Introduction

The tags beginning with dns.bind identify log events generated by the BIND Name Server. BIND writes its log messages under BIND logging categories. Devo's dns.bind tags are designed to collect all messages in the queries category in one place, and all other messages in another.

Valid tags and data tables

The full tag has just three levels. The first two are fixed as dns.bind. The third level describes the event message content in terms of the event's BIND category and must be either query or info. Query events are all log messages in the queries BIND category. Events with any other BIND category value are assigned info as the third tag level.

The three levels of the tag are:

  • technology: dns
  • brand: bind
  • log type/format: query or info

These are the valid tags and the corresponding data tables that will receive the parsers' data:

Product / Service    Tags              Data tables
BIND Name Server     dns.bind.info     dns.bind.info
                     dns.bind.query    dns.bind.query

For more information, read more about Devo tags.

You need to configure BIND to log messages in the queries category to one log file and the rest of the messages to another file. The following excerpt from a BIND configuration file shows how this can be done. 

/etc/bind/named.conf file extract
logging {
        channel querylog {
                file "/var/log/bind/query.log";
                severity info;    # Only send events of level "info" or higher
                print-category yes;
                print-time yes;
                print-severity yes;
        };
        channel defaultlog {
                file "/var/log/bind/bind.log";
                print-time yes;
                print-severity yes;
                print-category yes;
        };
        category default { defaultlog; };
        category queries { querylog; };
        category lame-servers { null; };
};

You should also make sure that the user running BIND has read and write permissions on the directory and on the generated log files.

Also, if you are using modules like AppArmor or SELinux, make sure there is an exception for /var/log/bind/*.

How is the data sent to Devo?

You can read more about using rsyslog to monitor and send files to a Devo endpoint in the Sending data to Devo section of our documentation. Here we offer a sample rsyslog configuration file that is set up to monitor the query and bind logs and forward them to a Devo Relay.

/etc/rsyslog.d/46-named.conf file
# Load the file-input module used by the $InputFile* directives below
# (omit this line if imfile is already loaded elsewhere in your rsyslog configuration)
$ModLoad imfile

$template named,"<%PRI%>%timegenerated% %HOSTNAME% %syslogtag% %msg%"
 
# Monitor the BIND query log and tag each line as dns.bind.query
$InputFileName /var/log/bind/query.log
$InputFileTag dns.bind.query:
$InputFileStateFile stat-file1-namedquerylog
$InputFileSeverity info
$InputFileFacility local7
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor
 
# Monitor the rest of the BIND log and tag each line as dns.bind.info
$InputFileName /var/log/bind/bind.log
$InputFileTag dns.bind.info:
$InputFileStateFile stat-file1-namedinfolog
$InputFileSeverity info
$InputFileFacility local7
$InputFilePollInterval 1
$InputFilePersistStateInterval 1
$InputRunFileMonitor
 
# SSL config for Devo Cloud (uncomment to send directly to the Devo Cloud)
#$DefaultNetstreamDriver gtls # use gtls netstream driver
#$DefaultNetstreamDriverCAFile /etc/rsyslog.d/ca.crt
#$DefaultNetstreamDriverCertFile /etc/rsyslog.d/user.crt
#$DefaultNetstreamDriverKeyFile /etc/rsyslog.d/user.key
#$ActionSendStreamDriverMode 1 # require TLS for the connection
#$ActionSendStreamDriverAuthMode x509/name
#$ActionSendStreamDriverPermittedPeer collector
 
# Forward the tagged events over TCP using the "named" template, then discard
# them so they are not also written to the local syslog files
if $syslogtag contains 'dns.bind.' and $syslogfacility-text == 'local7' then @@DEVO-RELAY:PORT;named
:syslogtag, contains, "dns.bind." ~

DEVO-RELAY and PORT are placeholders which you should replace with the IP address and port of your Devo Relay. Or, to send the events directly to the Devo Cloud, you can uncomment the SSL section of the file. In this case, you should replace DEVO-RELAY and PORT with the hostname of your Devo domain and port 443. 

Finally, make sure the user running rsyslog has read permissions on the directory and the log files generated by BIND.

Table structure

These are the fields displayed in these tables:

dns.bind.info

Field        Type        Source field name   Extra fields
eventdate    timestamp
machine      str         vmachine
serverdate   timestamp
category     str
severity     str
interface    str
srcIp        ip4
srcPort      int4
name         str
class        str
type         str
dnsServer    str
message      str
rawMessage   str
hostchain    str
tag          str

dns.bind.query

Field        Type        Source field name   Extra fields
eventdate    timestamp
machine      str         vmachine
serverdate   timestamp
srcIp        ip4
srcPort      int4
name         str
class        str
type         str
flags        str
dnsServer    ip4
hostchain    str
tag          str
rawMessage   str
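As an added example (not code from this page or from Devo), the parser below takes a line in the shape the rsyslog "named" template above forwards it and maps it onto the dns.bind.query fields listed in this table, returning None for lines that are not query events. It assumes the standard BIND 9 query-log line layout, which this page does not show; the sample lines are constructed.

```python
import re
from typing import Optional

# Constructed sample lines in the shape the rsyslog "named" template emits:
# "<PRI>timestamp host tag: <original BIND log line>". The BIND part follows the
# standard BIND 9 query-log layout (an assumption; this page does not show it).
QUERY_LINE = ('<190>Mar 14 10:00:00 ns1 dns.bind.query: 14-Mar-2023 10:00:00.123 '
              'queries: info: client @0x7f3a1c0 192.0.2.10#53124 (www.example.com): '
              'query: www.example.com IN A +E(0)K (10.0.0.53)')
INFO_LINE = ('<190>Mar 14 10:00:01 ns1 dns.bind.info: 14-Mar-2023 10:00:01.000 '
             'general: info: zone example.com/IN: loaded serial 2023031401')

# Syslog wrapper added by the template: PRI, timestamp, host, tag, message.
SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) '
    r'(?P<tag>dns\.bind\.(?:query|info)): (?P<msg>.*)$')

# BIND query line with print-time, print-category and print-severity enabled.
# The "@0x..." client pointer and the trailing "(server)" are optional because
# older BIND releases omit them.
QUERY_RE = re.compile(
    r'^(?P<time>\d{2}-\w{3}-\d{4} \d\d:\d\d:\d\d\.\d{3}) '
    r'(?P<category>[\w-]+): (?P<severity>\w+): '
    r'client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) '
    r'\([^)]*\): query: (?P<name>\S+) (?P<cls>\S+) (?P<type>\S+) '
    r'(?P<flags>\S+)(?: \((?P<server>[0-9a-fA-F.:]+)\))?$')


def parse_query_event(line: str) -> Optional[dict]:
    """Map one forwarded line onto the dns.bind.query fields, or return None
    when the line is not a query event (e.g. a dns.bind.info line)."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    q = QUERY_RE.match(m['msg'])
    if not q or q['category'] != 'queries':
        return None
    return {
        'machine': m['host'], 'tag': m['tag'],
        'srcIp': q['ip'], 'srcPort': int(q['port']),
        'name': q['name'], 'class': q['cls'], 'type': q['type'],
        'flags': q['flags'], 'dnsServer': q['server'],
        'rawMessage': m['msg'],
    }


if __name__ == '__main__':
    print(parse_query_event(QUERY_LINE))
    print(parse_query_event(INFO_LINE))  # None: not a queries-category event
```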