How do you enable query logging on DNS Server?


shadowmac
You must edit your named.conf file; the standard logging statement looks like this:







logging {
    channel querylog {
        file "/var/log/querylog";
        severity debug 10;
        print-category yes;
        print-time yes;
        print-severity yes;
    };
    category queries { querylog; };
};





BUT a more detailed statement would break the logging up into separate channels, like this:








logging {
    channel default_file {
        file "/var/log/named/default.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel general_file {
        file "/var/log/named/general.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel database_file {
        file "/var/log/named/database.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel security_file {
        file "/var/log/named/security.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel config_file {
        file "/var/log/named/config.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel resolver_file {
        file "/var/log/named/resolver.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel xfer-in_file {
        file "/var/log/named/xfer-in.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel xfer-out_file {
        file "/var/log/named/xfer-out.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel notify_file {
        file "/var/log/named/notify.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel client_file {
        file "/var/log/named/client.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel unmatched_file {
        file "/var/log/named/unmatched.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel queries_file {
        file "/var/log/named/queries.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel network_file {
        file "/var/log/named/network.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel update_file {
        file "/var/log/named/update.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel dispatch_file {
        file "/var/log/named/dispatch.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel dnssec_file {
        file "/var/log/named/dnssec.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel lame-servers_file {
        file "/var/log/named/lame-servers.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };

    category default { default_file; };
    category general { general_file; };
    category database { database_file; };
    category security { security_file; };
    category config { config_file; };
    category resolver { resolver_file; };
    category xfer-in { xfer-in_file; };
    category xfer-out { xfer-out_file; };
    category notify { notify_file; };
    category client { client_file; };
    category unmatched { unmatched_file; };
    category queries { queries_file; };
    category network { network_file; };
    category update { update_file; };
    category dispatch { dispatch_file; };
    category dnssec { dnssec_file; };
    category lame-servers { lame-servers_file; };
};

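As an added example (not code from the post above), here is a small Python parser for the lines a 'queries' channel such as the querylog one produces, tolerant of print-time, print-category and print-severity being on or off, with a per-client and per-qtype summary for spotting one source hammering the server. The sample lines are constructed to follow BIND 9's query-log layout; the "@0x..." client pointer is assumed optional since older releases omit it.

```python
import re
from collections import Counter

# One BIND 9 query-log line.  The timestamp, category and severity prefixes are
# each optional because they appear only when the channel sets print-time,
# print-category and print-severity to yes.  Assumed layout (BIND 9.x):
#   [time] [category:] [severity:] client [@0x...] IP#port (name): query: QNAME CLASS TYPE FLAGS (server)
SEVERITIES = r"critical|error|warning|notice|info|debug(?: \d+)?"
QUERY_LINE = re.compile(
    r"^(?:(?P<time>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) )?"
    r"(?:(?P<category>(?!(?:" + SEVERITIES + r"):)[\w-]+): )?"   # a severity is not a category
    r"(?:(?P<severity>" + SEVERITIES + r"): )?"
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<client>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\((?P<name>[^)]*)\): query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>\S+)(?: \((?P<server>[^)]+)\))?$"
)

def parse_query_line(line):
    """Return a dict of fields for a query-log line, or None if it is not one."""
    m = QUERY_LINE.match(line.strip())
    return m.groupdict() if m else None

def summarize(lines):
    """Count parsed queries per client address and per record type; lines that
    are not query-log lines (e.g. zone loads from another category) are skipped."""
    per_client, per_qtype, skipped = Counter(), Counter(), 0
    for line in lines:
        rec = parse_query_line(line)
        if rec is None:
            skipped += 1
            continue
        per_client[rec["client"]] += 1
        per_qtype[rec["qtype"]] += 1
    return {"clients": per_client, "qtypes": per_qtype, "skipped": skipped}

# Constructed sample: lines 1-2 from a channel with all three print-* options on
# (as in the querylog channel above), line 3 with print-time off, line 4 is a
# 'general' category line that must be skipped.
SAMPLE = [
    "26-Mar-2024 10:15:32.123 queries: info: client @0x7f3c2c0 192.0.2.10#53214 "
    "(www.example.com): query: www.example.com IN A +E(0)K (192.0.2.1)",
    "26-Mar-2024 10:15:32.456 queries: info: client @0x7f3c2c0 192.0.2.10#53215 "
    "(example.com): query: example.com IN MX + (192.0.2.1)",
    "queries: info: client 2001:db8::5#40000 (mail.example.net): query: mail.example.net IN AAAA +T (192.0.2.1)",
    "26-Mar-2024 10:15:33.000 general: info: zone example.com/IN: loaded serial 2024032601",
]

if __name__ == "__main__":
    print(summarize(SAMPLE))
```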

A great resource is the PRO DNS and BIND book.





logging {
   [ channel channel_name {
     ( file path_name
         [ versions ( number | unlimited ) ]
         [ size size_spec ]
       | syslog syslog_facility
       | stderr
       | null );
     [ severity (critical | error | warning | notice |
                 info | debug | dynamic ); ]
     [ print-category yes | no; ]
     [ print-severity yes | no; ]
     [ print-time yes | no; ]
   }; ]
   [ category category_name {
     channel_name ; [ channel_name ; ... ]
   }; ]
   ...
};


 





 


 



channel channel_name



BIND will accept multiple channel definitions in a single logging statement. 'channel_name' is normally written as a non-space name, for instance, my_channel but it can be written as a quoted string, for instance, "my channel". It is an arbitrary but unique name used to associate the category statement with this channel definition or it may take one of the standard (pre-defined) values below:



  • "default_syslog" log everything to syslog (default logging destination)

  • "default_debug"

  • "default_stderr" output to stderr (normally the console)

  • "null" discard all log entries (write to /dev/null)

file



'path_name' is a quoted string defining the absolute path to the logging file, for example, "/var/log/named/namedlog.log". From the grammar above 'file', 'syslog', 'stderr' and 'null' are mutually exclusive for a 'channel'. 



 



versions



'versions' may take the parameter 'number' or 'unlimited' and defines the number of file versions that should be kept by BIND. Version files are created by BIND by appending .0, .1 etc. to the file name defined by the file parameter. Files are 'rolled' (renamed or overwritten) so .0 will always contain the last log information prior to commencing the new log, .1 the next and so on. 'unlimited' currently implies 'versions 99'. Unless a size parameter is used, new log versions will only be 'rolled' when BIND is restarted. If no versions statement is defined, a single log file of unlimited size is used and on restart new data is appended to the defined file. This can get to be a very big file.



 



size size_spec



'size' allows you to define a limit to the file size created. A numeric-only size_spec value is assumed to be the size in bytes; you may use the short forms k or K, m or M, g or G, e.g. 25m = 25000000. size and versions are related in the following way:



  • If you specify a size value and NO versions parameter when the size limit is reached BIND will stop logging until the file size is reduced to below the threshold defined i.e. by deleting or truncating the file.

  • If you specify a size AND a versions parameter the log files will be 'rolled' (renamed and overwritten as defined in the versions section above) when the size limit is reached.

  • If you specify NO size AND a versions parameter the log files will be 'rolled' (renamed and overwritten as defined in the versions section above) only when BIND is restarted.

syslog syslog_facility



'syslog' indicates that this channel will use syslogd logging features (as defined in syslog.conf). The syslog_facility is the facility definition for 'syslog' and may be found in syslog's man pages. From the grammar above 'file', 'syslog', 'stderr' and 'null' are mutually exclusive for a 'channel'. 



 



stderr



'stderr' writes to the current standard out and would typically be only used for debug purposes. From the grammar above 'file', 'syslog', 'stderr' and 'null' are mutually exclusive for a 'channel'. 



 



null



'null' writes to /dev/null - the bit bucket, nowhere. It does not produce a log. From the grammar above 'file', 'syslog', 'stderr' and 'null' are mutually exclusive for a 'channel'. 



 



severity



Severity - Description

  • critical - only critical errors.

  • error - error and above.

  • warning - warning and above.

  • notice - notice and above.

  • info - info and above - log starting to get chatty.

  • debug - debug and above. Various debug levels can be defined with 'debug 0' meaning no debugging.

  • dynamic - debug and above. Means assume the global debug level defined by either the command line parameter -d or by running rndc trace.



 



print-time yes | no



Controls whether the date and time are written to the output channel (yes) or not (no). The default is 'no'. 



 



print-severity yes | no



Controls whether the severity level is written to the output channel (yes) or not (no). The default is 'no'. 



 



print-category yes | no



Controls whether the severity level is written to the output channel (yes) or not (no). The default is 'no'. 



 



category category_name



Controls what categories are logged to the various defined or default 'channel_names'. The category_name (a quoted string, for example, "default") may take one of the following values:



 



Example:







logging {
  channel simple_log {
    file "/var/log/named/bind.log" versions 3 size 5m;
    severity warning;
    print-time yes;
    print-severity yes;
    print-category yes;
  };
  category default {
    simple_log;
  };
};




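As an added example (not part of the post or of the book it quotes), here is a small in-memory Python model of the size and versions rules described above: size without versions stops logging at the limit, size with versions rolls the file, versions without size rolls only on restart. It models the book's description (decimal units, 25m = 25000000), not BIND's own implementation; the channel path is a constructed sample.

```python
import re

# Unit multipliers as the size_spec text above describes them (25m = 25000000).
UNITS = {"": 1, "k": 1000, "m": 1000 ** 2, "g": 1000 ** 3}

def parse_size_spec(spec):
    """'5m' -> 5000000, '512k' -> 512000; a bare number is bytes."""
    m = re.fullmatch(r"(\d+)([kKmMgG]?)", spec.strip())
    if not m:
        raise ValueError(f"bad size_spec: {spec!r}")
    return int(m.group(1)) * UNITS[m.group(2).lower()]

class FileChannel:
    """Model of one 'file' channel: `files` maps path -> contents, and
    path.0, path.1, ... hold the rolled (older) versions, .0 being the newest."""

    def __init__(self, path, versions=None, size=None):
        self.path = path
        self.versions = 99 if versions == "unlimited" else (versions or 0)
        self.limit = parse_size_spec(size) if size else None
        self.files = {path: ""}
        self.dropped = 0  # writes refused because size was reached with no versions

    def roll(self):
        """path.N-2 -> path.N-1, ..., path.0 -> path.1, path -> path.0, fresh path."""
        if not self.versions:
            return
        for n in range(self.versions - 1, 0, -1):
            older = f"{self.path}.{n - 1}"
            if older in self.files:
                self.files[f"{self.path}.{n}"] = self.files.pop(older)
        self.files[f"{self.path}.0"] = self.files[self.path]
        self.files[self.path] = ""

    def write(self, msg):
        """Append one message; returns False when the channel refuses to log."""
        if self.limit is not None and len(self.files[self.path]) >= self.limit:
            if not self.versions:
                self.dropped += 1     # size, NO versions: logging stops at the limit
                return False
            self.roll()               # size AND versions: roll when the limit is reached
        self.files[self.path] += msg  # no size: the file just keeps growing
        return True

    def restart(self):
        """BIND restart: versions without size rolls only here; no versions appends."""
        self.roll()
```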
