how to log to a remote logging server (syslog-ng) from a chroot'ed BIND9?

Jens Grigel jens.grigel at sskm.de
Mon Jul 26 12:31:14 UTC 2004


On Mon, 2004-07-26 at 09:28, OpenMacNews wrote: 
> hi all,
> 
> i've BIND9 installed in a chroot jail on MacOSX 10.3.4.
> 
> 'til now, i've been logging to files in the (chroot)/var/log dir.
> 
> i've set up a central/remote logging server (syslog-ng), and would like to capture/send the chroot'ed BIND9's logs to the remote server ...
> 
> in considering this scenario, tho, i've managed to get a bit confused .... so, a couple of questions:
> 
>    (1) the logging statement in named.conf clearly has the option to capture to a "syslog daemon" channel ...
> but how do i capture to a NON-syslog (i.e., in this case, 'syslog-ng's daemon) daemon?
> 
>    (2) do i need to capture first to a local syslog-ng daemon instance, then send/x-fer to a remote, or can BIND9 be set up to speak 'directly' to the remote server?

You can not log to a remote syslog server directly from bind.

The bind logging channel syslog will always talk to a local daemon via
the /dev/log socket (at least on Linux, I suppose OSX will not behave
very differently).
In a chrooted environment you have to create an additional socket in the
jail when starting syslogd, as bind cannot access the system's default
socket /dev/log from its jail.

If you're running a local syslog daemon append the option:
  -a /bindjail/dev/log 
to the syslogd start options to create the socket.

If you're running a local syslog-ng daemon add: 
  source bindlog { unix-stream("/bindjail/dev/log"); };
to the syslog-ng configuration.
The local syslog/syslog-ng daemon can then forward the messages to the
remote central syslog-ng server.

>    (3) am i completely defeating the security of the chroot jail by sending logs _outside_?
> 
> any pointers, suggestions, etc -- or better yet a relevant howto URL -- would be very much appreciated!

for bind chroot howto check out:
http://www.tldp.org/HOWTO/Chroot-BIND-HOWTO.html

for syslog-ng faq check out:
http://www.campin.net/syslog-ng/faq.html#chroot

Hope that helps,
Jens
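
The chain described in the reply above, put together end to end as an added example (not part of the original message or of either project's documentation): named logs to the socket in its jail, the local syslog-ng listens there and forwards to the central server. The jail path /bindjail and the source name bindlog come from the reply; the channel name, the destination name, the address 192.0.2.10 and UDP port 514 are assumptions.

```conf
# --- named.conf (the copy inside the jail) ---
# Send BIND's messages to the local syslog socket. named resolves the
# socket path relative to its chroot, so /dev/log (the path given in the
# reply) is /bindjail/dev/log as seen from the host.
logging {
    channel jail_syslog {            # channel name is an assumption
        syslog daemon;               # "syslog daemon" channel from the question
        severity info;
    };
    category default { jail_syslog; };
};

# --- syslog-ng.conf (local daemon, running outside the jail) ---
# Create and listen on the additional socket inside the jail.
source bindlog { unix-stream("/bindjail/dev/log"); };

# Central syslog-ng server. 192.0.2.10 and port 514 are placeholders.
destination central { udp("192.0.2.10" port(514)); };

# Forward everything that arrives on the jail socket to the central server.
log { source(bindlog); destination(central); };
```

The dev directory must exist inside the jail before the local daemon starts, since the daemon creates the socket there.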




