PREVIOUS db.mysql

NEXT edr.cylance

dns.bind

Events read from the logs generated by the ISC BIND DNS server are tagged dns.bind.type.

There are two main BIND logging statements to set when configuring the server's event logs:

  • Category - defines and classifies the type of information you want to record (e.g. the default category, queries, security, panic, etc.) 
  • Channel - defines where the selected categories are sent (e.g. the local syslog, a file, etc.)

The type part of the tag is fixed and identifies the type and format of the event sent:

  • Query - corresponds to the BIND queries category and contains the activity log of the DNS queries resolved by the server. It can generate a large volume of logs on servers with heavy DNS traffic. 
  • Info - used for the remaining categories, tagged as dns.bind.info

BIND can send events to the machine's local syslog (letting you specify the syslog facility) and to a local file.

Sending via files

The standard method is to configure BIND to write the logs to a file and rely on another tool (such as rsyslog or syslog-ng) to send the events.

Example of the log configuration for BIND

/etc/bind/named.conf file extract

logging {
        channel querylog {
                file "/var/log/bind/query.log";
                severity info;        # only send events with level info or higher
                print-category yes;
                print-time yes;
                print-severity yes;
        };
        channel defaultlog {
                file "/var/log/bind/bind.log";
                print-time yes;
                print-severity yes;
                print-category yes;
        };
        category default { defaultlog; };
        category queries { querylog; };
        category lame-servers { null; };
};

  • In this example, the logs from the default category (categories without a specific log configuration) and from the queries category (activity log of the queries resolved by the server) are collected in two different files, and lame-server messages are discarded. On a busy server, add the channel's versions and size options (or an external logrotate job) so that query.log does not grow without bound.

Check that the user running BIND (usually bind or named) has read/write permissions on the directory and on the generated log files.

Also, if a mandatory access control system such as AppArmor or SELinux is enforced, make sure its policy allows named to write to /var/log/bind/*.

For more information on BIND log configuration, see the BIND 9 logging statement documentation.

Based on the syslog tags described above, use the following file to configure rsyslog:

/etc/rsyslog.d/46-named.conf file

$template named,"<%PRI%>%timegenerated% %HOSTNAME% %syslogtag% %msg%"
 
# Load the file input module; the $InputFile* directives below require it
$ModLoad imfile
 
# BIND query log (dns.bind.query)
$InputFileName /var/log/bind/query.log
$InputFileTag dns.bind.query:  
$InputFileStateFile stat-file1-namedquerylog
$InputFileSeverity info
$InputFileFacility local7
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor
 
# BIND default log (dns.bind.info)
$InputFileName /var/log/bind/bind.log
$InputFileTag dns.bind.info:
$InputFileStateFile stat-file1-namedinfolog
$InputFileSeverity info
$InputFileFacility local7
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor
 
# SSL config for logtrust secure relay
#$DefaultNetstreamDriver gtls # use gtls netstream driver
#$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.crt
#$DefaultNetstreamDriverCertFile /etc/rsyslog.d/user.crt
#$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/user.key
#$ActionSendStreamDriverMode 1 # require TLS for the connection
#$ActionSendStreamDriverAuthMode x509/name
#$ActionSendStreamDriverPermittedPeer collector
 
if $syslogtag contains 'dns.bind.' and $syslogfacility-text == 'local7' then @@LOGTRUST-RELAY:PORT;named
:syslogtag, contains, "dns.bind." ~
  • Replace LOGTRUST-RELAY and PORT with your Devo relay server and port.
  • If the logs are sent to a secure relay, uncomment the SSL section of the configuration file and set $ActionSendStreamDriverPermittedPeer to the name in the relay's certificate, since x509/name mode rejects peers whose certificate name does not match. 
  • Make sure the user running rsyslog has read permission on the directory and on the log files generated by BIND.
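To check what the relayed dns.bind events look like after the configuration above, the following added example (not part of this page or of Devo's own tooling) reconstructs the syslog framing produced by the named template and parses the BIND query record inside it. The sample lines, host names and addresses are constructed for the example; the query-line layout (time, category, severity, optional client pointer, optional view, name, class, type, flags, server address) follows the BIND 9 queries category with print-time, print-category and print-severity enabled.

```python
import re
from collections import Counter

# Constructed sample events (assumptions for this example, not real traffic), in the
# shape rsyslog emits under the template "<%PRI%>%timegenerated% %HOSTNAME% %syslogtag% %msg%".
# PRI 190 = facility local7 (23) * 8 + severity info (6), as set by $InputFileFacility/$InputFileSeverity.
SAMPLE_EVENTS = [
    "<190>Mar  3 10:15:01 ns1 dns.bind.query: 03-Mar-2024 10:15:01.412 queries: info: "
    "client @0x7f3c5c0e1a10 192.0.2.10#51234 (www.example.com): query: www.example.com IN A +E(0)K (198.51.100.53)",
    "<190>Mar  3 10:15:02 ns1 dns.bind.query: 03-Mar-2024 10:15:02.007 queries: info: "
    "client @0x7f3c5c0e1a10 192.0.2.10#51235 (www.example.com): query: www.example.com IN AAAA +E(0)K (198.51.100.53)",
    "<190>Mar  3 10:15:02 ns1 dns.bind.query: 03-Mar-2024 10:15:02.530 queries: info: "
    "client @0x7f3c5c0e2b20 192.0.2.77#40001 (example.org): query: example.org IN ANY +E(0) (198.51.100.53)",
    "<190>Mar  3 10:15:03 ns1 dns.bind.query: 03-Mar-2024 10:15:03.050 queries: info: "
    "client @0x7f3c5c0e3c30 10.20.30.40#53000 (intranet.example.com): view internal: query: intranet.example.com IN A + (10.20.30.1)",
    "<190>Mar  3 10:15:03 ns1 dns.bind.info: 03-Mar-2024 10:15:03.100 general: info: "
    "zone example.com/IN: loaded serial 2024030301",
    # A line from another daemon on the same host; the rsyslog filter on this page does not forward it.
    "<86>Mar  3 10:15:04 ns1 sshd[2222]: Accepted publickey for ops from 192.0.2.5 port 50100",
]

# Syslog framing as written by the "named" template: <PRI>timestamp host tag: msg
SYSLOG_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>"
    r"(?P<stamp>[A-Z][a-z]{2} [ \d]\d \d\d:\d\d:\d\d) "
    r"(?P<host>\S+) "
    r"(?P<tag>dns\.bind\.[a-z]+): "
    r"(?P<msg>.*)$"
)

# BIND query channel line. The "@0x..." client pointer is present in newer BIND 9 releases
# and "view <name>:" only when views are configured, so both are optional here.
QUERY_RE = re.compile(
    r"^(?P<btime>\d\d-[A-Z][a-z]{2}-\d{4} \d\d:\d\d:\d\d\.\d{3}) "
    r"queries: (?P<severity>\w+): "
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<qname_echo>[^)]*)\):(?: view (?P<view>\S+):)? query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) "
    r"\((?P<server>[^)]+)\)$"
)

SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]


def decode_pri(pri):
    """Split a syslog PRI value into (facility name, severity name)."""
    facility, severity = divmod(pri, 8)
    name = f"local{facility - 16}" if 16 <= facility <= 23 else str(facility)
    return name, SEVERITY_NAMES[severity]


def parse_event(line):
    """Return the syslog framing of a dns.bind.* line and, for dns.bind.query,
    the fields of the BIND query record. Lines with other tags return None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    facility, severity = decode_pri(int(m["pri"]))
    event = {"facility": facility, "severity": severity, "host": m["host"],
             "tag": m["tag"], "msg": m["msg"]}
    if m["tag"] == "dns.bind.query":
        q = QUERY_RE.match(m["msg"])
        if q:
            flags = q["flags"]
            event["query"] = {
                "client": q["client"], "port": int(q["port"]), "view": q["view"],
                "qname": q["qname"], "qclass": q["qclass"], "qtype": q["qtype"],
                "flags": flags,
                "recursion_desired": flags.startswith("+"),  # BIND prints "+" for RD set, "-" otherwise
                "tcp": "T" in flags,                          # "T" marks a query received over TCP
                "server": q["server"],
            }
    return event


def summarize(lines):
    """Count events per tag, and queries per client and per type. Lines that are not
    dns.bind.* events, or whose PRI does not decode to local7.info as the rsyslog
    filter expects, are returned under 'unexpected' for inspection."""
    by_tag, by_client, by_qtype, unexpected = Counter(), Counter(), Counter(), []
    for line in lines:
        ev = parse_event(line)
        if ev is None or (ev["facility"], ev["severity"]) != ("local7", "info"):
            unexpected.append(line)
            continue
        by_tag[ev["tag"]] += 1
        q = ev.get("query")
        if q:
            by_client[q["client"]] += 1
            by_qtype[q["qtype"]] += 1
    return {"by_tag": dict(by_tag), "by_client": dict(by_client),
            "by_qtype": dict(by_qtype), "unexpected": unexpected}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_EVENTS).items():
        print(f"{key}: {value}")
```

Running the script against the constructed lines groups four dns.bind.query events by client and query type, keeps the dns.bind.info zone-load line separate, and reports the sshd line as unexpected; on a real host, feeding it the output of the relay (or query.log lines wrapped the same way) is a quick check that the template, tag and facility are what the Devo side expects.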
