设置 bind9 9.7.3 日志记录:无大小限制,无文件交换

tag-icon tag-icon logging bind debian-squeeze
设置 bind9 9.7.3 日志记录:无大小限制,无文件交换

bind 配置为将日志文件大小限制为 2m,并添加最多 3 个版本的日志文件。在测试此 bind 服务器期间,如果文件大小超过 2m,bind 不会停止记录。在测试此 bind 服务器期间,在重新启动 bind 后,bind 不会添加例如“bind.log.1”、“bind.log.2”等。

有人能帮助我吗?

操作系统/软件:Debian Squeeze 上的 Bind9 9.7.3

命名的.conf:

[...]
include "/etc/bind/named.conf.log";

命名.conf.日志:

logging {
    channel update_debug {
            file "/var/log/bind/update_debug.log" versions 3 size 2m;
            severity debug;
            print-severity  yes;
            print-time      yes;
    };
    channel security_info {
            file "/var/log/bind/security_info.log" versions 3 size 2m;
            severity notice;
            print-severity  yes;
            print-time      yes;
    };
    channel bind_log {
            file "/var/log/bind/bind.log" versions 3 size 2m;
            severity info;
            print-category  yes;
            print-severity  yes;
            print-time      yes;
    };

    category default { bind_log; };
    category lame-servers { null; };
    category update { update_debug; };
    category update-security { update_debug; };
    category security { security_info; };
};

#ls -la /var/log/bind/:

root@ns1:/var/log/bind# ls -la
total 72
drwxrwxr-x 2 root bind  4096 Sep 16 11:52 .
drwxr-xr-x 9 root root  4096 Sep 16 11:45 ..
-rwxrwxr-- 1 root bind 56236 Sep 16 13:56 bind.log
-rwxrwxr-- 1 root bind     0 Sep 16 11:52 lame_info.log
-rwxrwxr-- 1 root bind   105 Sep 16 13:42 security_info.log
-rwxrwxr-- 1 root bind     0 Sep 16 11:52 update_debug.log

答案1

假设如下:

  • Bind9 在 Debian 上运行,并且
  • Bind9 的守护进程在 ' ' 所有者 Unix IDnamed中运行bind
  • DNS 密钥受到组保护bind

我使用以下文件所有权:

chown -R root:bind /etc/bind
chown    root:bind /var/lib/bind
chown -R bind:bind /var/lib/bind/*
chown -R root:bind /var/cache/bind # always filled with bind:bind ownership
chown -R bind:bind /var/log/bind # files are written from bind user

然后我限制文件权限,如下所示:

chmod 2750 /etc/bind
chmod 0640 /etc/bind/*     # keys are protected under bind group
chmod 2750 /etc/bind/keys
chmod 0640 /etc/bind/keys/*
chmod 2770 /var/lib/bind
chmod 0640 /var/lib/bind/*
chmod 0770 /var/lib/bind/dynamic
chmod 2770 /var/log/bind   # give Group Special Bit
chmod 0640 /var/log/bind/*

/var/log 则有所不同,它完全由命名守护进程拥有。

chmod 0750 /var/log/bind
chmod 0640 /var/log/bind/*

然后更新/添加/etc/logrotate.d/bind文件以显示:

 /var/log/bind/*.log
{
  rotate 30
  daily
  dateext
  dateformat _%Y-%m-%d
  missingok
  su bind bind
  create 0640 bind bind
  delaycompress
  compress
  notifempty
  postrotate
    /bin/systemctl reload bind9
  endscript
}

如果您使用的是其他 Linux 发行版(即 RedHat、Arch、Gentoo、CentOS),则请将上面的单词替换bindnamed

相关内容