We have named_queries enabled, but in addition to writing to /var/log/named/named_querylog as configured, it’s also writing to /var/log/messages constantly, making it about useless for troubleshooting other, minor DNS issues I have that are beyond the scope of this post.
How do I make this stop?

Actually, I made it stop writing temporarily to /var/log/named/named_querylog because I was getting nervous about disk space.

Now if I can just get it to stop flooding /var/log/messages, I’d reenable the desired log.

Here’s from the named.conf:

[INDENT]logging {

channel “simple_log” {

file “/log/bind.log” versions 3 size 5m;

print-time yes;

print-severity yes;

print-category yes;

};

category default{

“simple_log”;

};

      channel query_logging {

file “/var/log/named/named_querylog” versions 10 size 500M;

      print-time yes;                 // timestamp log entries
    syslog local6; //added by Dave for SEIM test
  };

  category queries {

query_logging;
};

};[/INDENT]

And this is from the syslog-ng.conf file:(ultimately we want to use an external syslog server but right now it’s down so commented out)

[INDENT]

Filter definitions

filter f_named {facility (local6);};
filter f_messages { not facility(news, mail) and not filter(f_iptables); };
(and some other filters here not relevant to the issue)

Enable this and adopt IP to send log messages to a log server.

#destination logserver { udp(“10.111.3.42” port(514)); };
#log { source(src); destination(logserver); };

Logging for Named

destination dnslog { file("/var/log/named/namedquery.log" owner(root) group(root)); };

#log { source(src) ; filter(f_named); destination(dnslog); };
#SEIM Added as destination for dns logs

destination seim { udp(“10.111.254.9” port(514)); };

log { source(src) ; filter(f_named); destination(seim);

All messages except iptables and the facilities news and mail:

destination messages { file("/var/log/messages"); };
log { source(src); filter(f_messages); destination(messages); };

[/INDENT]

I’m thinking something like this: ?

filter f_messages { not facility(news, mail, local6) and not filter(f_iptables, f_named) ; };

On 09/06/2015 21:34, lpphiggp wrote:
[color=blue]

We have named_queries enabled, but in addition to writing to
/var/log/named/named_querylog as configured, it’s also writing to
/var/log/messages constantly, making it about useless for
troubleshooting other, minor DNS issues I have that are beyond the scope
of this post.
How do I make this stop?

Actually, I made it stop writing temporarily to
/var/log/named/named_querylog because I was getting nervous about disk
space.

Now if I can just get it to stop flooding /var/log/messages, I’d
reenable the desired log.

Here’s from the named.conf:

logging {

channel “simple_log” {

file “/log/bind.log” versions 3 size 5m;

print-time yes;

print-severity yes;

print-category yes;

};

category default{

“simple_log”;

};

channel query_logging {

file “/var/log/named/named_querylog” versions 10 size 500M;

print-time yes; // timestamp log entries
syslog local6; //added by Dave for SEIM test
};

category queries {
query_logging;
};

};

And this is from the syslog-ng.conf file:(ultimately we want to use an
external syslog server but right now it’s down so commented out)

Filter definitions

filter f_named {facility (local6);};
filter f_messages { not facility(news, mail) and not
filter(f_iptables); };
(and some other filters here not relevant to the issue)

Enable this and adopt IP to send log messages to a log server.

#destination logserver { udp(“10.111.3.42” port(514)); };
#log { source(src); destination(logserver); };

Logging for Named

destination dnslog { file(“/var/log/named/namedquery.log” owner(root)

group(root)); };
#log { source(src) ; filter(f_named); destination(dnslog); };
#SEIM Added as destination for dns logs

destination seim { udp(“10.111.254.9” port(514)); };

log { source(src) ; filter(f_named); destination(seim);

All messages except iptables and the facilities news and mail:

destination messages { file(“/var/log/messages”); };
log { source(src); filter(f_messages); destination(messages); };

I’m thinking something like this: ?

filter f_messages { not facility(news, mail, local6) and not
filter(f_iptables, f_named) ; };[/color]

Yes you’re on the right track with the above but it should be sufficient
to include f_named within the second filter and not local6 in the
facility test (I can’t recall if including local6 will cause you other
problems). So you would end up with:

filter f_messages { not facility(news, mail) and not
filter(f_iptables, f_named) ; };

HTH.

Simon
SUSE Knowledge Partner

If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below. Thanks.

Thanks… only that doesn’t like that syntax on this box… I get an error on trying to restart syslog with that line.
It’s like it refuses to accept two filters.

new-remus:/etc/syslog-ng # rcsyslog start
Starting syslog servicessyntax error at 100
startproc: exit status of parent of /sbin/syslog-ng: 1
failed
new-remus:/etc/syslog-ng #

The conf is:

88 #
89 # acpid messages
90 #
91 filter f_acpid_full { match(’^acpid:’); };
92 filter f_acpid { level(emerg…notice) and match(’^acpid:’); };
93
94 # this is for the old acpid < 1.0.6
95 filter f_acpid_old { match(’^\[acpid\]:’); };
96
97 filter f_netmgm { match(’^NetworkManager:’); };
98
99 #filter f_messages { not facility(news, mail) and not filter(f_iptables); };
100 filter f_messages { not facility(news, mail) and not filter(f_iptables, f_named) ; };
101 filter f_warn { level(warn, err, crit) and not filter(f_iptables); };
102 filter f_alert { level(alert); };
103

On 10/06/2015 16:44, lpphiggp wrote:
[color=blue]

Thanks… only that doesn’t like that syntax on this box… I get an
error on trying to restart syslog with that line.
It’s like it refuses to accept two filters.

new-remus:/etc/syslog-ng # rcsyslog start
Starting syslog servicessyntax error at 100
startproc: exit status of parent of /sbin/syslog-ng: 1

failed
new-remus:/etc/syslog-ng #

The conf is:

88 #
89 # acpid messages
90 #
91 filter f_acpid_full { match(‘^acpid:’); };
92 filter f_acpid { level(emerg…notice) and match(‘^acpid:’); };
93
94 # this is for the old acpid < 1.0.6
95 filter f_acpid_old { match(‘^\[acpid\]:’); };
96
97 filter f_netmgm { match(‘^NetworkManager:’); };
98
99 #filter f_messages { not facility(news, mail) and not
filter(f_iptables); };
100 filter f_messages { not facility(news, mail) and not
filter(f_iptables, f_named) ; };
101 filter f_warn { level(warn, err, crit) and not
filter(f_iptables); };
102 filter f_alert { level(alert); };
103[/color]

Ah sorry I think filter() can only take one filtername so you actually
have to do

filter f_messages { not facility(news, mail) and not filter(f_iptables)
and not filter(f_named) ; };

HTH.

Simon
SUSE Knowledge Partner

If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below. Thanks.

[QUOTE]

Ah sorry I think filter() can only take one filtername so you actually
have to do

filter f_messages { not facility(news, mail) and not filter(f_iptables)
and not filter(f_named) ; };

HTH.

Simon
SUSE Knowledge Partner

If you find this post helpful and are logged into the web interface,
please show your appreciation and click on the star below. Thanks.
------------------------------------------------------------------------[/QUOTE]

Well, no error or failure of syslog this time, but named is still writing to messages.
Wow that’s one determined lil logger.

I might try replace the "and not filter(f_iptables) with just “and not filter(f_named)” because we don’t run a firewall on the server, we have dedicated firewalls all over the place for that.

EDIT Update: Nope… lol. Still floods /var/log/messages with name queries., even with the above; I wonder if the f_named filter isn’t defined wrong somehow.
I’m new to syslog, so this is rather daunting.

Hi *,

why don’t you disable named’s logging to syslog?

[QUOTE]
channel query_logging {

file “/var/log/named/named_querylog” versions 10 size 500M;

      print-time yes;                 // timestamp log entries
    syslog local6; //added by Dave for SEIM test
  };[/QUOTE]

Comment out that channel and you’re clean.

Regards,
Jens

[QUOTE=jmozdzen;28332]Hi *,

why don’t you disable named’s logging to syslog?

Comment out that channel and you’re clean.

Regards,
Jens[/QUOTE]

We still want logging of queries, just to dedicated files:
Ideally, /var/log/named/named_query.log

I just don’t want them in /var/log/messages.

Wouldn’t that kill all logging for named?

Hi lpphiggp,

[QUOTE=lpphiggp;28340]We still want logging of queries, just to dedicated files:
Ideally, /var/log/named/named_query.log

I just don’t want them in /var/log/messages.

Wouldn’t that kill all logging for named?[/QUOTE]

you’re right, I meant to say to comment out the syslog version of the channel:

[QUOTE=lpphiggp;28305]We have named_queries enabled, but in addition to writing to /var/log/named/named_querylog as configured, it’s also writing to /var/log/messages constantly, making it about useless for troubleshooting other, minor DNS issues I have that are beyond the scope of this post.
How do I make this stop?

Actually, I made it stop writing temporarily to /var/log/named/named_querylog because I was getting nervous about disk space.

Now if I can just get it to stop flooding /var/log/messages, I’d reenable the desired log.

Here’s from the named.conf:[INDENT]logging {

channel “simple_log” {

file “/log/bind.log” versions 3 size 5m;

print-time yes;

print-severity yes;

print-category yes;

};

category default{

“simple_log”;

};

      channel query_logging {

file “/var/log/named/named_querylog” versions 10 size 500M;

      print-time yes;                 // timestamp log entries
    syslog local6; //added by Dave for SEIM test
  };

  category queries {

query_logging;
};

};[/INDENT]
[/QUOTE][INDENT]
[/INDENT]

You’re explicitly directing query logging to syslog, but you complain that it does what it’s supposed to do But you made me curious, so I gave it a test run. Here’s the logging part of my test named.conf:

[CODE]logging {
# Log queries to a file limited to a size of 100 MB.
channel query_logging {
file “/var/log/named_querylog”
versions 3 size 100M;
print-time yes; // timestamp log entries
};
category queries {
query_logging;
};

# Or log this kind alternatively to syslog.

channel syslog_queries {

syslog user;

severity info;

};

category queries { syslog_queries; };

    # Log general name server errors to syslog.
    channel syslog_errors {
            syslog user;
            severity error;
    };
    category default { syslog_errors;  };

# Don’t log lame server messages.

category lame-servers { null; };

};[/CODE]

I have the queries logged to (/var/lib/named)/var/log/named_querylog and see no queries logged to syslog, only startup and error messages.

And concerning the “flooding the disk via request logging” part of your initial message: You’re creating up to 10 500 MB files… that is a lot of queries to log, so you might go easy on that sizing. But as you set the limits, you know in advance how much space to keep free in that file system…

Regards,
Jens

[QUOTE=jmozdzen;28358]Hi lpphiggp,

you’re right, I meant to say to comment out the syslog version of the channel:
[INDENT]
[/INDENT]

You’re explicitly directing query logging to syslog, but you complain that it does what it’s supposed to do But you made me curious, so I gave it a test run. Here’s the logging part of my test named.conf:
[/QUOTE]

H Jens, I think you missed the part where I said I’ve commented out the syslog local6 part and just reenabled the file channel but it still writes to /var/log/messages.
It’s haunted. :eek:

[QUOTE=jmozdzen;28358]

[CODE]logging {
# Log queries to a file limited to a size of 100 MB.
channel query_logging {
file “/var/log/named_querylog”
versions 3 size 100M;
print-time yes; // timestamp log entries
};
category queries {
query_logging;
};

# Or log this kind alternatively to syslog.

channel syslog_queries {

syslog user;

severity info;

};

category queries { syslog_queries; };

    # Log general name server errors to syslog.
    channel syslog_errors {
            syslog user;
            severity error;
    };
    category default { syslog_errors;  };

# Don’t log lame server messages.

category lame-servers { null; };

};[/CODE]

I have the queries logged to (/var/lib/named)/var/log/named_querylog and see no queries logged to syslog, only startup and error messages.

And concerning the “flooding the disk via request logging” part of your initial message: You’re creating up to 10 500 MB files… that is a lot of queries to log, so you might go easy on that sizing. But as you set the limits, you know in advance how much space to keep free in that file system…

Regards,
Jens [/QUOTE]

We can accommodate the 10 500MB files so long as named isn’t writing to /var/log/messages as well. Ultimately, management wants much older logs kept for security checks, but we’ll have to get our proper SEIM syslog server running for that to happen.

I’ll revisit this again this afternoon… could you perhaps show me what your /etc/syslog-ng/syslog-ng.conf looks like regarding named and messages?
I’ll emulate those in our environment and see how it goes.

Thanks

Paul

Hi Paul,

sorry for the late reply - I was unavailable a few days on short notice.

[QUOTE=lpphiggp;28365]H Jens, I think you missed the part where I said I’ve commented out the syslog local6 part and just reenabled the file channel but it still writes to /var/log/messages.
It’s haunted. :eek:[/QUOTE]

Please help us by posting named.conf in the state that does create the unwanted log entries to syslog. And please check that none of the included sub-config files contain any according configuration that logs to syslog

[QUOTE=lpphiggp;28365]could you perhaps show me what your /etc/syslog-ng/syslog-ng.conf looks like regarding named and messages?
I’ll emulate those in our environment and see how it goes.[/QUOTE]

We have no special filtering in our central syslog server configuration. And the machine running named has nothing special in its syslogd config, other than sending everything to the central syslogd…

Regards,
Jens