Bind Queries log file format

Paul Roberts paul at callevanetworks.com
Wed Feb 8 01:03:28 UTC 2017


I have to say I agree with the approach of putting this extra info into a separate file. I appreciate this could cause additional problems (disk utilisation, extra I/Os, log rolling etc.) but I would prefer to keep the query log format as stable as possible. I am still mopping up the last big change when ISC added the FQDN reference at the start of each message and I'm getting a little tired of dealing with customers and their broken regexes when log formats change because they've upgraded BIND.

There are also wider implications - there are products out there that hard-code the regex and it can't be modified, so that then requires dealing with vendors, submitting bug reports/enhancement requests, providing evidence, business impact statements, also I have to perform root cause analysis for customers why their SIEM is no longer capturing the logs, which can have serious regulatory implications and consequences (banks etc.), then there's testing every upgrade in the lab before we run in production etc., I have enough work on my plate as it is! :-)

Basically there's a whole world of pain out there that can be avoided if you just keep the log format the same. :-)

Thanks,

Paul

-----Original Message-----
From: bind-users [mailto:bind-users-bounces at lists.isc.org] On Behalf Of MURTARI, JOHN
Sent: 06 February 2017 17:05
To: bind-users at lists.isc.org
Subject: RE: Bind Queries log file format

[snip]

> The additional logging info is specifically for the unusual bugs, 
> which happen very rarely - asking customers to enable the additional 
> logs after a rare event (which might not happen again for months /
> years) means that ISC cannot hunt down and squash the corner case 
> bugs...

	I can understand the above.  ISC needs the data to help debug a once-in-a-blue-moon crash.  But many busy sites do not have query logging turned on at all (or only run sampling periods) and would not benefit anyway.

	It would seem this debug info should be moved to a separate log used only for that purpose and always 'on'. But that brings up other issues....

	I've been a sys admin for many years.  If a utility crashes enough to bother me I'll turn on more detailed logging.....

John
	
