Red Hat SummitChapter 10. Customizing BIND logging
As Identity Management (IdM) administrator, you can improve visibility and maintain security by customizing where BIND writes its logs and ensuring SELinux allows access to those custom paths.
10.1. Customizing the BIND log path
You can customize the path to your BIND logs by using the ipa-logging-ext.conf file.
Procedure
Open the
ipa-logging-ext.conffile in the/etc/named/directory and add or modify a logging channel with your file path:logging { channel ipa_custom_log { file "/var/log/named/ipa_dns_queries.log" versions 3 size 10m; severity info; print-time yes; print-severity yes; print-category yes; }; category queries { ipa_custom_log; }; category update { ipa_custom_log; }; category update-security { ipa_custom_log; }; };Restart the BIND server:
# systemctl restart named
10.2. Extending SELinux policy for BIND custom logging
You can extend the SELinux policy to include the BIND logs.
Procedure
Create a log directory:
# mkdir -p /var/log/named # chown named:named /var/log/named # chmod 750 /var/log/named
Assign the
named_log_tSELinux context to the new directory and the log file:# semanage fcontext -a -t named_log_t "/var/log/named(/.)?"* # restorecon -Rv /var/log/named
Restart the BIND server:
# systemctl restart named
Verification
Display your custom log file:
$ tail -f /var/log/named/ipa_dns_queries.log
