Turning off syslogd remote logging under Solaris

Under Solaris, the syslog daemon enables remote logging by default, allowing for remote central logging, and listens on port 514/udp for syslog messages from remote servers. On most sites I have disabled this as an added precaution against DoS attacks on the server itself.

Unless a server is used as a remote central logging server, it is recommended to disable remote logging under Solaris.

Checking remote logging status

To check if your server's syslog daemon is listening for remote logs, simply type:

# netstat -aP udp | grep syslog
*.syslog                           Idle

From the example above, we see that syslog has a status of Idle, indicating that remote logging is active. To disable this, use the following steps, based on your release of the Solaris OE:

Solaris 7 and Solaris 8

Under Solaris 7 and Solaris 8, perform the following steps:

  1. Edit the syslog startup script /etc/init.d/syslog using your favourite text editor
  2. Replace the following line:
    /usr/sbin/syslogd >/dev/msglog 2>&1 &
    with:
    /usr/sbin/syslogd -t >/dev/msglog 2>&1 &
    NOTE: -t disables the remote logging in syslogd
  3. Save the file
  4. Restart the syslog daemon
    # /etc/init.d/syslog stop
    # /etc/init.d/syslog start
  5. Rerun the netstat command to confirm that syslog is not listening on any port. The command should not return any output

Solaris 9

Under Solaris 9, we simply modify the /etc/default/syslogd file to disable remote logging:

  1. Edit /etc/default/syslogd with your favorite editor
  2. Change the line from
    #LOG_FROM_REMOTE=YES
    to
    LOG_FROM_REMOTE=NO
  3. Save the file
  4. Restart syslogd
    # /etc/init.d/syslog stop
    # /etc/init.d/syslog start
  5. Rerun the netstat command to confirm that syslog is not listening on any port. The command should not return any output

Solaris 10

Under Solaris 10, we again modify the /etc/default/syslogd file but restart the service using svcadm:

  1. Edit /etc/default/syslogd with your favorite editor
  2. Change the line from:
    #LOG_FROM_REMOTE=YES
    to:
    LOG_FROM_REMOTE=NO
  3. Save the file
  4. Restart syslogd
    # svcadm -v restart svc:/system/system-log
  5. Rerun the netstat command to confirm that syslog is not listening on any port. The command should not return any output
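
The Solaris 9 and 10 procedure can be audited by checking both the config file and the netstat output, which also catches a host where the file was edited but syslogd was never restarted. This is an added example, not part of the original article; the function names are hypothetical and the sample files are constructed.

```shell
#!/bin/sh
# Added example: audit whether syslogd still accepts remote messages.
# Works on captured text, so it can be exercised away from the Solaris host.

# Print the effective LOG_FROM_REMOTE value from a copy of /etc/default/syslogd.
# Commented-out lines do not count; with no active line the default applies,
# which the article describes as remote logging enabled (reported as YES).
effective_setting() {
    val=$(sed -n 's/^[[:space:]]*LOG_FROM_REMOTE=\([A-Za-z]*\).*$/\1/p' "$1" | tail -1)
    echo "${val:-YES}"
}

# Succeed if saved `netstat -aP udp` output shows a syslog listener.
# The local address is the first column: *.syslog, or *.514 in numeric form.
has_syslog_listener() {
    awk '$1 ~ /\.(syslog|514)$/ { found = 1 } END { exit !found }' "$1"
}

# Combine both checks. Assumption: only the literal value NO counts as disabled.
audit_syslogd() {
    conf=$1 netstat_out=$2 rc=0
    if [ "$(effective_setting "$conf")" != "NO" ]; then
        echo "FAIL: LOG_FROM_REMOTE is not set to NO in $conf"; rc=1
    fi
    if has_syslog_listener "$netstat_out"; then
        echo "FAIL: syslogd is still bound to 514/udp (restart pending?)"; rc=1
    fi
    [ "$rc" -eq 0 ] && echo "OK: remote logging is disabled"
    return "$rc"
}

# Constructed sample data: default and edited config, plus the netstat line
# shown in the article and an empty capture (what step 5 expects).
tmp=$(mktemp -d)
trap 'rm -rf "$tmp"' EXIT
printf '#LOG_FROM_REMOTE=YES\n' > "$tmp/default.conf"
printf 'LOG_FROM_REMOTE=NO\n' > "$tmp/hardened.conf"
printf '      *.syslog                           Idle\n' > "$tmp/listening.txt"
: > "$tmp/quiet.txt"

audit_syslogd "$tmp/default.conf" "$tmp/listening.txt" || true   # untouched host
audit_syslogd "$tmp/hardened.conf" "$tmp/listening.txt" || true  # edited, not restarted
audit_syslogd "$tmp/hardened.conf" "$tmp/quiet.txt"              # procedure complete
```

On a live host, pass the real /etc/default/syslogd and a file holding the output of the netstat command from the check above.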