Discussion:
how to log to a remote logging server (syslog-ng) from a chroot'ed BIND9?
OpenMacNews
2004-07-26 07:28:15 UTC
hi all,

i've BIND9 installed in a chroot jail on MacOSX 10.3.4.

'til now, i've been logging to files in the (chroot)/var/log dir.

i've set up a central/remote logging server (syslog-ng), and would like to capture/send the chroot'ed BIND9's logs to the remote server ...

in considering this scenario, tho, i've managed to get a bit confused .... so, a couple of questions:

(1) the logging statement in named.conf clearly has the option to capture to a "syslog daemon" channel ...
but how do i capture to a NON-syslog (i.e., in this case, 'syslog-ng's daemon) daemon?

(2) do i need to capture first to a local syslog-ng daemon instance, then send/x-fer to a remote, or can BIND9 be set up to speak 'directly' to the remote server?

(3) am i completely defeating the security of the chroot jail by sending logs _outside_?

any pointers, suggestions, etc -- or better yet a relevant howto URL -- would be very much appreciated!

thx,

richard
Willem Kossen
2004-07-26 08:17:54 UTC
----- Original Message -----
Sent: Monday, 26 July, 2004 9:28 AM
Subject: how to log to a remote logging server (syslog-ng) from a chroot'ed
BIND9?
hi all,
i've BIND9 installed in a chroot jail on MacOSX 10.3.4.
'til now, i've been logging to files in the (chroot)/var/log dir.
i've set up a central/remote logging server (syslog-ng), and would like to
capture/send the chroot'ed BIND9's logs to the remote server ...
in considering this scenario, tho, i've managed to get a bit confused ....
(1) the logging statement in named.conf clearly has the option to
capture to a "syslog daemon" channel ...
but how do i capture to a NON-syslog (i.e., in this case, 'syslog-ng's
daemon) daemon?
(2) do i need to capture first to a local syslog-ng daemon instance,
then send/x-fer to a remote, or can BIND9 be set up to speak 'directly' to
the remote server?
(3) am i completely defeating the security of the chroot jail by sending
logs _outside_?
any pointers, suggestions, etc -- or better yet a relevant howto URL --
would be very much appreciated!
thx,
richard
it is quite simple to have logging go to another server using standard
syslog:
in your /etc/syslog.conf add a line like
*.* @xxx.xxx.xxx.xxx
where xxx.xxx.xxx.xxx is the IP address of the remote logging server. this
will send ALL logging accepted by syslog to the remote server
of course you can experiment with selections like *.warn *.error etc. see
man syslog.conf

good luck

Willem Kossen
Jens Grigel
2004-07-26 12:31:14 UTC
Post by OpenMacNews
hi all,
i've BIND9 installed in a chroot jail on MacOSX 10.3.4.
'til now, i've been logging to files in the (chroot)/var/log dir.
i've set up a central/remote logging server (syslog-ng), and would like to capture/send the chroot'ed BIND9's logs to the remote server ...
(1) the logging statement in named.conf clearly has the option to capture to a "syslog daemon" channel ...
but how do i capture to a NON-syslog (i.e., in this case, 'syslog-ng's daemon) daemon?
(2) do i need to capture first to a local syslog-ng daemon instance, then send/x-fer to a remote, or can BIND9 be set up to speak 'directly' to the remote server?
You cannot log to a remote syslog server directly from bind.

The bind logging channel syslog will always talk to a local daemon via
the /dev/log socket (at least on Linux, I suppose OSX will not behave
very differently).
In a chrooted environment you have to create an additional socket in the
jail when starting syslogd, as bind cannot access the system's default
socket /dev/log from its jail.

If you're running a local syslog daemon append the option:
-a /bindjail/dev/log
to the syslogd start options to create the socket.

If you're running a local syslog-ng daemon add:
source bindlog { unix-stream("/bindjail/dev/log"); };
to the syslog-ng configuration.
The local syslog/syslog-ng daemon can then forward the messages to the
remote central syslog-ng server.
Post by OpenMacNews
(3) am i completely defeating the security of the chroot jail by sending logs _outside_?
any pointers, suggestions, etc -- or better yet a relevant howto URL -- would be very much appreciated!
for bind chroot howto check out:
http://www.tldp.org/HOWTO/Chroot-BIND-HOWTO.html

for syslog-ng faq check out:
http://www.campin.net/syslog-ng/faq.html#chroot

Hope that helps,
Jens
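Putting Jens' two pieces (the extra socket in the jail, local forwarding to the collector) and Willem's plain-syslog line together, the following is an added worked configuration, not from any of the original posts. The jail path /bindjail, the facility local0 and the collector address 192.0.2.10 are assumed placeholder values.

```conf
# --- (chroot)/etc/named.conf : hand BIND's log channels to syslog ---
# named only needs write access to the socket at /dev/log *inside* the
# jail; the daemon that owns that socket runs outside the jail and does
# the network forwarding, so named itself gains no new reach.
logging {
    channel to_syslog {
        syslog local0;          # facility local0 is an assumption
        severity info;
        print-category yes;
        print-severity yes;     # syslog adds the timestamp itself
    };
    category default  { to_syslog; };
    category security { to_syslog; };
};

# --- /etc/syslog-ng/syslog-ng.conf (local daemon, outside the jail) ---
# Extra source on the jail socket, as in Jens' reply. syslog-ng creates
# the socket, so /bindjail/dev must exist and be writable by syslog-ng.
source s_bindjail { unix-stream("/bindjail/dev/log"); };

# Forward to the central syslog-ng collector (192.0.2.10 is a placeholder).
destination d_central { udp("192.0.2.10" port(514)); };

# Ship only BIND's facility off-box; everything else keeps its local path.
filter f_bind { facility(local0); };
log { source(s_bindjail); filter(f_bind); destination(d_central); };

# --- plain syslogd alternative (Willem's approach) ---
# start syslogd with an extra socket in the jail, the flag Jens quotes
# for Linux (check your platform's syslogd(8) for its equivalent):
#     syslogd -a /bindjail/dev/log
# and in /etc/syslog.conf forward just that facility instead of *.*:
#     local0.*    @192.0.2.10
```

After reloading both daemons, a `rndc reload` on named should show up on the collector tagged with the local0 facility; if nothing arrives, check that /bindjail/dev/log exists and that the syslog-ng collector actually has a udp source on port 514.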
OpenMacNews
2004-07-26 17:31:33 UTC
Jens,
Post by Jens Grigel
You cannot log to a remote syslog server directly from bind.
The bind logging channel syslog will always talk to a local daemon via
the /dev/log socket (at least on Linux, I suppose OSX will not behave
very differently).
In a chrooted environment you have to create an additional socket in the
jail when starting syslogd, as bind cannot access the system's default
socket /dev/log from its jail.
-a /bindjail/dev/log
to the syslogd start options to create the socket.
source bindlog { unix-stream("/bindjail/dev/log"); };
to the syslog-ng configuration.
The local syslog/syslog-ng daemon can then forward the messages to the
remote central syslog-ng server.
Post by OpenMacNews
(3) am i completely defeating the security of the chroot jail by sending logs _outside_?
any pointers, suggestions, etc -- or better yet a relevant howto URL -- would be very much appreciated!
http://www.tldp.org/HOWTO/Chroot-BIND-HOWTO.html
http://www.campin.net/syslog-ng/faq.html#chroot
Hope that helps,
Jens
perfect! yes, it does.

simple enuf ...

cheers,

richard
