Question regarding newsyslog.conf and Bind logs

Greg Choules gregchoules+bindusers at googlemail.com
Thu Aug 25 22:04:02 UTC 2022


Hi again J.
If I understand correctly, you want to enable querylog on a busy recursive
server permanently, rotate the files once a day and don't care if you lose
some logs because the number of queries on a busy day generates more data
than the specified log file is allowed to contain.

My question has to be, why?

Firstly, querylog is not an efficient way to record information about what
your clients are doing; dnstap is far more efficient if you want a record
of some or all information about queries and/or their responses. If using
files to retain this information, the rotation choices are the same as for
channels. If your server is only handling a few 10s or 100s of QPS, querylog
will do. But if it's handling 1000s of times more than that you will cause it
unnecessary extra stress and dnstap is your friend.

Secondly, if you insist on using querylog (actually, this also applies to
dnstap), why not just leave named to rotate the files based on size and
number, allowing for the set of files to be easily large enough to contain
(say) a week's worth of data? Then you could run a cron job to grep today's
logs and do what you want with them. You don't have to worry about other
processes sending commands to named to cause something to happen, it just
gets on with it.

/soapbox.

On Thu, 25 Aug 2022 at 22:08, J Doe <general at nativemethods.com> wrote:

> On 2022-08-25 16:46, Richard T.A. Neal wrote:
>
> > Hi J,
> >
> > I'm coming a little late to the party on this one and I think you might
> > struggle to do rotation based on both date/time *and* file size, but I use
> > logrotate to rotate all of my BIND logs daily, keeping 31 days of logs. And
> > you'll see that one of the last things that logrotate does is to call [rndc
> > reconfig] which causes BIND to generate fresh log files in place of the
> > rotated ones.
> >
> > My BIND logging itself is set up based largely on the configuration
> > described here:
> > https://kb.isc.org/docs/aa-01526
> >
> > My logrotate.conf file then looks like the following, which itself
> > is based on this:
> > https://ixnfo.com/en/logrotate-bind9.html
> >
> > #-----------------------------------------
> > # RTAN BIND 9 daily log rotation
> > #
> > # Note that the log file won't rotate until at least one day AFTER you set this for the first time.
> > # Eg if you create this file on a Wednesday then they won't rotate for the first time until THURSDAY night:
> > #
> > # https://serverfault.com/questions/375004/logrotate-not-rotating-the-logs
> > #-----------------------------------------
> >
> > /var/log/named/*.log
> > {
> >    olddir /var/log/named/archived
> >    compress
> >    create 0644 bind bind
> >    daily
> >    dateext
> >    missingok
> >    notifempty
> >    rotate 31
> >    sharedscripts
> >    postrotate
> >      /usr/sbin/rndc reconfig > /dev/null 2>/dev/null || true
> >    endscript
> > }
> > #-----------------------------------------
> >
> > Best,
> > Richard.
>
> Hi Richard,
>
> Thank you for your reply.  I am not attempting to configure the server
> so that rotation is based on size *and* time.  The size configuration in
> the logging stanza was more to put an upper limit on a log *before* it
> is rotated.  I could drop the parts that mention 2 versions and
> incrementing the filename and just keep: size 1G.
>
> Let's say it's an extremely busy day and my Bind recursive resolver logs
> are getting really big.  I want the maximum size a day's logs can be
> *before* they are compressed to be 1G.  I am aware that if the server is
> still under heavy load that queries past that point will not be logged.
>
> Then, at the end of the day, newsyslog compresses the logs and rotates
> them so that I keep 7 days' worth of compressed logs.
>
> The logrotate your example uses looks good, but I'm on a very minimal
> OpenBSD 7.1 host.  I could add the logrotate package, but newsyslog is
> in the base system and I already use it for doing the same kind of log
> rotation for my firewall logs, so I was hoping to stick to newsyslog.
>
> The postrotate directive in the logrotate example you sent me was what I
> was basing my newsyslog config on, as it uses rndc and not pkill SIGHUP.
>
> I am assuming it would work with newsyslog, or am I incorrect about that?
>
> Thanks again,
>
> - J
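Added example, not part of the original thread: a sketch of the cron-side filter the reply describes, run over a file set that named rotates by size and number. It assumes a file channel with `print-time yes`, the default numbered versions (`.0` newest), and a hypothetical log name `queries.log`; the sample log lines are constructed.

```shell
#!/bin/sh
# Added example: pull one day's lines out of a query-log set that named
# rotates itself (file channel with "versions", "size" and "print-time yes").

# Today's date as named prints it, e.g. 25-Aug-2022. LC_ALL=C keeps the
# month abbreviation in English whatever locale cron runs under.
day_stamp() {
    LC_ALL=C date +%d-%b-%Y
}

# queries_for_day LOGFILE [DAY]
# Prints every line stamped DAY, oldest rotated version first, live file last.
queries_for_day() {
    log=$1
    day=${2:-$(day_stamp)}
    {
        # named numbers versions .0 (newest) upwards, so sort descending.
        for f in "$log".[0-9]*; do
            if [ -f "$f" ]; then printf '%s %s\n' "${f##*.}" "$f"; fi
        done | sort -rn | cut -d' ' -f2-
        if [ -f "$log" ]; then printf '%s\n' "$log"; fi
    } | while IFS= read -r f; do
        # Match the date only as the leading timestamp, never inside a
        # query name that happens to contain the same text.
        grep -- "^$day " "$f" || true
    done
}

# make_sample_logs DIR: constructed sample data, not real query logs.
make_sample_logs() {
    q='queries: info: client @0x0 192.0.2.10#5300'
    printf '%s\n' \
        "24-Aug-2022 23:59:58.100 $q (a.example): query: a.example IN A + (192.0.2.53)" \
        "25-Aug-2022 00:00:01.200 $q (b.example): query: b.example IN A + (192.0.2.53)" \
        > "$1/queries.log.1"
    printf '%s\n' \
        "25-Aug-2022 12:00:00.300 $q (c.example): query: c.example IN AAAA + (192.0.2.53)" \
        > "$1/queries.log.0"
    printf '%s\n' \
        "25-Aug-2022 23:59:59.400 $q (d.example): query: d.example IN A + (192.0.2.53)" \
        "26-Aug-2022 00:00:00.500 $q (25-Aug-2022.example): query: 25-Aug-2022.example IN A + (192.0.2.53)" \
        > "$1/queries.log"
}
```

Because a day can straddle several rotated files, the filter reads the whole set rather than only the live file; the size and versions settings have to be large enough that the oldest file still reaches back to midnight.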