Split view logging?

Gregory Hicks ghicks at hicks-net.net
Thu Nov 19 22:55:37 UTC 2009 

> From: Chris Buxton <cbuxton at menandmice.com>
> Date: Tue, 17 Nov 2009 08:16:18 -0800
> 
> On Nov 17, 2009, at 7:02 AM, John Horne wrote:
> 
> > Hello,
> > 
> > Using BIND 9.5.1, is it possible to configure split view logging -
> > that is, a separate logging channel/category for different views?
> > I'm trying to separate out the queries of our local clients from
> > the external ones.
> 
> No, not using views. The logging statement, like the options
> statement, is a singleton statement type.
> 
> You would have to stand up separate instances of named, with separate
> configs, to achieve your goal.

Well, not exactly...

I have two views:  "trusted" (hosts on my internal LAN), and "external"
(hosts external to my LAN).  I want queries logged from my internal LAN
to /var/log/named.trusted.{0-9} and all other queries to go to
/var/log/named.external.{0-9}.  I've also got some odd sods and trash
going to other log files...

First, create a 'pipe' in the /var/log directory with the name of the
logging file.  (You probably want to do this in the named startup
script.)  Log absolutely EVERYTHING to the log file.

Here are three sample log entries coming from the 'pipe':

19-Nov-2009 14:39:30.701 queries: info: client 127.0.0.1#50776: view trusted: query: reutersukmedia.outbound.ed10.com IN A +

19-Nov-2009 14:40:01.923 queries: info: client 213.91.4.46#59094: view external: query: _policy._domainkey.hicks-net.net IN TXT -EDC

19-Nov-2009 14:41:00.712 queries: info: client 127.0.0.1#50777: view trusted: query: a3.twimg.com IN A +

Then, as another step in the startup script, do a "read while true" on
the pipe.  Pipe that to a

"grep trusted >>named.trusted | grep external >>named.external | tee
named.log >/dev/null"...  

Stick in as many other grep commands as desired.  (Given my setup,
there isn't much going to named.log...)

Voila!  Separate log files by query location.

(The original incantation for the above was from a mail host that
required two sendmail configs where, of course, all sendmail
messages are logged by the system logger.  One config was for an
incoming 'normal' port.  This one fed received mail to a spam scanner
from...someone.  This spam scanner fed the output to a second sendmail
process.  This setup was required because the scanner software didn't
queue mail for delivery.  The setup, while somewhat awkward, worked
fine and lasted a long time...)

You will also have to configure log rotation yourself since the "pipe"
never reaches the stated size.

Regards,
Gregory Hicks

---------------------------------------------------------------------
Gregory Hicks                           | Principal Systems Engineer
                                        | Direct:   408.569.7928

People sleep peaceably in their beds at night only because rough men
stand ready to do violence on their behalf -- George Orwell

The price of freedom is eternal vigilance.  -- Thomas Jefferson

"The best we can hope for concerning the people at large is that they
be properly armed." --Alexander Hamilton

More information about the bind-users mailing list