Versions Compared

Old Version 5

changes.mady.by.user Former user

Saved on

compared with

New Version 6

changes.mady.by.user Juan Tomás Alonso Nieto

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.
Table of Contents
minLevel2
maxLevel2
outlinefalse
typeflat
separatorbrackets
printablefalse

Introduction

The tags beginning with dns.bind bind identify log events generated by the BIND Name Server.  The BIND Name Server generates log messages associated with BIND categories. Devo's dns.bind tags are designed to collect all messages in the queries category messages in one place, and the rest of the messages in another.

...

Table of Contents
maxLevel2
minLevel2

...

Valid tags and data tables

The full tag will have just three levels. The first two are fixed as dns.bind. The third level describes the event message content in terms of the event's BIND category and must be either query  query orinfo. Query events are all those log messages in the queries BIND category. Events with any other BIND category value are assigned info as the third tag level.

...

technology

...

brand

...

log type/format

...

dns

...

bind

...

  • query

  • info

Therefore, the valid tags include:These are the valid tags and corresponding data tables that will receive the parsers' data:

Product / Service

Tags

Data tables

BIND Name Server

dns.bind.info

dns.bind.info

dns.bind.query

dns.bind.

...

query

For more information, read more about Devo tags.

...

You should also make sure that the user running bind has read and write permissions on the directory and generated log files. 

Also, if you are using modules like AppArmor or SELinux, make sure there is an exception for /var/log/bind/*.

...

How is the data sent to Devo

...

?

You can read more about using rsyslog to monitor and send files to a Devo endpoint in the Sending data to Devo section of our documentation. Here we offer a sample rsyslog configuration file that is set up to monitor the query and bind logs and forward them to a Devo Relay.

...

Code Block
$template named,"<%PRI%>%timegenerated% %HOSTNAME% %syslogtag% %msg%"
 
# File access
$InputFileName /var/log/bind/query.log
$InputFileTag dns.bind.query:  
$InputFileStateFile stat-file1-namedquerylog
$InputFileSeverity info
$InputFileFacility local7
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor
 
# File access
$InputFileName /var/log/bind/bind.log
$InputFileTag dns.bind.info:
$InputFileStateFile stat-file1-namedinfolog
$InputFileSeverity info
$InputFileFacility local7
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor
 
# SSL config for DEVO Cloud
#$DefaultNetstreamDriver gtls # use gtls netstream driver
#$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.crt
#$DefaultNetstreamDriverCertFile /etc/rsyslog.d/user.crt
#$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/user.key
#$ActionSendStreamDriverMode 1 # require TLS for the connection
#$ActionSendStreamDriverAuthMode x509/name
#$ActionSendStreamDriverPermittedPeer collector
 
if $syslogtag contains 'dns.bind.' and $syslogfacility-text == 'local7' then @@DEVO-RELAY:PORT;named
:syslogtag, contains, "dns.bind." ~

DEVO-RELAY and PORT are placeholders which you should replace with the IP address and port of your Devo Relay. Or, to send the events directly to the Devo Cloud, you can uncomment the SSL section of the file. In this case, you should replace DEVO-RELAY and PORT with the hostname of your Devo domain and port 443. 

...