dnssec-tools-1.5-2mdv2010.0.i586.rpm

# Copyright 2004-2009 SPARTA, Inc.  All rights reserved.
# See the COPYING file included with the DNSSEC-Tools package for details.


			     DNSSEC-Tools
			Is your domain secure?


This directory contains logwatch configuration files and scripts for
managing the log files of BIND's security functions.

First, you need to obtain and install logwatch. Logwatch is available from
http://www2.logwatch.org:81/tabs/download.

The current version as of this writing is 6.0.2 (Apr 25, 2005).

Once logwatch is installed, install the files in this tree.

Assumptions:

	-- Log files for BIND are located in /var/log and are called dnssec 
	   and resolver.  The location and name of these files are configured
	   in your BIND config file, often called named.conf.  See below for
	   a few tips on configuring BIND to log security messages.

	-- logwatch is installed in $LOGWATCH_DIR (by default this would be
	   /etc/log.d).

You may edit the logwatch config files and scripts to change these names
if you have used something else.

Copy the files in ./conf/logfiles, ./conf/services, ./scripts/shared,
and ./scripts/services into the same directory structure in $LOGWATCH_DIR.
For example, 

	cp ./conf/logfiles/* /etc/log.d/conf/logfiles/.
	cp ./conf/services/* /etc/log.d/conf/services/.
	cp ./scripts/services/* /etc/log.d/scripts/services/.
	cp ./scripts/shared/* /etc/log.d/scripts/shared/.

This is all that is necessary to get logwatch to monitor your BIND security
logfiles.  Now run logwatch and see the DNSSEC and RESOLVER sections for
output.

Configuring BIND for security logging
-------------------------------------

In your named.conf (or whatever you have named your BIND config file), 
you need to have a logging section.  It will look something like this:

	logging {
		channel resolver {
			file "/var/log/resolver" versions 10 size 300k;
			print-time yes;
			print-category no;
			print-severity yes;
			severity debug 3;
		};
		channel dnssec {
			file "/var/log/dnssec" versions 10 size 300k;
			print-time yes;
			print-category no;
			print-severity yes;
			severity debug 9;
		};
		category dnssec { dnssec; };
		category resolver { resolver; };
	};

This allows you to send log messages to separate log files.
This configuration fits the logwatch config files provided here.
The "channel" is a name of your own choosing.  The file
name can be whatever you want, but if you use something other
than /var/log/{dnssec,resolver} you will need to modify
dnssec.conf and/or resolver.conf in the conf/logfiles directory
to match the file name.
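
One way to check this before running logwatch, as an added example that is
not part of DNSSEC-Tools: the script below reads a named.conf and reports
whether the dnssec and resolver categories log to the paths the logwatch
configs expect.  The function names and the sample config are constructed
for illustration.

```shell
# Added example, not part of DNSSEC-Tools.  Assumes one statement per line,
# as in the named.conf layout shown in this README.
# category_files prints "category file" for each category sent to a file channel.
category_files() {
    awk '
        $1 == "channel" { chan = $2 }
        $1 == "file" && chan != "" { gsub(/[";]/, "", $2); file[chan] = $2 }
        $1 == "category" {
            for (i = 3; i <= NF; i++) {
                c = $i; gsub(/[{};]/, "", c); if (c != "") route[n++] = $2 " " c
            }
        }
        END {   # resolve last, so channel/category order does not matter
            for (i = 0; i < n; i++) {
                split(route[i], r, " "); if (r[2] in file) print r[1], file[r[2]]
            }
        }' "$1"
}

# Exit status 0 only if both categories log where the logwatch configs look.
check_bind_logging() {
    conf=$1; logdir=${2:-/var/log}; rc=0
    routes=$(category_files "$conf")
    for name in dnssec resolver; do
        got=$(printf '%s\n' "$routes" | awk -v c="$name" '$1 == c { print $2; exit }')
        case $got in
            "$logdir/$name") echo "OK: $name -> $got" ;;
            "") echo "MISSING: category $name has no file channel"; rc=1 ;;
            *)  echo "MISMATCH: $name logs to $got, expected $logdir/$name"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample: the resolver channel was moved, so resolver.conf needs editing.
sample=$(mktemp)
cat > "$sample" <<'EOF'
logging {
    channel resolver {
        file "/var/log/named/resolver" versions 10 size 300k; };
    channel dnssec {
        file "/var/log/dnssec" versions 10 size 300k; };
    category dnssec { dnssec; };
    category resolver { resolver; };
};
EOF
check_bind_logging "$sample" || true
rm -f "$sample"
```

A MISMATCH line names the log file whose entry in conf/logfiles has to be
changed; pass a second argument to check against a directory other than
/var/log.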

"Categories" as used in named.conf are defined as follows for
BIND 9.x: 

	-- dnssec: processing of DNSSEC-signed responses

	-- resolver: name resolution, including the processing of
	   recursive queries from resolvers

For more detail on this topic, a good reference is the O'Reilly book
"DNS and BIND" by Albitz & Liu.