Question regarding newsyslog.conf and Bind logs

J Doe general at nativemethods.com
Thu Aug 25 23:30:23 UTC 2022


On 2022-08-25 18:04, Greg Choules wrote:
> Hi again J.
> If I understand correctly, you want to enable querylog on a busy 
> recursive server permanently, rotate the files once a day and don't care 
> if you lose some logs because the number of queries on a busy day 
> generates more data than the specified log file is allowed to contain.
> 
> My question has to be, why?
> 
> Firstly, querylog is not an efficient way to record information about 
> what your clients are doing, dnstap is far more efficient if you want a 
> record of some or all information about queries and/or their responses. 
> If using files to retain this information, the rotation choices are the 
> same as for channels. If your server is only handling a few 10s or 100s 
> QPS, querylog will do. But if it's handling 1000s of times more than that 
> you will cause it unnecessary extra stress and dnstap is your friend.
> 
> Secondly, if you insist on using querylog (actually, this also applies 
> to dnstap), why not just leave named to rotate the files based on size 
> and number, allowing for the set of files to be easily large enough to 
> contain (say) a week's worth of data. Then you could run a cron job to 
> grep today's logs and do what you want with them. You don't have to 
> worry about other processes sending commands to named to cause something 
> to happen, it just gets on with it.
> 
> /soapbox.

Hi Greg,

Yes, that's correct.  The size limit for the busy day is actually much 
larger than I think it would ever get.  I want a size limit to ensure 
that the query logs are not eating up too much disk space.  The size 
limit of a day's log will never get that high, but if it does, the disk 
is not filled up.  In that case, I understand logging for that day may 
be incomplete because Bind would stop logging if it did get to 1 G, 
but for this server and the purpose it serves, it's never going to reach 
1 G.

I like to have an upper bound on logs to prevent disk from being filled up.

I am familiar with dnstap but am looking for a more simple solution at 
this time.  I agree it is probably the most correct tool for most jobs, 
but in this case text logs for queries are fine.

I could also do as you suggest with cron and grep, but I'm not concerned 
with sending commands via a separate process (rndc) as that is the 
current method of sending commands to Bind.  The big goal is to have 
compressed logs for 24 hours of queries, holding onto that data for a 
week.  I think that's achievable by newsyslog.

It would be great to know if:

/usr/sbin/rndc reconfig > /dev/null 2>/dev/null || true

...is the correct trigger for named to open a new log.  Can anyone 
provide feedback on that?

Thanks,

- J
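
The alternative raised in the quoted reply (named rotates by size and count, a cron job pulls out each day's entries), sketched as an added example that is not from either poster. It assumes the channel uses `print-time yes` so every line starts with a `DD-Mon-YYYY` stamp; the paths, file names, `archive_day` and `demo` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the thread): named rotates query.log by size and
# count; this job, run from cron, archives one day's entries compressed.
# Assumes "print-time yes" so lines start with a DD-Mon-YYYY stamp.

# archive_day LOGDIR BASENAME OUTDIR DAY [KEEP_DAYS]  -> prints lines archived
archive_day() {
    logdir=$1; base=$2; outdir=$3; day=$4; keep=${5:-7}
    out="$outdir/$base.$day.gz"; tmp="$out.$$"
    mkdir -p "$outdir" || return 1
    # Live file plus whatever numbered versions named has left behind.
    set -- "$logdir/$base"
    for f in "$logdir/$base".[0-9]*; do
        if [ -f "$f" ]; then set -- "$@" "$f"; fi
    done
    # Anchored match on the date stamp; sorting on the time field restores
    # chronological order across the rotated files.
    { LC_ALL=C grep -h -e "^$day " "$@" || true; } \
        | LC_ALL=C sort -k2,2 | gzip -c > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$out" || return 1
    # Drop archives last modified more than KEEP_DAYS days ago.
    find "$outdir" -name "$base.*.gz" -mtime +"$keep" -exec rm -f {} +
    gzip -dc "$out" | wc -l | tr -d ' '
}

# Demo on constructed sample lines (documentation addresses, made-up names).
demo() {
    d=$(mktemp -d) || return 1
    printf '%s\n' \
      '24-Aug-2022 23:59:58.100 client @0x1 192.0.2.10#5300 (a.example): query: a.example IN A + (192.0.2.53)' \
      '25-Aug-2022 00:00:02.200 client @0x2 192.0.2.11#5301 (b.example): query: b.example IN A + (192.0.2.53)' \
      > "$d/query.log.0"
    printf '%s\n' \
      '25-Aug-2022 18:04:01.300 client @0x3 192.0.2.12#5302 (c.example): query: c.example IN AAAA + (192.0.2.53)' \
      > "$d/query.log"
    archive_day "$d" query.log "$d/archive" 25-Aug-2022
    rm -rf "$d"
}
demo
```

The channel's `versions` and `size` settings together have to hold at least one full day of queries, otherwise entries are rotated away before the job runs.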

