How To Get bind9 Log Files To Roll Over?

Asked by rapope on 2008-08-26

I have set up a DNS server on Ubuntu Server 8.04.1 in a virtual machine on a Mac running OS X 10.5.4 under VMware Fusion 1.1.3. In my /etc/bin/named.local.conf file I have the following (taken from DNS and BIND, 5th Edition, by Paul Albitz; Cricket Liu). The base of the entry was taken from the Ubuntu online documentation; I just added the "version 3 size 10M" to what I saw in the online doc.

logging {
        channel query.log {
                file "/var/log/query.log" versions 3 size 10M;
                severity debug 3;
        };
        category queries { query.log; };
};

I was expecting the "versions 3 size 10M" statement to limit the file to 10 MB and to create a new file when the limit was reached. The file continues to grow. I have stopped/started bind9. I have also rebooted the VM, but the file continues to grow. [Edit: the file hadn't reached the limit when I thought it did. I blew the conversion by dropping a digit. The end result was that the file hit the limit and didn't roll over.] It isn't that big of a deal, but I would like to know why it isn't working as expected.

Any clues?

Thanks,

Rocky

Question information

Language: English
Status: Solved
For: Ubuntu bind9
Assignee: No assignee
Solved by: Matthew Lambie
Solved: 2008-09-11
Last query: 2008-09-11
Last reply: 2008-09-03

rapope (rapope) said : #1

I suspect that my eyesight may have been giving me problems! I transposed the numbers by eye and very likely missed a digit or two. In any case, I suspect that I haven't reached the limit yet. I will close this question if/when I am certain that I screwed up initially!

Sorry about that ...

Regards,

Rocky

rapope (rapope) said : #2

Hi again,

It would seem that my initial impression was correct. It has been over 75 minutes since the log file was updated. At the time the log file hit the limit, the following message was seen in syslog:

 named[5992]: isc_log_open: roll_log '/var/log/query.log' failed: permission denied

After that entry, there are many duplicate entries of the following:

  [266909.899420] audit(1219735788.697:2): type=1503 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/var/log/" pid=5993 profile="/usr/sbin/named" namespace="default"

I noticed that the file had the following permissions set initially:

 -rw-r--r-- 1 bind root 3145803 2008-08-26 03:29 query.log

I have subsequently added +r for the group root, and restarted the bind9 service (was this necessary?). This didn't roll the file over, so I stopped the daemon, renamed the file, and created a new file (owned by user bind and group root, with both set to rw).

 -rw-rw-r-- 1 bind root 6563 2008-08-26 05:08 query.log

I will try again this time, and I set a smaller file limit, so I can determine more quickly if the roll over is working.

I am now wondering if the owner of the log file should be set to bind, as I had set per the Ubuntu documentation?

I am (obviously) new to DNS on GNU/Linux, so I apologize for that.

More to come later...

Thanks,

Rocky

rapope (rapope) said : #3

Yes, I definitely seem to have something wrong here. I also attempted to use only the "versions 3" statement, to see if the log would increment when bind9 was stopped/started (or restarted). As I figured, I received errors in /var/logs/syslog. I received the error(s):

 Aug 26 16:39:48 ubuntuserver kernel: [314205.144845] audit(1219783188.894:2968): type=1503 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/var/log/" pid=16567 profile="/usr/sbin/named" namespace="default"

What ownership/permissions are needed for this log file to increment when the limit is reached?

I am also wondering if the /etc/apparmor.d/usr.sbin.named file requires modification, as the Ubuntu documentation did not cover the example of rotating the logs used as the example on <https://help.ubuntu.com/8.04/serverguide/C/dns-troubleshooting.html>.

Can anyone please point me in the right direction here?

Thank you,

Rocky
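
The syslog lines quoted in replies #2 and #3 can be correlated mechanically. The following is an added example, not part of the original thread: it pairs each failed roll_log message with the profile denials logged for that log file's directory. The sample lines are copied from the posts above; the function names are illustrative.

```python
import re

# Constructed sample: the syslog lines quoted in replies #2 and #3 of this thread.
SAMPLE = [
    "named[5992]: isc_log_open: roll_log '/var/log/query.log' failed: permission denied",
    '[266909.899420] audit(1219735788.697:2): type=1503 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/var/log/" pid=5993 profile="/usr/sbin/named" namespace="default"',
    'Aug 26 16:39:48 ubuntuserver kernel: [314205.144845] audit(1219783188.894:2968): type=1503 operation="inode_permission" requested_mask="::r" denied_mask="::r" name="/var/log/" pid=16567 profile="/usr/sbin/named" namespace="default"',
]

ROLL_FAIL = re.compile(r"named\[(\d+)\]: isc_log_open: roll_log '([^']+)' failed: (.+)")
AUDIT = re.compile(r"audit\([\d.]+:\d+\): (.*)")
KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')  # key="quoted" or key=bare


def parse_audit(line):
    """Return the key=value fields of a kernel audit record, or None."""
    m = AUDIT.search(line)
    if not m:
        return None
    return {k: (q if q else u) for k, q, u in KV.findall(m.group(1))}


def diagnose(lines):
    """Pair each failed roll_log with profile denials on the log's directory."""
    rolls, denials = [], []
    for line in lines:
        m = ROLL_FAIL.search(line)
        if m:
            rolls.append({"pid": int(m.group(1)), "file": m.group(2)})
            continue
        rec = parse_audit(line)
        # Only records naming both a confining profile and a denied mask count.
        if rec and "denied_mask" in rec and "profile" in rec:
            denials.append(rec)
    findings = []
    for roll in rolls:
        directory = roll["file"].rsplit("/", 1)[0] + "/"
        hits = [d for d in denials if d.get("name") == directory]
        findings.append({
            "file": roll["file"],
            "directory": directory,
            "denials": len(hits),
            "profiles": sorted({d["profile"] for d in hits}),
            "denied": sorted({d["denied_mask"].strip(":") for d in hits}),
        })
    return findings
```

On the thread's lines this reports read access to the directory /var/log/ denied under the /usr/sbin/named profile; changing the mode bits of query.log does not alter a profile denial on the directory.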

Best Matthew Lambie (mlambie) said : #4

Hi Rocky,

Whilst I don't answer your exact question, I solved the same problem using logrotate. I added an entry to /etc/logrotate.d/query which contained:

/var/log/query.log {
    daily
    rotate 14
    compress
    delaycompress
    missingok
    notifempty
    create 0664 bind root
    postrotate
      /etc/init.d/bind9 reload > /dev/null
    endscript
}

Your requirements might be different, so "man logrotate" for the options. I've documented this in a blog entry: http://lambie.org/2008/09/03/rotating-logs-with-logrotate/

rapope (rapope) said : #5

Hi,

Thanks for the suggestion. I'll see how it turns out. Since I'm just using
this installation for caching (not a primary zone), I stopped logging and
used DNSTOP instead. I'll set up bind using your solution, and take it from
there.

Regards,

Rocky


rapope (rapope) said : #6

Thanks Matthew Lambie, that solved my question.