Need to configure BIND server query logging with versions

Tags: apparmor, bind, sles

I've been trying to get BIND server query logging working, creating 3 versions, max 100mb each. The system is SUSE SLES 11. I have found numerous how to articles on the web but none of them do anything other than break the DNS server. The machine is a virtualbox guest so I can keep going back to an unmodified snapshot of a working BIND server that doesn't do any query logging.

If I manually add the logging statements into named.conf, named will no longer load. messages shows "isc_stdio_open 'whatever i told it' failed: file not found." chown named.named logfile doesn't help or change the behavior in any way. Do anything with the apparmor profile file directly including just saving it without changing it and apparmor will never load that profile again. It will say there is already a profile.

Restore snapshot -> now back to having made no changes

Use the GUI tools to configure logging for the DNS server. named will not start because it still doesn't have rights or cannot find the log file. chown named.named logfile doesn't help. Use the GUI tools to configure AppArmor. This at least doesn't kill the AppArmor profile, but doesn't help the situation in any way regardless.

I have tried this on 2 different VMs, both SLES 11, both are just basic take-all-the-defaults installs and not in production yet.

I have tried several different combinations of using the gui tools and manually modifying the config files. I have tried different locations for the log file such as /var/log/querylog, /var/log/querylogs/querylog, /root/queries. I have tried using touch to create the log file, then chown it to named.named. I've tried using the gui to create the files/directories and then setting permissions.

Does anyone know how to get DNS Query logs, in a rotation of 3 files on a SLES 11 BIND server working? It doesn't seem like it should be anywhere near this much of a hassle.


edit

Currently the logging section of named.conf looks like:

logging {
channel log_file { file "/var/log/query_log.log" versions 3 size 100M; } ;
category default { log_file; };
};

What gets reported in /var/log/messages is:

the working directory is not writable.
isc_stdio_open '/var/log/named/query_log.log' failed: file not found > configuring logging: file not found exiting (due to fatal error)

So it looks like there is some kind of permissions issue. I have created that directory and put a blank file in it named query_log.log. I made named the owner and granted everyone read, write and execute on /var/log/named and gave everyone read and write on /var/log/named/query_log.log.

ls -l of /var/log/named

-rwxrwxrwx 1 named named 0 Apr 26 08:43 query_log.log

ls -l of /var/log

//various files and directories
drwxr-xr-x 2 named named 4093 Apr 26 09:26 named


edit 2

To start the BIND server I use rcnamed start.
If I remove the logging section so that I can get named started, running ps aux | grep named shows that /usr/sbin/named is running as the user named.

Thank you for your help so far. What do I have to do to get this working?

Best Answer

Does anyone know how to get DNS Query logs, in a rotation of 3 files on a SLES 11 BIND server working? It doesn't seem like it should be anywhere near this much of a hassle.

It shouldn't be a hassle -- the syntax is straightforward and well-exercised (thousands and thousands of nameserver admins have used it). It's theoretically possible but very unlikely you've found a new bug in it. Let's look at the more likely causes.

It never hurts to check your syntax first. As explained in the BIND Administrator's Reference Manual (aka "ARM"; a copy of the ARM appropriate to your BIND version is included with your BIND source or can be found at ISC's web site) section 6.2.10, you should first define a channel, e.g.:

channel example_query_channel { 
   file "bind_query.log" versions 3 size 20m; 
   print-time yes;
   print-category yes;
};

then direct the category you are interested in logging (i.e. "queries") to that channel:

category queries {
   example_query_channel; 
};

You can use the named-checkconf utility that comes with BIND to check the syntax of your config file for errors before you try to restart BIND with it.

If that doesn't work for you, you have a filesystem permission problem of some sort and not a BIND problem specifically; BIND is being prevented somehow from writing to the file you have specified in its appropriate directory. Maybe you are dropping privileges to run as a non-root user and that user doesn't have -x perms to traverse all directories in the path from the filesystem root to the directory you are writing in, or maybe you don't have -w perms to write files in that directory. Or possibly you have another security layer (you mention AppArmor) which is complicating matters further.
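A way to test the traversal and write permissions described above before touching named.conf again, added here as an example (not code from the answer's author or from BIND). It walks every directory from / down to the log file the way the non-root named user would, using only ordinary Unix permission bits; the user name, log path and helper names are assumptions for the example.

```python
import os
import pwd
import grp
import stat


def _user_ids(user):
    """Return (uid, set of gids) for a user name or numeric uid (constructed helper)."""
    try:
        pw = pwd.getpwuid(user) if isinstance(user, int) else pwd.getpwnam(user)
    except KeyError:
        if isinstance(user, int):  # uid without a passwd entry, e.g. inside a container
            return user, ({os.getgid()} if user == os.getuid() else set())
        raise
    gids = {pw.pw_gid}
    gids.update(g.gr_gid for g in grp.getgrall() if pw.pw_name in g.gr_mem)
    return pw.pw_uid, gids


def _has(st, uid, gids, bit):
    """True if uid/gids hold permission bit 'R', 'W' or 'X' on the stat result st."""
    if st.st_uid == uid:
        return bool(st.st_mode & getattr(stat, "S_I%sUSR" % bit))
    if st.st_gid in gids:
        return bool(st.st_mode & getattr(stat, "S_I%sGRP" % bit))
    return bool(st.st_mode & getattr(stat, "S_I%sOTH" % bit))


def find_permission_gaps(user, logfile):
    """List what `user` lacks to write `logfile`: x on every ancestor directory,
    w on the log directory (BIND's 'versions N' rotates by renaming files there),
    and w on the log file itself if it already exists. Empty list means DAC is fine."""
    uid, gids = _user_ids(user)
    gaps = []
    logfile = os.path.abspath(logfile)
    directory = os.path.dirname(logfile)
    parts = directory.split(os.sep)
    for i in range(1, len(parts) + 1):
        d = os.sep.join(parts[:i]) or os.sep
        try:
            st = os.stat(d)
        except FileNotFoundError:
            gaps.append("%s: missing" % d)
            return gaps
        if not _has(st, uid, gids, "X"):
            gaps.append("%s: needs x" % d)
    if not _has(os.stat(directory), uid, gids, "W"):
        gaps.append("%s: needs w" % directory)
    if os.path.exists(logfile) and not _has(os.stat(logfile), uid, gids, "W"):
        gaps.append("%s: needs w on file" % logfile)
    return gaps
```

Run it as `find_permission_gaps("named", "/var/log/named/query_log.log")` on the server; an empty result means plain file permissions are not the blocker, which leaves the AppArmor profile for named, whose denials are logged by the kernel rather than by BIND.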
