<div dir="ltr">Hi all,<div><br></div><div>I'm experimenting with RPZ on a reasonably high volume resolver. I've got the following response-policy block defined:</div><div><br></div><div><div>response-policy {</div><div> zone "local-whitelist.rpz" policy PASSTHRU;<br></div><div> zone "local-blacklist.rpz" policy CNAME <a href="http://rpz-target.bris.ac.uk">rpz-target.bris.ac.uk</a>.;</div><div>};</div></div><div><br></div><div>This is working fine. Domains listed in the local-whitelist.rpz zone continue to resolve, and domains listed in the local-blacklist.rpz zone are CNAMEd to <a href="http://rpz-target.bris.ac.uk">rpz-target.bris.ac.uk</a> as expected.</div><div><br></div><div>I'd like to be able to log hits to the blacklist (so that we can analyse the logs to identify clients that might need remedial action) so I enabled the following logging config:</div><div><br></div><div><div>channel rpz_log {</div><div> file "/var/log/named/rpz.log" versions 10 size 20m;</div><div><span style="white-space:pre"> </span>severity info;</div><div><span style="white-space:pre"> </span>print-time yes;</div><div><span style="white-space:pre"> </span>print-category yes;</div><div><span style="white-space:pre"> </span>print-severity yes;</div><div>};</div></div><div>category rpz<span style="white-space:pre"> </span>{ rpz_log; };<br></div><div><br></div><div>However, that's a little over-chatty for my liking as it's logging every hit to the whitelist, and on a busy resolver with lots of clients resolving our local domain - the log volume is just too excessive!</div><div><br></div><div>As far as I can tell PASSTHRU is logged at the same severity level as other policy types, but my bind logging fu is weak as I don't have to change the logging config very often!</div><div><br></div><div>If I want to cut down the log volume to just the events I'm interested in, is it possible to get bind to *not* log PASSTHRU hits?</div><div><br></div><div>Or is the only option for me to log RPZ hits via syslog and then get rsyslog to drop the messages I'm not interested in?</div><div><br></div><div>cheers!</div><div><br></div><div>-Paul</div><div>-- <br><div class="gmail_signature"><div dir="ltr"><div><div dir="ltr"><div>----------------------------------------------------------------------</div><div>Paul Seward, Senior Systems Administrator, University of Bristol</div><div><a href="mailto:Paul.Seward@bristol.ac.uk" target="_blank">Paul.Seward@bristol.ac.uk</a> +44 (0)117 39 41148 GPG Key ID: E24DA8A2</div><div>GPG Fingerprint: 7210 4E4A B5FC 7D9C 39F8 5C3C 6759 3937 E24D A8A2</div></div></div></div></div>
</div></div>