Red Hat SummitChapter 10. Customizing BIND logging
As Identity Management (IdM) administrator, you can improve visibility and maintain security by customizing where BIND writes its logs and ensuring SELinux allows access to those custom paths.
10.1. Customizing the BIND log path
You can customize the path to your BIND logs by using the ipa-logging-ext.conf file.
Procedure
Open the
ipa-logging-ext.conffile in the/etc/named/directory and add or modify a logging channel with your file path:Copy to Clipboard Copied! Toggle word wrap Toggle overflow logging { channel ipa_custom_log { file "/var/log/named/ipa_dns_queries.log" versions 3 size 10m; severity info; print-time yes; print-severity yes; print-category yes; }; category queries { ipa_custom_log; }; category update { ipa_custom_log; }; category update-security { ipa_custom_log; }; };logging { channel ipa_custom_log { file "/var/log/named/ipa_dns_queries.log" versions 3 size 10m; severity info; print-time yes; print-severity yes; print-category yes; }; category queries { ipa_custom_log; }; category update { ipa_custom_log; }; category update-security { ipa_custom_log; }; };Restart the BIND server:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow systemctl restart named
# systemctl restart named
10.2. Extending SELinux policy for BIND custom logging
You can extend the SELinux policy to include the BIND logs.
Procedure
Create a log directory:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow mkdir -p /var/log/named chown named:named /var/log/named chmod 750 /var/log/named
# mkdir -p /var/log/named # chown named:named /var/log/named # chmod 750 /var/log/namedAssign the
named_log_tSELinux context to the new directory and the log file:Copy to Clipboard Copied! Toggle word wrap Toggle overflow semanage fcontext -a -t named_log_t "/var/log/named(/.)?"* restorecon -Rv /var/log/named
# semanage fcontext -a -t named_log_t "/var/log/named(/.)?"* # restorecon -Rv /var/log/namedRestart the BIND server:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow systemctl restart named
# systemctl restart named
Verification
Display your custom log file:
Copy to Clipboard Copied! Toggle word wrap Toggle overflow tail -f /var/log/named/ipa_dns_queries.log
$ tail -f /var/log/named/ipa_dns_queries.log
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}