Introduction
The tags beginning with dns.bind identify log events generated by the BIND Name Server. The BIND Name Server generates log messages associated with BIND categories. Devo's dns.bind tags are designed to collect all messages in the queries category in one place, and the rest of the messages in another.
Valid tags and data tables
The full tag has just three levels. The first two are fixed as dns.bind. The third level describes the event message content in terms of the event's BIND category and must be either query or info. Query events are all those log messages in the queries BIND category. Events with any other BIND category value are assigned info as the third tag level.
Tag level | Meaning | Value |
---|---|---|
1 | technology | dns |
2 | brand | bind |
3 | log type/format | query, info |
These are the valid tags and the corresponding data tables that will receive the parsers' data:

Product / Service | Tags | Data tables |
---|---|---|
BIND Name Server | dns.bind.query | dns.bind.query |
BIND Name Server | dns.bind.info | dns.bind.info |
For more information, read more about Devo tags.
You should also make sure that the user running bind has read and write permissions on the directory and the generated log files. Also, if you are using modules like AppArmor or SELinux, make sure there is an exception for /var/log/bind/*.
How is the data sent to Devo?
You can read more about using rsyslog to monitor and send files to a Devo endpoint in the Sending data to Devo section of our documentation. Here we offer a sample rsyslog configuration file that is set up to monitor the query and bind logs and forward them to a Devo Relay.
```
# Load the file input module; the $InputFile* directives below need it
$ModLoad imfile

# Output template: <PRI>timegenerated HOSTNAME syslogtag msg
$template named,"<%PRI%>%timegenerated% %HOSTNAME% %syslogtag% %msg%"

# File access: BIND query log -> dns.bind.query
$InputFileName /var/log/bind/query.log
$InputFileTag dns.bind.query:
$InputFileStateFile stat-file1-namedquerylog
$InputFileSeverity info
$InputFileFacility local7
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor

# File access: BIND general log -> dns.bind.info
$InputFileName /var/log/bind/bind.log
$InputFileTag dns.bind.info:
$InputFileStateFile stat-file1-namedinfolog
$InputFileSeverity info
$InputFileFacility local7
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor

# SSL config for DEVO Cloud
#$DefaultNetstreamDriver gtls # use gtls netstream driver
#$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.crt
#$DefaultNetstreamDriverCertFile /etc/rsyslog.d/user.crt
#$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/user.key
#$ActionSendStreamDriverMode 1 # require TLS for the connection
#$ActionSendStreamDriverAuthMode x509/name
#$ActionSendStreamDriverPermittedPeer collector

# Forward dns.bind.* events on facility local7 using the 'named' template,
# then discard them so they are not also written to local log files
if $syslogtag contains 'dns.bind.' and $syslogfacility-text == 'local7' then @@DEVO-RELAY:PORT;named
:syslogtag, contains, "dns.bind." ~
```
DEVO-RELAY and PORT are placeholders which you should replace with the IP address and port of your Devo Relay. Or, to send the events directly to the Devo Cloud, you can uncomment the SSL section of the file. In this case, you should replace DEVO-RELAY and PORT with the hostname of your Devo domain and port 443.
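As an added example (not part of the Devo documentation or its parser), the Python script below mirrors the routing rules described above: it validates a syslogtag against the three-level dns.bind rule, renders a message the way the named template does (PRI = facility * 8 + severity, so local7/info gives 190), and applies the same forward-or-discard decision as the rsyslog filter. The hostname, timestamp and BIND log lines are constructed sample values; it also shows the caveat that the filter only checks the dns.bind. prefix, so a mistyped third level is still forwarded but matches no Devo table.

```python
import re
from datetime import datetime
from typing import Optional

# Syslog facility/severity numbers behind the config's local7/info settings
FACILITIES = {"local0": 16, "local7": 23}
SEVERITIES = {"info": 6}
VALID_THIRD_LEVELS = {"query", "info"}  # third tag level allowed by dns.bind
LINE_RE = re.compile(r"<(\d+)>(\w{3} \d{2} \d{2}:\d{2}:\d{2}) (\S+) (\S+) (.*)$")


def devo_table_for_tag(tag: str) -> str:
    """Map an rsyslog syslogtag such as 'dns.bind.query:' to its Devo data table.

    Raises ValueError for tags that the 'contains dns.bind.' filter would forward
    but that match no table: only dns.bind.query and dns.bind.info are defined.
    """
    levels = tag.rstrip(":").split(".")
    if len(levels) != 3 or levels[:2] != ["dns", "bind"]:
        raise ValueError(f"tag must have exactly three levels dns.bind.<x>: {tag!r}")
    if levels[2] not in VALID_THIRD_LEVELS:
        raise ValueError(f"third level must be query or info: {tag!r}")
    return ".".join(levels)  # Devo data tables are named after the tag


def format_named(tag: str, msg: str, facility: str = "local7",
                 severity: str = "info", hostname: str = "ns1") -> str:
    """Render a message as the 'named' template does: <PRI>timegenerated HOSTNAME tag msg."""
    pri = FACILITIES[facility] * 8 + SEVERITIES[severity]
    stamp = datetime(2024, 1, 1, 12, 0, 0).strftime("%b %d %H:%M:%S")  # constructed, fixed
    return f"<{pri}>{stamp} {hostname} {tag} {msg}"


def route(line: str) -> Optional[str]:
    """Apply the rsyslog filter: dns.bind.* on local7 is forwarded (return the Devo
    table); anything else is left to the ':syslogtag, contains, "dns.bind." ~' discard
    rule or ignored entirely (return None)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    pri, tag = int(m.group(1)), m.group(4)
    if "dns.bind." in tag and pri // 8 == FACILITIES["local7"]:
        return devo_table_for_tag(tag)
    return None


if __name__ == "__main__":
    # Constructed BIND log lines, not captured from a real server
    query = format_named("dns.bind.query:", "client 10.0.0.5#53211 (example.com): query: example.com IN A + (10.0.0.1)")
    info = format_named("dns.bind.info:", "zone example.com/IN: loaded serial 2024010101")
    for line in (query, info):
        print(route(line), "<-", line)
```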