Disable syslog "remote logging" under Solaris

Under Solaris, syslogd enables remote logging by default, allowing for central logging, and listens on port 514/udp for syslog messages from remote servers. On most sites I disable this as an added preventative against DoS attacks on the servers themselves.

Unless a server is being used as a remote central logging system, Solaris best practices recommend disabling remote logging.

Checking remote logging status

To check if syslogd is listening for remote logs, we simply use the netstat command. For example:

# netstat -aP udp | grep syslog
*.syslog                           idle

From the above, we see a *.syslog UDP socket in the idle state, which indicates that syslogd is bound to the port and remote logging is active.

To disable remote logging, use the following steps, based on the release of Solaris within your environment.

Solaris 8

  • Edit /etc/init.d/syslog and replace
    /usr/sbin/syslogd >/dev/msglog 2>&1 &
    with:
    /usr/sbin/syslogd -t >/dev/msglog 2>&1 &
    The -t option disables remote logging.
  • Save the file, and restart syslogd:
    # /etc/init.d/syslog stop
    # /etc/init.d/syslog start
  • (optionally) rerun the netstat command to confirm syslogd is not listening on any port.

Solaris 9

  • Edit /etc/default/syslog and change the line from:
    #LOG_FROM_REMOTE=YES
    to
    LOG_FROM_REMOTE=NO
  • Save the file, and restart syslogd
    # /etc/init.d/syslog stop
    # /etc/init.d/syslog start

Solaris 10

  • Edit /etc/default/syslog, and change the line from:
    #LOG_FROM_REMOTE=YES
    to:
    LOG_FROM_REMOTE=NO
  • Save the file, and restart syslogd
    # svcadm -v restart svc:/system/system-log
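
Verifying the change

The following script is an added example, not part of the original procedure: it checks that the /etc/default/syslog edit for Solaris 9/10 is actually in effect (an uncommented LOG_FROM_REMOTE=NO) and that the netstat output no longer shows a syslog UDP socket. The function names and sample inputs are constructed for illustration, and the script assumes a POSIX awk (on Solaris, nawk or /usr/xpg4/bin/awk rather than the old /usr/bin/awk).

```shell
#!/bin/sh
# Added example: verification helpers for the Solaris 9/10 steps above.

# Print the effective LOG_FROM_REMOTE value (YES or NO) for a defaults file.
# Conservative assumption: report NO only when at least one uncommented
# LOG_FROM_REMOTE line exists and every such line is NO. A missing file,
# a still-commented line, or conflicting lines count as YES (the default).
effective_log_from_remote() {
    [ -r "$1" ] || { echo YES; return 0; }
    awk -F= '
        /^[ \t]*#/ { next }                       # commented lines have no effect
        $1 ~ /^[ \t]*LOG_FROM_REMOTE[ \t]*$/ {
            seen = 1
            v = toupper($2); gsub(/[ \t\r"]/, "", v)
            if (v != "NO") bad = 1
        }
        END { if (seen && !bad) print "NO"; else print "YES" }
    ' "$1"
}

# Return 0 when netstat output on stdin shows a UDP socket bound to the
# syslog port, by service name (*.syslog) or by number (*.514).
syslog_udp_bound() {
    awk '$1 ~ /\.(syslog|514)$/ { found = 1 } END { exit !found }'
}

# Demo on constructed input: the commented default line, then the edited one.
demo() {
    tmp=${TMPDIR:-/tmp}/syslog-default.$$
    printf '#LOG_FROM_REMOTE=YES\n' > "$tmp"
    echo "before edit: `effective_log_from_remote "$tmp"`"
    printf 'LOG_FROM_REMOTE=NO\n' > "$tmp"
    echo "after edit:  `effective_log_from_remote "$tmp"`"
    rm -f "$tmp"
    if printf '*.syslog      idle\n' | syslog_udp_bound; then
        echo "listener: present"
    fi
}
demo
```

On a live host, pipe the real output in with netstat -aP udp | syslog_udp_bound and run effective_log_from_remote /etc/default/syslog; after a successful change the first returns non-zero and the second prints NO.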