I am running a chrooted BIND 9.11 server on FreeBSD 11.2 that has a RPZ configured. It is currently logging RPZ hits in a file, but I would like to (also) send them to syslog.

I can see other log entries (not RPZ) from BIND in /var/log/messages (which is the default destination for syslog), so in general logging to syslog is working (also from the chrooted environment).

It seems that every example or tutorial on the Internet is logging RPZ hits to a file... So I am even wondering if RPZ is somehow special and the logs cannot be written to syslog?

Here is the relevant part of my config as it currently stands:

logging {
  channel normal-log {
    // Without a 'file' statement, logs go to syslog
    syslog daemon;
    severity warning;
  };
  [...]
  channel named-rpz-file {
    file "/var/log/rpz.log" versions 3 size 250k;
    severity info;
    print-time yes;
  };
  channel named-rpz-syslog {
    syslog security;
    severity info;
    print-time yes;
  };
  category rpz {
    named-rpz-file;
    default_syslog;
  };
  // everything else
  category default {
    normal-log;
  };
};

As I do see log entries in /var/log/rpz.log and BIND entries in the default syslog destination (/var/log/messages) I assume both are basically working: syslog and RPZ. But for some strange reason the RPZ entries do not show up in syslog.

Is anybody successfully logging RPZ hits to syslog with (a chrooted) BIND 9? Or does anybody have a tip how this can be debugged (is BIND not sending anything to syslog or is syslog "losing" the message)?

scherand

1 Answer

I think I was able to figure this one out by now.

Apparently BIND does not know about the security syslog facility! Because of that, it kept logging with the default daemon facility and my syslog config did suppress these messages.

See "7.5.1. The Logging Statement" on https://docstore.mik.ua/orelly/networking_2ndEd/dns/ch07_05.htm where security is not mentioned after syslog:

logging {
  [ channel channel_name {
    ( file path_name
       [ versions ( number | unlimited ) ]
       [ size size_spec ]
     | syslog ( kern | user | mail | daemon | auth | syslog | lpr |
                news | uucp | cron | authpriv | ftp |
                local0 | local1 | local2 | local3 |
                local4 | local5 | local6 | local7 )
     | stderr
     | null );

    [ severity ( critical | error | warning | notice |
                 info  | debug [ level ] | dynamic ); ]
    [ print-category yes_or_no; ]
    [ print-severity yes_or_no; ]
    [ print-time yes_or_no; ]
  }; ]

  [ category category_name {
    channel_name; [ channel_name; ... ]
  }; ]
  ...
};

After changing

channel named-rpz-syslog {
    syslog security;
    severity info;
    print-time yes;
};

to

channel named-rpz-syslog {
    syslog local5;
    severity info;
    print-time yes;
};

the log lines suddenly appeared.

scherand

RFC5424: "Facility and Severity values are not normative but often used." See also https://ftp.isc.org/isc/bind9/cur/9.15/doc/arm/Bv9ARM.ch05.html#logging_grammar which states: "Its argument is a syslog facility as described in the syslog man page. Known facilities are kern, user, mail, daemon, auth, syslog, lpr, news, uucp, cron, authpriv, ftp, local0, local1, local2, local3, local4, local5, local6 and local7, however not all facilities are supported on all operating systems. How syslog will handle messages sent to this facility is described in the syslog.conf man page." – Patrick Mevzek Aug 16 '19 at 16:24
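The following is an added worked example in Python; it is not code from the question, the answer or BIND itself. It reproduces the failure chain described above end to end: a channel whose syslog facility is not one of the names in the quoted grammar (treated here, as the answer reports, as falling back to daemon), a category that points at the built-in default_syslog channel (daemon at severity info) while the custom syslog channel goes unused, and a syslog.conf whose /var/log/messages rule only takes *.notice and above, so daemon.info never lands anywhere. Both the named.conf logging block (modelled on the question's) and the syslog.conf (in FreeBSD's default style, plus a local5 rule) are constructed inline; the syslog.conf selector semantics are a simplified BSD model, and the parsing covers only the statements this check needs.

```python
import re

# Facility names BIND accepts in a "syslog" channel (the grammar quoted in the
# answer); per the answer, named silently logs any other name under "daemon".
KNOWN_FACILITIES = {"kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
                    "uucp", "cron", "authpriv", "ftp"} | {f"local{i}" for i in range(8)}
# BIND severities -> syslog priority names; LEVELS runs from least to most severe.
BIND_TO_SYSLOG = {"debug": "debug", "info": "info", "notice": "notice",
                  "warning": "warning", "error": "err", "critical": "crit"}
LEVELS = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
# Channels BIND predefines; default_syslog is facility daemon at severity info.
BUILTIN_SYSLOG = {"default_syslog": ("daemon", "info")}
BUILTIN_OTHER = {"default_debug", "default_stderr", "null"}
_BLOCK = re.compile(r"\b(channel|category)\s+([^\s{]+)\s*\{(.*?)\};", re.S)

def parse_logging(named_conf):
    """channels: name -> {syslog, file, severity}; categories: name -> [channel names]."""
    text = re.sub(r"//[^\n]*|#[^\n]*|/\*.*?\*/", "", named_conf, flags=re.S)
    channels, categories = {}, {}
    for kind, name, body in _BLOCK.findall(text):
        if kind == "channel":
            fac = re.search(r"\bsyslog\s+([^\s;]+)\s*;", body)
            path = re.search(r'\bfile\s+"([^"]+)"', body)
            sev = re.search(r"\bseverity\s+(\w+)", body)
            channels[name] = {"syslog": fac and fac.group(1), "file": path and path.group(1),
                              "severity": sev.group(1) if sev else "info"}  # BIND's default
        else:
            categories[name] = re.findall(r"([^\s;]+)\s*;", body)
    return channels, categories

def audit_logging(named_conf):
    """Misconfigurations that make a syslog channel silently ineffective."""
    channels, categories = parse_logging(named_conf)
    findings = [f"channel {n}: unknown facility '{c['syslog']}', named will use daemon"
                for n, c in channels.items() if c["syslog"] and c["syslog"] not in KNOWN_FACILITIES]
    used = {c for chans in categories.values() for c in chans}
    findings += [f"channel {n}: defined but used by no category" for n in channels if n not in used]
    defined = set(channels) | set(BUILTIN_SYSLOG) | BUILTIN_OTHER
    findings += [f"category {cat}: undefined channel '{c}'"
                 for cat, chans in categories.items() for c in chans if c not in defined]
    return findings

def syslog_targets(named_conf, category):
    """(facility, severity floor) pairs the category really sends to syslog."""
    channels, categories = parse_logging(named_conf)
    out = []
    for c in categories.get(category, []):
        if c in BUILTIN_SYSLOG:
            fac, sev = BUILTIN_SYSLOG[c]
        elif c in channels and channels[c]["syslog"]:
            fac, sev = channels[c]["syslog"], channels[c]["severity"]
        else:
            continue  # file/stderr/null channel: nothing reaches syslog
        out.append((fac if fac in KNOWN_FACILITIES else "daemon", BIND_TO_SYSLOG.get(sev, "info")))
    return out

def syslog_actions(syslog_conf, facility, level):
    """Actions a BSD-style syslog.conf delivers facility.level to (simplified model:
    last matching selector per line wins, 'none' drops, '='/'!' modifiers ignored)."""
    rank, actions = LEVELS.index(level), []
    for raw in syslog_conf.splitlines():
        parts = raw.split("#", 1)[0].strip().split(None, 1)
        if len(parts) != 2 or parts[0][0] in "!+-":  # blank line or program/host block
            continue
        verdict = False
        for sel in parts[0].split(";"):
            facs, _, lvl = sel.partition(".")
            if facs == "*" or facility in facs.split(","):
                verdict = lvl == "*" or (lvl in LEVELS and rank >= LEVELS.index(lvl))
        if verdict:
            actions.append(parts[1])
    return actions

def rpz_hit_destinations(named_conf, syslog_conf):
    """Where an RPZ rewrite (named logs it at severity info) ends up via syslog."""
    return [a for fac, floor in syslog_targets(named_conf, "rpz") if floor in ("debug", "info")
            for a in syslog_actions(syslog_conf, fac, "info")]

# Constructed named.conf logging block mirroring the question's: facility name
# "security", and category rpz pointing at default_syslog, not named-rpz-syslog.
NAMED_CONF_POSTED = """
logging {
  channel normal-log { syslog daemon; severity warning; };  // no 'file': goes to syslog
  channel named-rpz-file { file "/var/log/rpz.log" versions 3 size 250k; severity info; };
  channel named-rpz-syslog { syslog security; severity info; print-time yes; };
  category rpz { named-rpz-file; default_syslog; };
  category default { normal-log; };
};
"""
# The answer's fix (local5), plus pointing category rpz at that channel.
NAMED_CONF_FIXED = (NAMED_CONF_POSTED.replace("syslog security;", "syslog local5;")
                    .replace("default_syslog;", "named-rpz-syslog;"))
# Constructed syslog.conf in FreeBSD's default style: /var/log/messages takes only
# *.notice and above, so daemon.info is dropped; a local5 rule captures RPZ hits.
SYSLOG_CONF = """
*.notice;authpriv.none;kern.debug;lpr.info;mail.crit;news.err\t/var/log/messages
local5.info\t/var/log/rpz-syslog.log
"""
```

Run `audit_logging()` over the real logging block before touching syslog: on the posted configuration it reports both the unknown facility and the unused named-rpz-syslog channel, and `rpz_hit_destinations()` returns nothing because daemon.info falls below the *.notice threshold, whereas the fixed configuration lands in the file the local5 rule names. To confirm the syslog side independently of BIND, `logger -p local5.info "rpz test"` (sent from inside the chroot if that is where named's /dev/log lives) should appear in the same file; if it does not, the problem is syslogd's configuration rather than named's.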