RPZ PASSTHRU logging
Paul Seward
Paul.Seward at bristol.ac.uk
Wed Jan 27 09:44:37 UTC 2016
Hi all,
I'm experimenting with RPZ on a reasonably high volume resolver. I've got
the following response-policy block defined:
response-policy {
    zone "local-whitelist.rpz" policy PASSTHRU;
    zone "local-blacklist.rpz" policy CNAME rpz-target.bris.ac.uk.;
};
This is working fine. Domains listed in the local-whitelist.rpz zone
continue to resolve, and domains listed in the local-blacklist.rpz zone are
CNAMEd to rpz-target.bris.ac.uk as expected.
I'd like to be able to log hits to the blacklist (so that we can analyse
the logs to identify clients that might need remedial action) so I enabled
the following logging config:
channel rpz_log {
    file "/var/log/named/rpz.log" versions 10 size 20m;
    severity info;
    print-time yes;
    print-category yes;
    print-severity yes;
};
category rpz { rpz_log; };
However, that's a little over-chatty for my liking as it's logging every
hit to the whitelist, and on a busy resolver with lots of clients resolving
our local domain - the log volume is just too excessive!
As far as I can tell PASSTHRU is logged at the same severity level as other
policy types, but my bind logging fu is weak as I don't have to change the
logging config very often!
If I want to cut down the log volume to just the events I'm interested in,
is it possible to get bind to *not* log PASSTHRU hits?
Or is the only option for me to log RPZ hits via syslog and then get
rsyslog to drop the messages I'm not interested in?
cheers!
-Paul
--
----------------------------------------------------------------------
Paul Seward, Senior Systems Administrator, University of Bristol
Paul.Seward at bristol.ac.uk +44 (0)117 39 41148 GPG Key ID: E24DA8A2
GPG Fingerprint: 7210 4E4A B5FC 7D9C 39F8 5C3C 6759 3937 E24D A8A2
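As an added example (not part of Paul's post, and not BIND or rsyslog code), the following Python script does in user space what the post is after: it parses lines from the rpz.log channel above, drops PASSTHRU hits, and tallies which clients hit the blacklist and for which names. The sample log is constructed; its message layout ("client <ip>#<port> (<qname>): rpz <trigger> <policy> rewrite <name> via <rpz record>") is an assumption based on BIND's RPZ rewrite messages, and the addresses and domain names are made up.

```python
import re
from collections import Counter

# Constructed sample of what the rpz_log channel receives with print-time,
# print-category and print-severity enabled. Field layout, addresses and
# names are assumptions, not captured output.
SAMPLE_LOG = """\
27-Jan-2016 09:40:01.123 rpz: info: client 10.20.30.40#51234 (www.bris.ac.uk): rpz QNAME PASSTHRU rewrite www.bris.ac.uk via www.bris.ac.uk.local-whitelist.rpz
27-Jan-2016 09:40:02.456 rpz: info: client 10.20.30.41#40001 (malware.example.net): rpz QNAME CNAME rewrite malware.example.net via malware.example.net.local-blacklist.rpz
27-Jan-2016 09:40:03.789 rpz: info: client 10.20.30.41#40002 (c2.example.org): rpz QNAME CNAME rewrite c2.example.org via c2.example.org.local-blacklist.rpz
27-Jan-2016 09:40:04.000 rpz: info: client 10.20.30.42#40003 (malware.example.net): rpz QNAME CNAME rewrite malware.example.net via malware.example.net.local-blacklist.rpz
27-Jan-2016 09:40:05.000 rpz: info: client 10.20.30.43#40004 (mail.bris.ac.uk): rpz QNAME PASSTHRU rewrite mail.bris.ac.uk via mail.bris.ac.uk.local-whitelist.rpz
27-Jan-2016 09:40:06.000 rpz: info: some other message the parser should ignore
"""

# Matches one RPZ rewrite message. The optional "@0x..." group tolerates
# BIND builds that print the client pointer before the address.
RPZ_RE = re.compile(
    r"client (?:@0x[0-9a-fA-F]+ )?(?P<client>[0-9a-fA-F.:]+)#\d+ "
    r"\((?P<qname>[^)]+)\): rpz (?P<trigger>\S+) (?P<policy>\S+) rewrite "
    r"(?P<name>\S+) via (?P<via>\S+)"
)


def parse_rpz_line(line):
    """Return the rewrite fields as a dict, or None for non-rewrite lines."""
    m = RPZ_RE.search(line)
    return m.groupdict() if m else None


def drop_policies(lines, ignore=("PASSTHRU",)):
    """Yield the raw lines whose policy is not in `ignore`.

    This is the same filter one would express in rsyslog; PASSTHRU
    (whitelist) hits are discarded, everything else is kept.
    """
    for line in lines:
        hit = parse_rpz_line(line)
        if hit and hit["policy"] not in ignore:
            yield line


def blacklist_hits(lines, ignore=("PASSTHRU",)):
    """Map each client address to a Counter of the names it was rewritten for."""
    hits = {}
    for line in drop_policies(lines, ignore):
        hit = parse_rpz_line(line)
        hits.setdefault(hit["client"], Counter())[hit["qname"]] += 1
    return hits


def top_clients(lines, n=10):
    """Clients with the most blacklist hits, as (client, count) pairs."""
    totals = Counter({c: sum(q.values()) for c, q in blacklist_hits(lines).items()})
    return totals.most_common(n)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    per_client = blacklist_hits(lines)
    for client, count in top_clients(lines):
        names = ", ".join(sorted(per_client[client]))
        print(f"{client}: {count} blacklist hit(s) -> {names}")
```

Reading the rotated rpz.log files into `blacklist_hits` gives the per-client view needed to decide who needs remedial action, and `drop_policies` is the filter to apply first if the aim is only to shrink what gets stored.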