[lug] logging with bind 8
Brad Doctor
bdoctor at ps-ax.com
Sat Dec 29 09:25:31 MST 2001
If you are running named *as* named, there may be some issue with file
ownership. I make all of my named-related files owned by named, or
whatever the user is. /var/adm/messages is being written indirectly via
syslog whereas the specific files mentioned below will be written
directly. I think it wants to "own" the files.
With my setup, I have thus:
11 @fw:/var/log/named > ls -al
total 3995
drwxr-xr-x 2 root wheel 512 Mar 28 2001 ./
drwxr-xr-x 4 root wheel 1536 Dec 28 12:00 ../
-rw-r--r-- 1 named named 4076309 Dec 28 23:37 named.debug
The world and group bits can be set to read-only if you like, since named
owns it. Other than that, I have no special considerations for the log
files. The files within /var/named are also owned by user named. Notice
that the directories are owned by root, with my process running as
named. This prevents the process from creating new files, but allows it to
access existing files that it owns. A bit more security in that. Also a
bit more responsibility on your side. If you specify a file below, make
sure that it exists and is owned by named, or whatever user you are running
as, which is hopefully not root :)
-brad
At 09:03 AM 12/29/2001 -0600, charles at lunarmedia.net wrote:
>thanks for the help, however i'm still not seeing anything logging to
>alternative files other than /var/log/messages. even with lame-servers
>specifically addressed as you have below, lame-server errors are still
>showing up in regular syslog output.
>does named need to be started in a certain manner in order to be able to
>allow this type of logging? i even touched all of the related log files
>and gave them 666 perms to see if it was an error in the daemon being able
>to write, but to no avail.
>
>-c
>
>On Fri, 28 Dec 2001 bdoctor at ps-ax.com wrote:
>
> > This is what I use, should do what you wish:
> >
> > logging {
> >     channel default_log {
> >         file "/dev/null";
> >         severity info;
> >     };
> >     channel severe_log {
> >         file "/var/log/named/named.severe";
> >         severity critical;
> >     };
> >     channel error_log {
> >         file "/var/log/named/named.error";
> >         severity error;
> >     };
> >     channel debug_log {
> >         file "/var/log/named/named.debug";
> >         severity debug;
> >     };
> >     category default { debug_log; };
> >     category config { debug_log; };
> >     category parser { debug_log; };
> >     category panic { debug_log; };
> >     category cname { null; };
> >     category lame-servers { null; };
> > };
> >
> > > i'd like to have bind log to its own file within /var/log rather than to
> > > syslog. i have configured:
> > >
> > > // logging
> > > logging {
> > >
> > >     // shunt logging to a local file
> > >     channel log_to_file {
> > >         file "/var/log/named/dnslog";
> > >         severity info;
> > >     };
> > >
> > >     // specify where categories should log
> > >     category default { log_to_file; };
> > >
> > > };
> > >
> > > however, upon restarting bind, it's still logging everything to
> > > /var/log/messages, which is precisely what i had hoped to avoid. i'm
> > > reading through dns&bind pp147-151. anyone see incorrect syntax right off
> > > that sticks out?
> > >
> > > thanks -c
> > >
> > > _______________________________________________
> > > Web Page: http://lug.boulder.co.us
> > > Mailing List: http://lists.lug.boulder.co.us/mailman/listinfo/lug
Brad Doctor, CISSP
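A pre-flight check for the ownership rules Brad describes above, added here as an example; it is not code from the thread or from BIND. It pulls the file-backed channels out of a logging statement and reports any file that is missing, not owned by the daemon's uid, group- or world-writable, or sitting in a directory the daemon can write to. The conf string and temp-dir layout in demo() are constructed, and resolving the daemon's user name (named, or whatever you run as) to a uid is assumed to be done by the caller.

```python
import os, re, stat, tempfile
# Matches the file-backed channels of a BIND logging statement, e.g.
# channel debug_log { file "/var/log/named/named.debug"; severity debug; };
CHANNEL_FILE_RE = re.compile(r'channel\s+(\S+)\s*\{[^}]*?\bfile\s+"([^"]+)"', re.S)

def channel_files(conf_text):
    """Return {channel_name: path} for every logging channel that writes to a file."""
    return dict(CHANNEL_FILE_RE.findall(conf_text))

def check_log_file(path, daemon_uid):
    """Problems with one log file for a named running as daemon_uid ([] means fine).
    Thread rules: the file already exists, is owned by the daemon, is writable by its
    owner only, and sits in a directory the daemon cannot write to (no new files)."""
    if path == "/dev/null":                      # the null sink needs no checks
        return []
    try:
        st = os.stat(path)
    except FileNotFoundError:
        return ["%s: does not exist; touch it and chown it to the daemon user" % path]
    problems = []
    if st.st_uid != daemon_uid:
        problems.append("%s: owned by uid %d, not daemon uid %d" % (path, st.st_uid, daemon_uid))
    if not st.st_mode & stat.S_IWUSR:
        problems.append("%s: not writable by its owner" % path)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append("%s: group- or world-writable; 666 is not the fix" % path)
    d = os.stat(os.path.dirname(path) or ".")
    if d.st_mode & stat.S_IWOTH or (d.st_uid == daemon_uid and d.st_mode & stat.S_IWUSR):
        problems.append("%s: directory writable by the daemon, so it could create files" % path)
    return problems

def check_logging_conf(conf_text, daemon_uid):
    """Map every file channel in conf_text to its list of problems."""
    return {n: check_log_file(p, daemon_uid) for n, p in channel_files(conf_text).items()}

def demo():
    """Constructed fixture: the thread's layout (named.debug mode 644 in a directory the
    daemon cannot write to), checked as-is and again after chmod 666 + writable dir."""
    uid = os.getuid()
    logdir = tempfile.mkdtemp()
    debug = os.path.join(logdir, "named.debug")
    open(debug, "w").close()
    os.chmod(debug, 0o644)
    os.chmod(logdir, 0o555)                      # root-owned 755 as seen from 'named'
    conf = ('logging { channel default_log { file "/dev/null"; severity info; };'
            ' channel debug_log { file "%s"; severity debug; }; };' % debug)
    good = check_logging_conf(conf, uid)
    os.chmod(logdir, 0o755)
    os.chmod(debug, 0o666)
    return good, check_log_file(debug, uid)
```

Run it as root against the real named.conf with the daemon's uid before restarting named; an empty list for every channel means the layout matches what Brad describes.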