The messages file was over 600mb. Plenty of room on disk.

I submitted a request to have the box rebooted.

The syslog.conf file below is what's in place right now. Not sure if this is original - Splunk was installed on this box so it may have changed it.

After I backed it up, the only changes I made to this file were the 2 paths highlighted in red. Here is the original - my change was simply just a new path - with the tabs retained.

Code:

#ident  "@(#)syslog.conf        1.5     98/12/14 SMI"   /* SunOS 5.0 */
#
# Copyright (c) 1991-1998 by Sun Microsystems, Inc.
# All rights reserved.
#
# syslog configuration file.
#
# This file is processed by m4 so be careful to quote (`') names
# that match m4 reserved words.  Also, within ifdef's, arguments
# containing commas must be quoted.
#
*.err;kern.notice;auth.notice                   /dev/sysmsg
*.err;kern.debug;daemon.notice;mail.crit        /var/adm/messages
*.alert;kern.err;daemon.err                     operator
*.alert                                         root
*.emerg                                         *
# if a non-loghost machine chooses to have authentication messages
# sent to the loghost machine, un-comment out the following line:
#auth.notice                    ifdef(`LOGHOST', /var/log/authlog, @loghost)
mail.debug                      ifdef(`LOGHOST', /var/log/syslog, @loghost)
#
# non-loghost machines will use the following lines to cause "user"
# log messages to be logged locally.
#
ifdef(`LOGHOST', ,
user.err                                        /dev/sysmsg
user.err                                        /var/adm/messages
user.alert                                      `root, operator'
user.emerg                                      *
)

From googling, I read that one of the correct ways to do this was to rename or copy the messages file, then restart the service which is what I did. This is one of the links I used as a guide, although there were many:

Solaris System Admin tips: /var/adm/messages

I'm sure there was some hardening done, but that would have been done before I got access to the box. SYSLOG WAS working, right up until the point where I tried to make the change.

Here are the permissions of the files in the folder:

drwxrwxr-x 5 adm adm 5 Feb 10 15:13 acct
-rw------- 1 uucp bin 0 Aug 25 2008 aculog
drwxr-xr-x 2 adm adm 2 Mar 3 2009 exacct
-r--r--r-- 1 root root 14302092 Apr 1 15:40 lastlog
drwxr-xr-x 2 adm adm 2 Mar 3 2009 log
-rw-r--r-- 1 root root 0 Mar 31 15:38 messages
-rw-r--r-- 1 root root 502826 Mar 26 03:04 messages.0
-rw-r--r-- 1 root root 6971261 Mar 19 03:07 messages.1
-rw-r--r-- 1 root root 618895 Mar 11 03:09 messages.2
-rw-r--r-- 1 root root 1330218 Mar 4 03:00 messages.3
drwxr-xr-x 2 root sys 2 Mar 3 2009 pool
drwxrwxr-x 2 adm sys 2 Mar 3 2009 sa
-r-------- 1 root root 110 Mar 18 22:04 setpass.log
drwxr-xr-x 2 root sys 2 Mar 3 2009 sm.bin
-rw-rw-rw- 1 root bin 0 Aug 25 2008 spellhist
drwxr-xr-x 2 root sys 2 Mar 3 2009 streams
-rw------- 1 root nhbw13t 4493 Apr 1 08:55 sudo.log
-rw------- 1 root root 216 Mar 25 15:37 sulog
-rw-r--r-- 1 root root 0 Feb 10 15:45 syslog
-rw-r--r-- 1 root bin 3348 Apr 1 12:40 utmpx
-rw-r--r-- 1 root root 0 Mar 3 2009 vold.log
drwxr-xr-x 2 root sys 6 Mar 8 14:35 vx
-rw-r--r-- 1 adm adm 630540 Apr 1 15:40 wtmpx

Thanks for the input guys!