networking:bind:enable_logging

networking:bind:enable_logging [2020/05/12 15:15] peternetworking:bind:enable_logging [2020/05/12 15:35] (current) – removed peter
Line 1: Line 1:
-====== Networking - Bind - Enable Logging ====== 
- 
-The **rndc** command controls the operation of a name server. 
- 
-If rndc is invoked with no command line options or arguments, it prints a short summary of the supported commands and the available options and their arguments. 
- 
-rndc communicates with the name server over a TCP connection, sending commands authenticated with digital signatures. 
- 
-In the current versions of rndc and bind the only supported authentication algorithm is HMAC-MD5, which uses a shared secret on each end of the connection.  This provides TSIG-style authentication for the command request and the name server's response. 
- 
-All commands sent over the channel must be signed by a key_id known to the server. 
- 
----- 
- 
-===== Turn on logging ===== 
- 
-Type the following command as root to toggle query logging: 
- 
-<code bash> 
-rndc querylog 
-</code> 
- 
----- 
- 
-===== View bind sever query log ===== 
- 
-Once this is done, you can view all logged queries usimg /var/log/messages file. 
- 
-To view those queries, type: 
- 
-<code bash> 
-tail -f /var/log/messages 
-</code> 
- 
-You might need to tail /var/log/syslog instead of /var/log/messages. 
- 
----- 
- 
-===== Turn off logging ===== 
- 
-Type the following command as root to toggle query logging: 
- 
-<code bash> 
-rndc querylog 
-</code> 
- 
- 
-<WRAP info> 
-**NOTE**:  It is important to place all log files into /var/log/named. 
- 
-The reason for this is that AppArmor by default only allows this location in /var/log. 
-</WRAP> 
- 
-If you for instance used an alternative path, say /var/log/bind for the log files then you need to update AppArmor. 
- 
-<code bash> 
-vi /etc/apparmor.d/usr.sbin.named 
-</code> 
- 
-Create the logging master file. 
- 
-<code bash> 
-vi /etc/bind/named.conf.logging 
-</code> 
- 
-and populate as: 
- 
-<file bash /etc/bind/named.conf.logging> 
-logging { 
-  channel default_file { 
-    file "/var/log/named/default.log" versions 3 size 5m; 
-      severity dynamic; 
-      print-time yes; 
-  }; 
-  channel general_file { 
-    file "/var/log/named/general.log" versions 3 size 5m; 
-    severity dynamic; 
-    print-time yes; 
-  }; 
-  channel database_file { 
-    file "/var/log/named/database.log" versions 3 size 5m; 
-    severity dynamic; 
-    print-time yes; 
-  }; 
-  channel security_file { 
-    file "/var/log/named/security.log" versions 3 size 5m; 
-    severity dynamic; 
-    print-time yes; 
-  }; 
-  channel config_file { 
-    file "/var/log/named/config.log" versions 3 size 5m; 
-    severity dynamic; 
-    print-time yes; 
-  }; 
-  channel resolver_file { 
-    file "/var/log/named/resolver.log" versions 3 size 5m; 
-    severity dynamic; 
-    print-time yes; 
-  }; 
-  channel xfer-in_file { 
-    file "/var/log/named/xfer-in.log" versions 3 size 5m; 
-    severity dynamic; 
-    print-time yes; 
-  }; 
-  channel xfer-out_file { 
-    file "/var/log/named/xfer-out.log" versions 3 size 5m; 
-    severity dynamic; 
-    print-time yes; 
-  }; 
-  channel notify_file { 
-    file "/var/log/named/notify.log" versions 3 size 5m; 
-    severity dynamic; 
-    print-time yes; 
-  }; 
-  channel client_file {  
-    file "/var/log/named/client.log" versions 3 size 5m; 
-    severity dynamic; 
-    print-time yes; 
-  }; 
-  channel unmatched_file { 
-    file "/var/log/named/unmatched.log" versions 3 size 5m; 
-    severity dynamic; 
-    print-time yes; 
-  }; 
-  channel queries_file { 
-    file "/var/log/named/queries.log" versions 3 size 5m; 
-    severity dynamic; 
-    print-time yes; 
-  }; 
-  channel network_file { 
-    file "/var/log/named/network.log" versions 3 size 5m; 
-    severity dynamic; 
-    print-time yes; 
-  }; 
-  channel update_file { 
-    file "/var/log/named/update.log" versions 3 size 5m; 
-    severity dynamic; 
-    print-time yes; 
-  }; 
-  channel dispatch_file { 
-    file "/var/log/named/dispatch.log" versions 3 size 5m; 
-    severity dynamic; 
-    print-time yes; 
-  }; 
-  channel dnssec_file { 
-    file "/var/log/named/dnssec.log" versions 3 size 5m; 
-    severity dynamic; 
-    print-time yes; 
-  }; 
-  channel lame-servers_file { 
-    file "/var/log/named/lame-servers.log" versions 3 size 5m; 
-    severity dynamic; 
-    print-time yes; 
-  }; 
- 
-  category default { default_file; }; 
-  category general { general_file; }; 
-  category database { database_file; }; 
-  category security { security_file; }; 
-  category config { config_file; }; 
-  category resolver { resolver_file; }; 
-  category xfer-in { xfer-in_file; }; 
-  category xfer-out { xfer-out_file; }; 
-  category notify { notify_file; }; 
-  category client { client_file; }; 
-  category unmatched { unmatched_file; }; 
-  category queries { queries_file; }; 
-  category network { network_file; }; 
-  category update { update_file; }; 
-  category dispatch { dispatch_file; }; 
-  category dnssec { dnssec_file; }; 
-  category lame-servers { lame-servers_file; }; 
-}; 
-</file> 
- 
----- 
- 
-Make the logging master file accessible to bind: 
- 
-<code bash> 
-chown root.bind /etc/bind/named.conf.logging 
-</code> 
- 
-and set the permissions on the file: 
- 
-<code bash> 
-chmod 640 /etc/bind/named.conf.logging 
-</code> 
- 
-Add the logging master file into the bind config. 
- 
-<code bash> 
-vi /etc/bind/named.conf> 
-</code> 
- 
-and modify as: 
- 
-<file bash /etc/bind/named.conf> 
-include "/etc/bind/named.conf.logging"; 
-include "/etc/bind/named.conf.options"; 
-include "/etc/bind/named.conf.local"; 
-</file> 
- 
----- 
- 
-It is advisable to create the log files manually: 
- 
-<code bash> 
-touch /var/log/named/querylog.log 
-touch /var/log/named/general.log 
-touch /var/log/named/database.log 
-touch /var/log/named/security.log 
-touch /var/log/named/config.log 
-touch /var/log/named/resolver.log 
-touch /var/log/named/xfer-in.log 
-touch /var/log/named/xfer-out.log 
-touch /var/log/named/notify.log 
-touch /var/log/named/client.log 
-touch /var/log/named/unmatched.log 
-touch /var/log/named/queries.log 
-touch /var/log/named/network.log 
-touch /var/log/named/update.log 
-touch /var/log/named/dispatch.log 
-touch /var/log/named/dnssec.log 
-touch /var/log/named/lame-servers.log 
-</code> 
- 
-Make the files accessible to bind: 
- 
-<code bash> 
-chown bind.bind /var/log/named/* 
-</code> 
- 
-Make the log files writeable: 
- 
-<code bash> 
-chmod 600 /var/log/named/* 
-</code> 
- 
- 
-Restart bind server to apply changes 
- 
-<code bash> 
-systemctl restart bind.service 
-</code> 
- 
- 
-Check that bind is running okay 
- 
-<code bash> 
-systemctl status bind.service 
-</code> 
  
networking/bind/enable_logging.1589296510.txt.gz · Last modified: 2020/07/15 09:30 (external edit)
