Syslog with BIND on CentOS

Anand Buddhdev anandb at ripe.net
Thu May 20 22:17:11 UTC 2021


On 20/05/2021 23:34, John Thurston wrote:

Hi John,

> My subsequent read of the docs indicates that BIND on CentOS 7, while
> being told it is sending to 'syslogd', is sending to 'journald' which is
> handling all the messages and forwarding them on to 'syslogd'. I don't
> want journald handling my thousands of messages per second from BIND. I
> don't want that information in my journal logs. I just want it out in
> the central syslog server.

On CentOS, journald listens on the syslog socket, and intercepts ALL log
messages, and logs them into files that are either in a memory-based
tmpfs (the default), or to disk (if you configure journald that way).
After intercepting the log message, and saving it to the journal,
journald then forwards the message to rsyslog, which listens on a
different socket.

> Is there some direct way to get the logging channel of BIND pointed
> directly into the local syslogd? (which would then apply its forwarding
> rules to get traffic to the central syslog server)

As far as I know, BIND just calls the syslog functions, and so the log
messages will go to whatever is listening on the default syslog socket
(journald on CentOS). I don't think there's any way to point BIND to
rsyslog's socket.

> I thought about trying to rip journald out entirely, and quickly decided
> that was a path to madness.

That is indeed the path to madness. On systemd-based servers, you can't
really do without journald.

> The only thing I can come up with is to activate dnstap, and have some
> other process absorbing the data and spewing it directly to the central
> syslogd.

You could also log directly to files (bypassing syslog), and then have
some process follow the files and send the logs to a remote server.

Regards,
Anand
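
Added example (not part of the original message, and not code from BIND or rsyslog): one way to do the file-following approach from the last paragraph. It tails a BIND file channel, survives rotation, and sends each line to a remote collector as an RFC 5424 datagram over UDP. The log path, host name and collector address are assumed placeholders.

```python
import os, socket, time

LOG_PATH = "/var/log/named/query.log"   # assumed path of a BIND file channel
COLLECTOR = ("192.0.2.10", 514)          # placeholder central syslog server
PRI = 3 * 8 + 6                          # facility daemon (3), severity info (6)

def frame(line, host="ns1", app="named"):
    """RFC 5424 header with nil timestamp, procid and msgid; BIND's line is the message."""
    return f"<{PRI}>1 - {host} {app} - - - {line}".encode()

class Follower:
    """Tail a file, surviving rotation by rename and truncation in place."""
    def __init__(self, path):
        self.path, self.fh, self.inode, self.buf = path, None, None, b""

    def _open(self):
        self.fh = open(self.path, "rb")
        self.inode = os.fstat(self.fh.fileno()).st_ino

    def poll(self):
        """Return the complete lines appended since the previous call."""
        if self.fh is None:
            try:
                self._open()
            except FileNotFoundError:
                return []
        data = self.fh.read()                # drain the handle we already hold
        try:
            st = os.stat(self.path)
            if st.st_ino != self.inode or st.st_size < self.fh.tell():
                self.fh.close()              # rotated or truncated: switch files
                self.fh = None
                self._open()
                data += self.fh.read()
        except FileNotFoundError:
            pass                             # mid-rotation; retry on next poll
        self.buf += data
        *lines, self.buf = self.buf.split(b"\n")   # keep any partial last line
        return [l.decode("utf-8", "replace") for l in lines if l]

def forward(follower, sock, dest):
    """Send every new line to dest; returns the number of datagrams sent."""
    lines = follower.poll()
    for line in lines:
        sock.sendto(frame(line), dest)
    return len(lines)

if __name__ == "__main__":
    sock, f = socket.socket(socket.AF_INET, socket.SOCK_DGRAM), Follower(LOG_PATH)
    while True:
        forward(f, sock, COLLECTOR)
        time.sleep(0.2)
```

Because the lines never pass through the local syslog socket, journald does not see them. UDP delivery is best effort, so datagrams can be dropped under load.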

