Hi Folks,
I just wonder if I am missing something ;-)
I am currently running a POC for RPZ logging into Elasticsearch and just wonder
why I can't see any "rpz QNAME NODATA" in Elasticsearch?
I am running BIND 9.20.12 as recursive resolvers -> dnstap -> DNS-collector ->
Elasticsearch
BIND:
// enclosing options/logging statements inferred from the posted snippet
options {
    // dnstap { auth; resolver query; resolver response; };
    dnstap { all; };
    /* where to capture to: file or unix (socket) */
    // dnstap-output file "/tmp/named.tap";
    dnstap-output unix "/run/named/dnstap.sock";
    dnstap-identity "rr1.xyz.net";
};

logging {
    channel rpz_file {
        file "/var/log/named/rpz.log" versions 10 size 10m;
        severity dynamic;
        print-time yes;
        print-category yes;
        print-severity yes;
    };
    // the rpz category is what writes the "rpz QNAME NODATA rewrite" lines
    category rpz { rpz_file; };
};
I am seeing a lot of "rpz QNAME NODATA rewrite" messages in
/var/log/named/rpz.log and would like to export them via dnstap instead of
local log files and then shipping them to Elasticsearch via a log shipper.
DNSCollector:
pipelines:
  - name: "input-bind-dnstap"
    # Read DNSTap stream from a UNIX socket
    dnstap:
      sock-path: /run/named/dnstap.sock
      sock-rcvbuf: 0
    routing-policy:
      # Routes DNS messages from the Unix socket to Elasticsearch
      forward: [output-elastic]
      dropped: [output-error-log]

  - name: "output-elastic"
    elasticsearch:
      server: "https://k8s-eck.xyz.net:30200"
      index: "logs-network_traffic.dnscollector-default"
      # bulk-size refers to the size of the batch of DNS messages sent to your
      # Elasticsearch instance
      bulk-size: 1048576 # 1MB
      # bulk-channel-size defines the number of batches the DNS collector can
      # hold in memory before dropping them
      bulk-channel-size: 10
      # Interval in seconds before to flush the buffer. Set the maximum time
      # interval before the buffer is flushed. If the bulk batches reach this
      # interval before reaching the maximum size, they will be sent to
      # Elasticsearch.
      flush-interval: 10 # in seconds
      compression: none
      chan-buffer-size: 0
      basic-auth-enable: true
      basic-auth-login: "aaa"
      basic-auth-pwd: "bbb"
Elasticsearch:
In Elasticsearch I can see all kind of Resource Record types besides NODATA
which is what I am looking for ;-)
So I just wonder if BIND is not exporting NODATA if it’s a result of RPZ or I
am missing something else?
—
Thank you,
Wolfgang
______________________________________________________________________________________________
Wolfgang Riedel | Distinguished Engineer | CCIE #13804 | VCP #42559
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from
this list.
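Added example, not part of Wolfgang's message and not code from the BIND or dnscollector projects. A dnstap frame carries the wire-format DNS message, and NODATA is not a resource record type: on the wire it is a response with RCODE NOERROR and an empty answer section, so a collector or Elasticsearch query that filters on record type will never match it. The script below builds three constructed responses (a normal A answer, a NOERROR/empty-answer response of the shape an RPZ "QNAME NODATA" rewrite produces, and an NXDOMAIN) and classifies them from the header counts and RCODE alone, which is the check a dnstap consumer would need to apply. The sample names and addresses are invented for the example.

```python
"""Classify DNS responses the way they arrive in a dnstap stream.

NODATA is not an RR type; it is RCODE NOERROR with ANCOUNT == 0.  All
messages below are constructed sample data, not captured traffic.
"""
import struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """Encode a dotted name as uncompressed DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def parse_response(msg):
    """Parse header and first question of a wire-format DNS message."""
    msg_id, flags, qdcount, ancount, nscount, arcount = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    labels = []
    while True:  # question name is never compressed (nothing precedes it)
        length = msg[off]
        if length == 0:
            off += 1
            break
        labels.append(msg[off + 1:off + 1 + length].decode("ascii"))
        off += 1 + length
    qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
    return {
        "qname": ".".join(labels) + ".",
        "qtype": qtype,
        "is_response": bool(flags & 0x8000),
        "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
        "ancount": ancount,
        "nscount": nscount,
        "arcount": arcount,
    }


def classify(msg):
    """Label a message as QUERY, ANSWER, NODATA, NXDOMAIN or its RCODE."""
    r = parse_response(msg)
    if not r["is_response"]:
        return "QUERY"
    if r["rcode"] == "NXDOMAIN":
        return "NXDOMAIN"
    if r["rcode"] == "NOERROR" and r["ancount"] == 0:
        return "NODATA"  # empty answer section, e.g. an RPZ QNAME NODATA rewrite
    if r["rcode"] == "NOERROR":
        return "ANSWER"
    return r["rcode"]


def build_response(qname, qtype, rcode, answers=(), authority=()):
    """Assemble a minimal response: header, one question, then RRs (constructed)."""
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1
    hdr = struct.pack("!HHHHHH", 0x1234, flags, 1, len(answers), len(authority), 0)
    body = encode_name(qname) + struct.pack("!HH", qtype, 1)
    for rr in list(answers) + list(authority):
        body += rr
    return hdr + body


def rr_a(name, ip):
    """A record: type 1, class IN, TTL 300, 4-byte RDATA."""
    return encode_name(name) + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(x) for x in ip.split("."))


def rr_soa(name, mname, rname):
    """SOA record as found in the authority section of negative answers."""
    rdata = encode_name(mname) + encode_name(rname) + struct.pack("!IIIII", 1, 3600, 600, 86400, 60)
    return encode_name(name) + struct.pack("!HHIH", 6, 1, 60, len(rdata)) + rdata


# Constructed sample messages (invented names and addresses).
SAMPLES = {
    "answered": build_response("www.example.net.", 1, 0,
                               answers=[rr_a("www.example.net.", "192.0.2.10")]),
    # shape of an RPZ "QNAME NODATA" rewrite: NOERROR, no answer RRs
    "rpz_nodata": build_response("bad.example.com.", 1, 0,
                                 authority=[rr_soa("example.com.", "ns1.example.com.",
                                                   "hostmaster.example.com.")]),
    "nxdomain": build_response("nope.example.org.", 1, 3),
}


def classify_samples():
    return {name: classify(msg) for name, msg in SAMPLES.items()}


if __name__ == "__main__":
    for name, label in classify_samples().items():
        print(f"{name}: {label}")
```

The same test (RCODE NOERROR and zero answer records) is what to express on the Elasticsearch side: filter on the response code and answer count fields the collector emits rather than looking for a "NODATA" record type, which does not exist in the wire message dnstap carries.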