v 1.2 2002/07/22 07:49:50 pape Exp $