自動目錄
此例是把named的log放到logserver。
OS
CentOS Linux release 7.4.1708 (Core) &&
Rocky Linux release 9.3 (Blue Onyx)
修改named.conf
named.conf 在options{} 後加上以下 設定[1]
.. <部分省略>
channel lamer-log {
file "data/lamer-log" versions 3 size 100m;
severity info;
print-severity yes;
print-time yes;
print-category yes;
};
channel query-log {
file "data/query-log" versions 20 size 100m;
severity info;
print-severity yes;
print-time yes;
print-category yes;
};
...
category lame-servers { lamer-log; };
category queries { query-log;};
};
file "data/lamer-log" versions 3 size 100m;
此範例log檔會存在 /var/named/data/ 的目錄下,檔名會是 lamer-log、 lamer-log.0、 lamer-log.1 共存 3份,每份最大100mb循環寫入
重啟named
# service named restart
修改 rsyslog.conf
修改rsyslog.conf [3]
加入模組 imfile
CentOS Linux release 7.4.1708 (Core)
Rocky Linux release 9.3 (Blue Onyx)
新增檔案 /etc/rsyslog.d/named.conf
input(type="imfile" File="/var/named/data/lamer-log" Tag="ddnss-lamerlog" Facility="local3" Ruleset="nreporter")
ruleset(name="nreporter"){ action(type="omfwd" Target="192.168.53.147" Port="514" Protocol="udp") }
重啟 rsyslog
# service rsyslog restart
如此就能把LOGS 送到遠端的機器192.168.53.147中。
我是這樣想的,結果LOG SERVER一直沒有收到資料,原來是SELINUX的問題…
SELINUX
Selinux 如果不關掉的話,在啟動rsyslog時就會出錯[4]
python: SELinux is preventing in:imfile from read access on the file query-log.#012#012***** Plugin catchall (100. confidence) suggests **************************#012#012If you believe that in:imfile should be allowed read access on the query-log file by default.#012Then you should report this as a bug.#012You can generate a local policy module to allow this access.#012Do#012allow this access for now by executing:#012# ausearch -c 'in:imfile' --raw | audit2allow -M my-inimfile#012# semodule -i my-inimfile.pp#012
audit中的錯誤
type=AVC msg=audit(1710820132.783:14087335): avc: denied { getattr } for pid=22562 comm="in:imfile" path="/var/named/data/query-log" dev="dm-0" ino=34444606 scontext=system_u:system_r:syslogd_t:s0 tcontext=system_u:object_r:named_cache_t:s0 tclass=file
AVC stands for Access Vector Cache. [2]
依上面的指示下指令
查看
# audit2allow -a
#!!!! This avc is allowed in the current policy
allow syslogd_t named_cache_t:file { getattr ioctl open read };
以上就能正確的將NAMED產生的LOG傳到LOG SERVER了。
參考資料
[1] BIND Queries log to Remote Syslog Server https://www.linuxquestions.org/questions/linux-server-73/bind-queries-log-to-remote-syslog-server-4175669371/
[2] https://wiki.gentoo.org/wiki/SELinux/Tutorials/Where_to_find_SELinux_permission_denial_details
[3] https://www.npartnertech.com/upload/Download/N-Partner_Linux_BIND(DNS)_syslog-TW-004.pdf
