Differences

This shows you the differences between two versions of the page.

--- bind:enable_logging [2016/10/16 13:12] – peter
+++ bind:enable_logging [2019/11/26 21:06] (current) – removed peter
@@ Line 1: / Line 1: @@
-====== Bind - Enable Logging ======
-The **rndc** command controls the operation of a name server.  If rndc is invoked with no command line options or arguments, it prints a short summary of the supported commands and the available options and their arguments.
-rndc communicates with the name server over a TCP connection, sending commands authenticated with digital signatures. In the current versions of rndc and bind the only supported authentication algorithm is HMAC-MD5, which uses a shared secret on each end of the connection. This provides TSIG-style authentication for the command request and the name server's response.  All commands sent over the channel must be signed by a key_id known to the server.
-===== Turn on logging =====
-Type the following command as root to toggle query logging:
-<code bash>
-rndc querylog
-</code>
-===== View bind sever query log =====
-Once this is done, you can view all logged queries usimg /var/log/messages file. To view those queries, type:
-<code bash>
-tail -f /var/log/messages
-</code>
-You might need to tail /var/log/syslog instead of /var/log/messages.
-===== Turn off logging =====
-Type the following command as root to toggle query logging:
-<code bash>
-rndc querylog
-</code>
-**NOTE**:  It is important to place all log files into /var/log/named. The reason for this is that AppArmor by default only allows this location in /var/log.  If you for instance used an alternative path, say /var/log/bind for the log files then you need to update AppArmor.
-<code bash>
-vi /etc/apparmor.d/usr.sbin.named
-</code>
-Create the logging master file.
-<code bash>
-vi /etc/bind/named.conf.logging
-</code>
-and populate as:
-<file bash /etc/bind/named.conf.logging>
-logging {
-  channel default_file {
-    file "/var/log/named/default.log" versions 3 size 5m;
-      severity dynamic;
-      print-time yes;
-  };
-  channel general_file {
-    file "/var/log/named/general.log" versions 3 size 5m;
-    severity dynamic;
-    print-time yes;
-  };
-  channel database_file {
-    file "/var/log/named/database.log" versions 3 size 5m;
-    severity dynamic;
-    print-time yes;
-  };
-  channel security_file {
-    file "/var/log/named/security.log" versions 3 size 5m;
-    severity dynamic;
-    print-time yes;
-  };
-  channel config_file {
-    file "/var/log/named/config.log" versions 3 size 5m;
-    severity dynamic;
-    print-time yes;
-  };
-  channel resolver_file {
-    file "/var/log/named/resolver.log" versions 3 size 5m;
-    severity dynamic;
-    print-time yes;
-  };
-  channel xfer-in_file {
-    file "/var/log/named/xfer-in.log" versions 3 size 5m;
-    severity dynamic;
-    print-time yes;
-  };
-  channel xfer-out_file {
-    file "/var/log/named/xfer-out.log" versions 3 size 5m;
-    severity dynamic;
-    print-time yes;
-  };
-  channel notify_file {
-    file "/var/log/named/notify.log" versions 3 size 5m;
-    severity dynamic;
-    print-time yes;
-  };
-  channel client_file {
-    file "/var/log/named/client.log" versions 3 size 5m;
-    severity dynamic;
-    print-time yes;
-  };
-  channel unmatched_file {
-    file "/var/log/named/unmatched.log" versions 3 size 5m;
-    severity dynamic;
-    print-time yes;
-  };
-  channel queries_file {
-    file "/var/log/named/queries.log" versions 3 size 5m;
-    severity dynamic;
-    print-time yes;
-  };
-  channel network_file {
-    file "/var/log/named/network.log" versions 3 size 5m;
-    severity dynamic;
-    print-time yes;
-  };
-  channel update_file {
-    file "/var/log/named/update.log" versions 3 size 5m;
-    severity dynamic;
-    print-time yes;
-  };
-  channel dispatch_file {
-    file "/var/log/named/dispatch.log" versions 3 size 5m;
-    severity dynamic;
-    print-time yes;
-  };
-  channel dnssec_file {
-    file "/var/log/named/dnssec.log" versions 3 size 5m;
-    severity dynamic;
-    print-time yes;
-  };
-  channel lame-servers_file {
-    file "/var/log/named/lame-servers.log" versions 3 size 5m;
-    severity dynamic;
-    print-time yes;
-  };
-  category default { default_file; };
-  category general { general_file; };
-  category database { database_file; };
-  category security { security_file; };
-  category config { config_file; };
-  category resolver { resolver_file; };
-  category xfer-in { xfer-in_file; };
-  category xfer-out { xfer-out_file; };
-  category notify { notify_file; };
-  category client { client_file; };
-  category unmatched { unmatched_file; };
-  category queries { queries_file; };
-  category network { network_file; };
-  category update { update_file; };
-  category dispatch { dispatch_file; };
-  category dnssec { dnssec_file; };
-  category lame-servers { lame-servers_file; };
-};
-</file>
-Make the logging master file accessible to bind:
-<code bash>
-chown root.bind /etc/bind/named.conf.logging
-</code>
-and set the permissions on the file:
-<code bash>
-chmod 640 /etc/bind/named.conf.logging
-</code>
-Add the logging master file into the bind config.
-<code bash>
-vi /etc/bind/named.conf>
-</bash>
-and modify as:
-<file bash /etc/bind/named.conf>
-include "/etc/bind/named.conf.logging";
-include "/etc/bind/named.conf.options";
-include "/etc/bind/named.conf.local";
-</file>
-It is advisable to create the log files manually:
-<code bash>
-touch /var/log/named/querylog.log
-touch /var/log/named/general.log
-touch /var/log/named/database.log
-touch /var/log/named/security.log
-touch /var/log/named/config.log
-touch /var/log/named/resolver.log
-touch /var/log/named/xfer-in.log
-touch /var/log/named/xfer-out.log
-touch /var/log/named/notify.log
-touch /var/log/named/client.log
-touch /var/log/named/unmatched.log
-touch /var/log/named/queries.log
-touch /var/log/named/network.log
-touch /var/log/named/update.log
-touch /var/log/named/dispatch.log
-touch /var/log/named/dnssec.log
-touch /var/log/named/lame-servers.log
-</code>
-Make the files accessible to bind:
-<code bash>
-chown bind.bind /var/log/named/*
-</code>
-Make the log files writeable:
-<code bash>
-chmod 600 /var/log/named/*
-</code>
-Restart bind server to apply changes
-<code bash>
-systemctl restart bind.service
-</code>
-Check that bind is running okay
-<code bash>
-systemctl status bind.service
-</code>