Sun Solaris OS
The JSA DSM for Sun Solaris OS collects Syslog events from a Sun Solaris OS system.
To integrate Sun Solaris OS with JSA, complete the following steps:
-
If automatic updates are not enabled, RPMs are available for download from the Juniper Downloads. Download and install the most recent version of the following RPMs on your JSA Console:
-
DSM Common RPM
-
Sun Solaris OS DSM RPM
-
-
Configure your Sun Solaris OS system to send events to JSA. For more information, see Configuring Sun Solaris OS to Communicate with JSA.
-
If JSA does not automatically detect the log source, add a Sun Solaris OS log source on the JSA Console. For more information, seeSyslog Log Source Parameters for Sun Solaris OS.
Sun Solaris OS DSM Specifications
When you configure the Sun Solaris OS, understanding the specifications for the Sun Solaris OS DSM can help ensure a successful integration. For example, knowing what the supported version of Sun Solaris OS is before you begin can help reduce frustration during the configuration process.
The following table describes the specifications for the Sun Solaris OS DSM.
|
Specification |
Value |
|---|---|
|
Manufacturer |
Sun |
|
DSM name |
Sun Solaris OS |
|
RPM file name |
DSM-SunSolarisOS-JSA_versionbuild_number.noarch.rpm |
|
Supported version |
Sun OS 5.8, 5.9 |
|
Protocol |
Syslog |
|
Event format |
All events |
|
Automatically discovered? |
Yes |
|
Includes identity? |
Yes |
|
Includes custom properties? |
No |
Configuring Sun Solaris OS to Communicate with JSA
The Sun Solaris OS DSM for JSA records all relevant Solaris Operating System Authentication Messages events by using the Syslog protocol.
To collect events from Sun Solaris OS, you must configure syslog to forward events to JSA.
-
Log in to the Sun Solaris command-line interface (CLI).
-
Open the /etc/syslog.conf file.
To forward system authentication logs to JSA, add the following line to the file:
*.err;auth.notice;auth.info@<IP_address>Where <IP_address> is the IP address of your JSA Console or Event Collector. Use tabs instead of spaces to format the line.
Tip:Depending on your version of Sun Solaris, you might need to add more log types to the file. Contact your system administrator for more information.
-
Save and exit the file.
-
Type the following command:
kill -HUP `cat /etc/syslog.pid`
Configure a log source in JSA. For more information, see Syslog Log Source Parameters for Sun Solaris OS.
If a Linux log source is created for the Solaris System that is sending events, disable the Linux log source, and then adjust the parsing order. Ensure that the Sun Solaris OS DSM is listed first.
Syslog Log Source Parameters for Sun Solaris OS
If JSA does not automatically detect the log source, add a Sun Solaris OS log source on the JSA Console by using the Syslog protocol.
When you use the Syslog protocol, there are specific parameters that you must configure.
The following table describes the parameters that require specific values to collect Syslog events from Sun Solaris OS:
|
Parameter |
Value |
|---|---|
|
Log Source type |
Sun Solaris Operating System Authentication Messages |
|
Protocol Configuration |
Syslog |
|
Log Source Identifier |
A unique name for the log source. The Log Source Identifier can be any valid value and does not need to reference a specific server. The Log Source Identifier can be the same value as the log source Name. If you have more than one Sun Solaris OS log source that is configured, you might want to identify the first log source as solarisos1, the second log source as solarisos2, and the third log source as solarisos3. |
Sun Solaris OS Sample Event Messages
Use these sample event messages to verify a successful integration with JSA.
Due to formatting issues, paste the message format into a text editor and then remove any carriage return or line feed characters.
Sun Solaris OS Sample Messages when you use the Syslog Protocol
Sample 1: The following sample event message shows that a session to the authentication server was opened in Sun Solaris OS.
<38>Oct 6 10:35:59 sshd[16942]: [ID 800047 auth.info] Accepted keyboard-interactive for testuser from 2001:DB8:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF port 51730 ssh2
|
JSA field name |
Highlighted values in the event payload |
|---|---|
|
Event ID |
login (inferred from the event content) |
|
Source IPv6 |
2001:DB8:FFFF:FFFF:FFFF:FFFF:FFFF:FFFF |
|
Source Port |
51730 |
|
Username |
testuser |
|
Identity Username |
testuser |
|
Device Time |
Oct 6 10:35:59 (extracted from date and time fields) |
Sample 2: The following sample event message shows mail information events in Sun Solaris OS.
<38>Mar 1 17:32:05 10.10.25.2 <22>Mar 1 17:32:00 sendmail[14359]: [ID 801593 mail.info] a1AA111: to=envmgr, ctladdr=envmgr (11011/111100), delay=00:00:00, xdelay=00:00:00, mailer=abcde, pri=11111, relay=[127.0.0.1] [127.0.0.1], dsn=2.0.0, stat=Sent (a1AA111 Message accepted for delivery)
|
JSA field name |
Highlighted values in the event payload |
|---|---|
|
Event ID |
mail.info |
|
Source IP |
10.10.25.2 |
|
Destination IP |
10.10.25.2 |
|
Device Time |
Mar 1 17:32:05 (extracted from date and time fields) |