# Copyright 2004-2009 SPARTA, Inc. All rights reserved. # See the COPYING file included with the DNSSEC-Tools package for details. DNSSEC-Tools Is your domain secure? This directory contains configuration files and scripts for logwatch to manage log files for BIND security function. First, you need to obtain and install logwatch. Logwatch is available from http://www2.logwatch.org:81/tabs/download. The current version as of this writing is 6.0.2 (Apr 25, 2005). When logwatch is installed, you need to install the files in this tree. Assumptions: -- Log files for BIND are located in /var/log and are called dnssec and resolver. The location and name of these files are configured in your BIND config file, often called named.conf. See below for a few tips on configuring BIND to log security messages. -- logwatch is installed in $LOGWATCH_DIR (by default this would be /etc/log.d). You may edit the logwatch config files and scripts to change these names if you have used something else. Copy the files in ./conf/logfiles, ./conf/services, ./scripts/shared, and ./scripts/services into the same directory structure in $LOGWATCH_DIR. For example, cp ./conf/logfiles/* /etc/log.d/conf/logfiles/. cp ./conf/services/* /etc/log.d/conf/services/. cp ./scripts/services/* /etc/log.d/scripts/services/. cp ./scripts/shared/* /etc/log.d/scripts/shared/. This is all that is necessary to get logwatch to monitor your BIND security logfiles. Now run logwatch and see the DNSSEC and RESOLVER sections for output. Configuring BIND for security logging ------------------------------------- In your named.conf (or whatever you have named your BIND config file), you need to have a logging section. It will look something like this: logging { channel resolver { file "/var/log/resolver" versions 10 size 300k; print-time yes; print-category no; print-severity yes; severity debug 3; }; channel dnssec { file "/var/log/dnssec" versions 10 size 300k; print-time yes; print-category no; print-severity yes; severity debug 9; }; category dnssec { dnssec; }; category resolver { resolver; }; }; This allows you to send log messages to separate log files. This configuration fits the logwatch config files provided here. The "channel" is a name of your own choosing. The file name can be whatever you want, but if you use something other than /var/log/{dnssec,resolver} you will need to modify dnssec.conf and/or resolver.conf in the conf/logfiles directory to match the file name. "Categories" as used in named.conf are defined as follows for BIND 9.x: -- dnssec: processing of DNSSEC-signed responses -- resolver: Name resolution, including the processing of recursive queries from resolvers For more detail on this topic, a good reference is the O'Reilly book "DNS and BIND" by Albitz & Liu.