LinuxQuestions.org

LinuxQuestions.org > Slackware > Chroot-BIND Logging
http://www.linuxquestions.org/questions/slackware-14/chroot-bind-logging-4175470870/

tronayne 07-25-2013 08:27 AM

Chroot-BIND Logging
 
Following the step-by-step in http://en.tldp.org/HOWTO/Chroot-BIND-HOWTO-2.html, I've hit the "huh?" point at the Logging section:
Quote:

2.5 Logging

Unlike a conventional jailbird, BIND can't just scribble its log entries on the walls :-). Normally, BIND logs through syslogd, the system logging daemon. However, this type of logging is performed by sending the log entries to the special socket /dev/log. Since this is outside the jail, BIND can't use it any more. Fortunately, there are a couple of options to work around this.

The Ideal Solution

The ideal solution to this dilemma requires a reasonably recent version of syslogd which supports the -a switch introduced by OpenBSD. Check the manpage for your syslogd(8) to see if you have such a version.

If you do, all you have to do is add the switch ``-a /chroot/named/dev/log'' to the command line when you launch syslogd. On systems which use a full SysV-init (which includes most Linux distributions), this is typically done in the file /etc/rc.d/init.d/syslog. For example, on my Red Hat Linux system, I changed the line

daemon syslogd -m 0

to

daemon syslogd -m 0 -a /chroot/named/dev/log

Interestingly, as of Red Hat 7.2, Red Hat has apparently made this process even easier. There is now a file called /etc/sysconfig/syslog in which extra parameters for syslogd can be defined.

On Caldera OpenLinux systems, they use a daemon launcher called ssd, which reads configuration from /etc/sysconfig/daemons/syslog. You simply need to modify the options line to look like this:

OPTIONS_SYSLOGD="-m 0 -a /chroot/named/dev/log"

Similarly, on SuSE systems, I'm told that the best place to add this switch is in the /etc/rc.config file. Changing the line

SYSLOGD_PARAMS=""

to read

SYSLOGD_PARAMS="-a /chroot/named/dev/log"

should do the trick.

And, last but not least, for FreeBSD 4.3 you can apparently just edit the rc.conf file and put in the following:

syslogd_flags="-s -l /chroot/named/dev/log"

The -s is for security reasons, and is part of the default settings. The -l is a local path on which to put another logging node.

Once you've figured out how to make this change for your system, simply restart syslogd, either by killing it and launching it again (with the extra parameters), or by using the SysV-init script to do it for you:

# /etc/rc.d/init.d/syslog stop
# /etc/rc.d/init.d/syslog start

Once it's been restarted, you should see a ``file'' in /chroot/named/dev called log, that looks something like this:

srw-rw-rw- 1 root root 0 Mar 13 20:58 log

The Other Solutions

If you have an older syslogd, then you'll have to find another way to do your logging. There are a couple programs out there, such as holelogd, which are designed to help by acting as a ``proxy'' and accepting log entries from the chrooted BIND and passing them out to the regular /dev/log socket.

Alternatively, you can simply configure BIND to log to files instead of going through syslog. See the BIND documentation for more details if you choose to go this route.
Question is, what happens if I do something similar to this:
Code:

daemon syslogd -m 0 -a /chroot/named/dev/log
in /etc/rc.d/rc.syslog where, I think, it would look like
Code:

syslogd_start() {
  if [ -x /usr/sbin/syslogd -a -x /usr/sbin/klogd ]; then
    echo -n "Starting sysklogd daemons:  "
    echo -n "/usr/sbin/syslogd "
    # '-a /chroot/named/dev/log' = also listen on a log socket inside the BIND jail
    /usr/sbin/syslogd -m 0 -a /chroot/named/dev/log
    # prevent syslogd/klogd race condition on SMP kernels
    if ps acx | grep -q udevd ; then
      while [ ! -e /dev/log ] ; do
        sleep 0
      done
    else
      sleep 1
    fi
    echo "/usr/sbin/klogd -c 3 -x"
    # '-c 3' = display level 'error' or higher messages on console
    # '-x' = turn off broken EIP translation
    /usr/sbin/klogd -c 3 -x
  fi
}

I'm trying to run BIND in a jail, but I'm wondering whether everything will get logged in the jail?

Or is there a better way?

[EDIT]
Other daemons, e.g., hp-upgrade and apcupsd, write to syslog -- it seems like that could cause a problem, so maybe figuring out how to have BIND log would be worthwhile?
[/EDIT]

number22 07-25-2013 01:22 PM

I use the file option; the top directory is the chroot. For example, file "/logs/named.log" is actually /chroot/logs/named.log. Change severity to debug if you want to log everything.
Just create a new (or modify the existing) syslog file in /etc/logrotate.d if you need to back up and gzip the log file.

tronayne 07-25-2013 03:36 PM

Never done this, so please bear with me.

Looking at the manual page for named.conf, there is a section:
Code:

LOGGING
          logging {
                channel string {
                    file log_file;
                    syslog optional_facility;
                    null;
                    stderr;
                    severity log_severity;
                    print-time boolean;
                    print-severity boolean;
                    print-category boolean;
                };
                category string { string; ... };
          };

And I'm thinking that I would specify the file as /chroot/logs/named.log (and create the directory and possibly the file) and comment-out or delete the syslog optional_facility line?

number22 07-26-2013 02:16 AM

http://ftp.isc.org/isc/bind9/cur/9.8...html#id2575763

Code:

logging {
    channel simple_log {
        file "/yourlogdir/yourlogfilename.log" versions 3 size 10m;
        severity debug 3;
        print-time yes;
        print-severity yes;
    };
    category default {
        simple_log;
    };
};

Under category you will find different subsections (general, network, security, database, etc., besides default). You can add more channels to the logging section if you want to split the logged events into different files.

Code:

logging {
    channel simple_log {
        file "/yourlogdir/yourlogfilename.log" versions 3 size 10m;
        severity debug 3;
        print-time yes;
        print-severity yes;
    };
    channel querylog {
        file "/yourlogdir/querylog" versions 3 size 10m;
        severity debug 3;
        print-category yes;
        print-time yes;
        print-severity yes;
    };
    category default {
        simple_log;
    };

    category queries {
        querylog;
    };
};

Within the chroot, your log file is under the /yourlogdir directory (no need to specify the full directory tree). On your file system it is located under /chroot/yourlogdir/, so your backup system can locate the file.
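An added example, not code from this thread or from ISC: POSIX sh helpers that make the chroot path mapping from the two posts above explicit, create the in-jail log directory with ownership that only lets named write to it, emit a logging stanza in the form number22 shows, and check the syslogd socket that the HOWTO quoted in the first post relies on. It assumes the jail root /chroot/named and the user name "named" from that HOWTO (named started with -t /chroot/named -u named); the function names are mine.

```shell
#!/bin/sh
# Added example for BIND file logging inside a chroot.
# Assumptions (hypothetical, from the HOWTO quoted above):
#   jail root   : /chroot/named
#   named runs  : named -u named -t /chroot/named
# Only the chown step needs root.

# Map the path named sees inside the jail onto the real filesystem path.
# named.conf must use the in-jail path ("/logs/named.log"); backup scripts,
# logrotate and tail(1) need the host path ("/chroot/named/logs/named.log").
host_path() {
  # $1 = jail root, $2 = path exactly as written in named.conf (absolute)
  case "$2" in
    /*) printf '%s%s\n' "${1%/}" "$2" ;;
    *)  echo "host_path: '$2' is not an absolute in-jail path" >&2; return 1 ;;
  esac
}

# Create the log directory under the jail: owned by the named user and not
# writable by anyone else, so nothing else that lands in the jail can truncate
# or replace the log.  Prints the host path of the directory.
prepare_log_dir() {
  # $1 = jail root, $2 = in-jail log file path, $3 = owner user (optional)
  hp=$(host_path "$1" "$2") || return 1
  dir=$(dirname "$hp")
  mkdir -p "$dir" && chmod 0750 "$dir" || return 1
  if [ -n "$3" ] && [ "$(id -u)" -eq 0 ]; then
    chown "$3" "$dir" || return 1
  fi
  echo "$dir"
}

# The HOWTO's "syslogd -a <jail>/dev/log" must leave a unix socket at that
# path; if it is missing, anything in the jail that still logs via syslog
# writes into nothing and the loss is silent.
chroot_syslog_socket_ok() {
  # $1 = jail root
  [ -S "${1%/}/dev/log" ]
}

# Emit a logging stanza using in-jail paths.  "versions 3 size 10m" makes
# named rotate each file itself (current file plus three old ones, 10 MiB
# each), so no logrotate entry is needed for these files.  The presence of
# the "queries" category is what turns query logging on; the size cap is
# what keeps that sane on a busy server.
logging_stanza() {
  # $1 = in-jail path of the general log, $2 = in-jail path of the query log
  cat <<EOF
logging {
    channel simple_log {
        file "$1" versions 3 size 10m;
        severity info;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel querylog {
        file "$2" versions 3 size 10m;
        severity info;
        print-time yes;
    };
    category default { simple_log; };
    category queries { querylog; };
};
EOF
}

# Validate named.conf the way named will read it: -t chroots named-checkconf
# to the jail so include paths and the file channels resolve in-jail.
check_conf() {
  # $1 = jail root, $2 = named.conf path as seen inside the jail
  if command -v named-checkconf >/dev/null 2>&1; then
    named-checkconf -t "$1" "$2"
  else
    echo "named-checkconf not installed; skipping syntax check" >&2
  fi
}
```

Typical order as root: `prepare_log_dir /chroot/named /logs/named.log named`, paste the output of `logging_stanza /logs/named.log /logs/query.log` into the jail's named.conf, then `check_conf /chroot/named /etc/named.conf` before restarting named. If you keep the syslog route from the HOWTO instead, `chroot_syslog_socket_ok /chroot/named` after restarting syslogd is the check that the -a switch actually took effect.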

wildwizard 07-26-2013 04:02 AM

named hasn't required the use of syslogd for years now, so yes, you can omit the config line that enables it and just log directly to files you specify.

Also, if you want log rotation, named will do it itself: look at the end of the lines quoted by number22 and you will see the number of files as 'version #' and the max file size for each as 'size #'.

tronayne 07-26-2013 09:10 AM

Thank you @number22, that pretty much explains it (and the example helps a lot, too).

