Disable syslog "remote logging" under Solaris
Under Solaris, syslogd enables remote logging by default to allow for central logging, and uses port 514/udp to listen for syslog messages from remote servers. On most sites I disable this as an added preventative against DoS attacks on these servers themselves.
Unless a server is being used as a remote central logging system, Solaris best practices recommend disabling remote logging.
Checking remote logging status
To check if syslogd is listening for remote logs, we simply use the netstat command. For example:

    # netstat -aP udp | grep syslog
          *.syslog                              Idle

From the above, we see syslogd is idle, indicating that remote logging is active.
To disable remote logging, use the following steps, based on the release of Solaris within your environment.
Solaris 8
- Edit /etc/init.d/syslog and replace

      /usr/sbin/syslogd >/dev/msglog 2>&1 &

  with:

      /usr/sbin/syslogd -t >/dev/msglog 2>&1 &

  The -t option disables remote logging.
- Save the file, and restart syslogd:

      # /etc/init.d/syslog stop
      # /etc/init.d/syslog start

- (Optionally) rerun the netstat command to confirm syslogd is not listening on any port.
Solaris 9
- Edit /etc/default/syslog and change the line from:

      #LOG_FROM_REMOTE=YES

  to:

      LOG_FROM_REMOTE=NO

- Save the file, and restart syslogd:

      # /etc/init.d/syslog stop
      # /etc/init.d/syslog start
Solaris 10
- Edit /etc/default/syslog and change the line from:

      #LOG_FROM_REMOTE=YES

  to:

      LOG_FROM_REMOTE=NO

- Save the file, and restart syslogd:

      # svcadm -v restart svc:/system/system-log
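
The Solaris 9/10 edit and the netstat check above can be scripted. The following is an added example, not part of the original page: the function names are hypothetical, and the demo runs only on constructed sample data in a scratch directory.

```sh
#!/bin/sh
# Added example: helper names are hypothetical, sample data is constructed.

# set_log_from_remote_no FILE
# Idempotently force LOG_FROM_REMOTE=NO in a Solaris 9/10 style
# /etc/default/syslog: handles the commented default, an explicit YES,
# and a file with no such line. Uses a temp file instead of the
# non-portable "sed -i", and rewrites in place to keep owner and mode.
set_log_from_remote_no() {
    f=$1
    tmp="$f.tmp.$$"
    [ -f "$f" ] || return 1
    if grep '^ *#* *LOG_FROM_REMOTE=' "$f" >/dev/null 2>&1; then
        sed 's/^ *#* *LOG_FROM_REMOTE=.*/LOG_FROM_REMOTE=NO/' "$f" >"$tmp" || return 1
    else
        # awk re-terminates a last line that lacks a newline before appending
        awk '{ print } END { print "LOG_FROM_REMOTE=NO" }' "$f" >"$tmp" || return 1
    fi
    cat "$tmp" >"$f" && rm -f "$tmp"
}

# syslog_udp_listening
# Reads "netstat -aP udp" (or "netstat -anP udp") output on stdin and
# returns 0 if a local socket is bound to the syslog port, 1 otherwise.
syslog_udp_listening() {
    awk '$1 ~ /\.syslog$/ || $1 ~ /\.514$/ { hit = 1 }
         END { if (hit) exit 0; exit 1 }'
}

# Dry run on constructed data in a scratch directory; no system file is touched.
demo() {
    d=$(mktemp -d) || return 1
    printf '# syslog defaults (constructed sample)\n#LOG_FROM_REMOTE=YES\n' >"$d/syslog"
    set_log_from_remote_no "$d/syslog" && cat "$d/syslog"
    if printf '      *.syslog                Idle\n' | syslog_udp_listening; then
        echo "syslogd is still bound to 514/udp: restart it"
    fi
    rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```

On a real host the check would be fed from netstat -aP udp after the restart step for that release.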