Syslog with BIND on CentOS

[John Thurston]

Many years ago, when we ran ISC BIND on Solaris, we created a logging 
channel to send the logged-queries to the local syslogd. We then had our 
local syslogd forward most of the traffic on to a central syslog server.

I just tried to re-implement something like that on CentOS, and thought 
I had it working . . until it was exposed to full production traffic 
load. The output to our central syslog server was truncated, and my 
local system log was filled with messages saying jourald was activating 
ratelimiting. !?

My subsequent read of the docs indicates that BIND on CentOS 7, while 
being told it is sending to 'syslogd', is sending to 'journald' which is 
handling all the messages and forwarding them on to 'syslogd'. I don't 
want journald handling my thousands of messages per second from BIND. I 
don't want that information in my journal logs. I just want it out in 
the central syslog server.

Is there some direct way to get the logging channel of BIND pointed 
directly into the local syslogd? (which would then apply its forwarding 
rules to get traffic to the central syslog server)

I thought about trying to rip jourald out entirely, and quickly decided 
that was a path to madness.

The only thing I can come up with is to activate dnstap, and have some 
other process absorbing the data and spewing it directly to the central 
syslogd.

-- 
--
Do things because you should, not just because you can.

John Thurston    907-465-8591
John.Thurston at alaska.gov
Department of Administration
State of Alaska