Syslog with BIND on CentOS
bind at iment.com
Thu May 20 22:55:02 UTC 2021
If you can have BIND log directly to a file, couldn't you use a FIFO (prwxrwxrwx) or Unix domain socket (srwxrwxrwx) and avoid the disk I/O by sending the log data directly to the forwarder? (E.g., PulseAudio listens on a socket for audio data from an application, and sends it in real-time to the D/A hardware driver etc.)
On Fri, 21 May 2021 00:17:11 +0200
Anand Buddhdev <anandb at ripe.net> wrote:
> On 20/05/2021 23:34, John Thurston wrote:
> Hi John,
> > My subsequent read of the docs indicates that BIND on CentOS 7, while
> > being told it is sending to 'syslogd', is sending to 'journald' which is
> > handling all the messages and forwarding them on to 'syslogd'. I don't
> > want journald handling my thousands of messages per second from BIND. I
> > don't want that information in my journal logs. I just want it out in
> > the central syslog server.
> On CentOS, journald listens on the syslog socket, and intercepts ALL log
> messages, and logs them into files that are either in a memory-based
> tmpfs (the default), or to disk (if you configure journald that way).
> After intercepting the log message, and saving it to the journal,
> journald then forwards the message to rsyslog, which listens on a
> different socket.
> > Is there some direct way to get the logging channel of BIND pointed
> > directly into the local syslogd? (which would then apply its forwarding
> > rules to get traffic to the central syslog server)
> As far as I know, BIND just calls the syslog functions, and so the log
> messages will go to whatever is listening on the default syslog socket
> (journald on CentOS). I don't think there's any way to point BIND to
> rsyslog's socket.
> > I thought about trying to rip journald out entirely, and quickly decided
> > that was a path to madness.
> That is indeed the path to madness. On systemd-based servers, you can't
> really do without journald.
> > The only thing I can come up with is to activate dnstap, and have some
> > other process absorbing the data and spewing it directly to the central
> > syslogd.
> You could also log directly to files (bypassing syslog), and then have
> some process follow the files and send the logs to a remote server.
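A sketch of the "some process" end of the FIFO idea raised in this thread, as an added example that is not code from either poster or from BIND: it reads lines from a FIFO and frames each as an RFC 5424 message for a central syslog server. The FIFO path, the server address 192.0.2.10:514, the local0.info priority and all function names are assumptions, as is named being configured with a file channel at that path and the forwarder running as the same user as named. The FIFO is created owner-only rather than with the world-writable mode shown in the question, since anything able to write to it can inject log lines.

```python
import os, socket, stat
from datetime import datetime, timezone

def frame(line, host, when, app="named", facility=16, severity=6):
    """Wrap one log line as an RFC 5424 message; `when` must be a UTC datetime."""
    pri = facility * 8 + severity            # local0.info -> 134 (assumed defaults)
    # Replace control characters so a hostile query name cannot inject extra records.
    msg = "".join(c if c.isprintable() else " " for c in line.rstrip("\r\n"))
    ts = when.strftime("%Y-%m-%dT%H:%M:%SZ")
    return f"<{pri}>1 {ts} {host} {app} - - - {msg}".encode("utf-8")[:2048]

def make_fifo(path):
    """Create an owner-only FIFO, or refuse a pre-existing path that is unsafe."""
    try:
        os.mkfifo(path, 0o600)
    except FileExistsError:
        mode = os.stat(path).st_mode
        if not stat.S_ISFIFO(mode) or mode & 0o022:
            raise RuntimeError(f"{path}: not a FIFO, or writable by group/other")

def forward(path, send, host, max_lines=None):
    """Read lines from the FIFO and pass each framed message to send(bytes)."""
    sent = 0
    while max_lines is None or sent < max_lines:
        # open() blocks until a writer appears. EOF means the writer closed the
        # FIFO (for example a named restart), so reopen rather than exit.
        with open(path, "r", encoding="utf-8", errors="replace") as fifo:
            for line in fifo:
                if not line.strip():
                    continue
                send(frame(line, host, datetime.now(timezone.utc)))
                sent += 1
                if max_lines is not None and sent >= max_lines:
                    break
    return sent

def udp_sender(dest):
    """Return a send(bytes) callable that emits UDP datagrams to (host, port)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    return lambda data: sock.sendto(data, dest)

if __name__ == "__main__":
    FIFO = "/var/named/log/query.fifo"       # hypothetical path
    make_fifo(FIFO)
    forward(FIFO, udp_sender(("192.0.2.10", 514)), socket.gethostname())
```

A FIFO holds only a pipe buffer's worth of data, so a writer blocks once that buffer is full and the reader has stalled. UDP delivery to the central server is also unacknowledged, so lines can be lost in transit.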