diff options
Diffstat (limited to 'logging')
-rw-r--r-- | logging | 214 |
1 files changed, 214 insertions, 0 deletions
diff --git a/logging b/logging new file mode 100644 index 000000000000..c598f640e32c --- /dev/null +++ b/logging @@ -0,0 +1,214 @@ +logging { + channel default_log { + file "/var/named/logs/default.log" versions 3 size 20m; + print-time yes; + print-category yes; + print-severity yes; + severity info; + }; + channel auth_servers_log { + file "/var/named/logs/auth_servers.log" versions 100 size 20m; + print-time yes; + print-category yes; + print-severity yes; + severity info; + }; + channel dnssec_log { + file "/var/named/logs/dnssec.log" versions 3 size 20m; + print-time yes; + print-category yes; + print-severity yes; + severity info; + }; + channel zone_transfers_log { + file "/var/named/logs/zone_transfers.log" versions 3 size 20m; + print-time yes; + print-category yes; + print-severity yes; + severity info; + }; + channel ddns_log { + file "/var/named/logs/ddns.log" versions 3 size 20m; + print-time yes; + print-category yes; + print-severity yes; + severity info; + }; + channel client_security_log { + file "/var/named/logs/client_security.log" versions 3 size 20m; + print-time yes; + print-category yes; + print-severity yes; + severity info; + }; + channel rate_limiting_log { + file "/var/named/logs/rate_limiting.log" versions 3 size 20m; + print-time yes; + print-category yes; + print-severity yes; + severity info; + }; + channel rpz_log { + file "/var/named/logs/rpz.log" versions 3 size 20m; + print-time yes; + print-category yes; + print-severity yes; + severity info; + }; + channel dnstap_log { + file "/var/named/logs/dnstap.log" versions 3 size 20m; + print-time yes; + print-category yes; + print-severity yes; + severity info; + }; +// +// If you have the category ‘queries’ defined, and you don’t want query logging +// by default, make sure you add option ‘querylog no;’ - then you can toggle +// query logging on (and off again) using command ‘rndc querylog’ +// +// channel queries_log { +// file "/var/named/logs/queries.log" versions 600 size 20m; +// print-time yes; +// print-category yes; +// print-severity yes; +// severity info; +// }; +// +// This channel is dynamic so that when the debug level is increased using +// rndc while the server is running, extra information will be logged about +// failing queries. Other debug information for other categories will be +// sent to the channel default_debug (which is also dynamic), but without +// affecting the regular logging. +// + channel query-errors_log { + file "/var/named/logs/query.log-errors" versions 5 size 20m; + print-time yes; + print-category yes; + print-severity yes; + severity dynamic; + }; +// +// This is the default syslog channel, defined here for clarity. You don’t +// have to use it if you prefer to log to your own channels. +// It sends to syslog’s daemon facility, and sends only logged messages +// of priority info and higher. +// (The options to print time, category and severity are non-default.) +// + channel default_syslog { + print-time yes; + print-category yes; + print-severity yes; + syslog daemon; + severity info; + }; +// +// This is the default debug output channel, defined here for clarity. You +// might want to redefine the output destination if it doesn’t fit with your +// local system administration plans for logging. It is also a special +// channel that only produces output if the debug level is non-zero. +// + channel default_debug { + print-time yes; + print-category yes; + print-severity yes; + file "named.run"; + severity dynamic; + }; +// +// Log routine stuff to syslog and default log: +// + category default { default_syslog; default_debug; default_log; }; + category config { default_syslog; default_debug; default_log; }; + category dispatch { default_syslog; default_debug; default_log; }; + category network { default_syslog; default_debug; default_log; }; + category general { default_syslog; default_debug; default_log; }; +// +// From BIND 9.12 and newer, you can direct zone load logging to another +// channel with the new zoneload logging category. If this would be useful +// then firstly, configure the new channel, and then edit the line below +// to direct the category there instead of to syslog and default log: +// + category zoneload { default_syslog; default_debug; default_log; }; +// +// Log messages relating to what we got back from authoritative servers during +// recursion (if lame-servers and edns-disabled are obscuring other messages +// they can be sent to their own channel or to null). Sometimes these log +// messages will be useful to research why some domains don’t resolve or +// don’t resolve reliably +// + category resolver { auth_servers_log; default_debug; }; + category cname { auth_servers_log; default_debug; }; + category delegation-only { auth_servers_log; default_debug; }; + category lame-servers { auth_servers_log; default_debug; }; + category edns-disabled { auth_servers_log; default_debug; }; +// +// Log problems with DNSSEC: +// + category dnssec { dnssec_log; default_debug; }; +// +// Log together all messages relating to authoritative zone propagation +// + category notify { zone_transfers_log; default_debug; }; + category xfer-in { zone_transfers_log; default_debug; }; + category xfer-out { zone_transfers_log; default_debug; }; +// +// Log together all messages relating to dynamic updates to DNS zone data: +// + category update{ ddns_log; default_debug; }; + category update-security { ddns_log; default_debug; }; +// +// Log together all messages relating to client access and security. +// (There is an additional category ‘unmatched’ that is by default sent to +// null but which can be added here if you want more than the one-line +// summary that is logged for failures to match a view). +// + category client{ client_security_log; default_debug; }; + category security { client_security_log; default_debug; }; +// +// Log together all messages that are likely to be related to rate-limiting. +// This includes RRL (Response Rate Limiting) - usually deployed on authoritative +// servers and fetches-per-server|zone. Note that it does not include +// logging of changes for clients-per-query (which are logged in category +// resolver). Also note that there may on occasions be other log messages +// emitted by the database category that don’t relate to rate-limiting +// behaviour by named. +// + category rate-limit { rate_limiting_log; default_debug; }; + category spill { rate_limiting_log; default_debug; }; + category database { rate_limiting_log; default_debug; }; +// +// Log DNS-RPZ (Response Policy Zone) messages (if you are not using DNS-RPZ +// then you may want to comment out this category and associated channel) +// +// category rpz { rpz_log; default_debug; }; +// +// Log messages relating to the "dnstap" DNS traffic capture system (if you +// are not using dnstap, then you may want to comment out this category and +// associated channel). +// +// category dnstap { dnstap_log; default_debug; }; +// +// If you are running a server (for example one of the Internet root +// nameservers) that is providing RFC 5011 trust anchor updates, then you +// may be interested in logging trust anchor telemetry reports that your +// server receives to analyze anchor propagation rates during a key rollover. +// If this would be useful then firstly, configure the new channel, and then +// un-comment and the line below to direct the category there instead of to +// syslog and default log: +// +// + category trust-anchor-telemetry { default_syslog; default_debug; default_log; }; +// +// If you have the category ‘queries’ defined, and you don’t want query logging +// by default, make sure you add option ‘querylog no;’ - then you can toggle +// query logging on (and off again) using command ‘rndc querylog’ +// + category queries { queries_log; }; +// +// This logging category will only emit messages at debug levels of 1 or +// higher - it can be useful to troubleshoot problems where queries are +// resulting in a SERVFAIL response. +// + category query-errors {query-errors_log; }; +}; |