If you can have BIND log directly to a file, couldn't you use a FIFO (prwxrwxrwx) or Unix domain socket (srwxrwxrwx) and avoid the disk I/O by sending the log data directly to the forwarder? (E.g., Pulse Audio listens on a socket for audio data from an application, and sends it in real-time to the D/A hardware driver etc.)
On Fri, 21 May 2021 00:17:11 +0200 Anand Buddhdev <ana...@ripe.net> wrote: > On 20/05/2021 23:34, John Thurston wrote: > > Hi John, > > > My subsequent read of the docs indicates that BIND on CentOS 7, while > > being told it is sending to 'syslogd', is sending to 'journald' which is > > handling all the messages and forwarding them on to 'syslogd'. I don't > > want journald handling my thousands of messages per second from BIND. I > > don't want that information in my journal logs. I just want it out in > > the central syslog server. > > On CentOS, journald listens on the syslog socket, and intercepts ALL log > messages, and logs them into files that are either in a memory-based > tmpfs (the default), or to disk (if you configure journald that way). > After intercepting the log message, and saving it to the journal, > journald then forwards the message to rsyslog, which listens on a > different socket. > > > Is there some direct way to get the logging channel of BIND pointed > > directly into the local syslogd? (which would then apply its forwarding > > rules to get traffic to the central syslog server) > > As far as I know, BIND just calls the syslog functions, and so the log > messages will go to whatever is listening on the default syslog socket > (journald on CentOS). I don't think there's any way to point BIND to > rsyslog's socket. > > > I thought about trying to rip jourald out entirely, and quickly decided > > that was a path to madness. > > That is indeed the path to madness. On systemd-based servers, you can't > really do without journald. > > > The only thing I can come up with is to activate dnstap, and have some > > other process absorbing the data and spewing it directly to the central > > syslogd. > > You could also log directly to files (bypassing syslog), and then have > some process follow the files and send the logs to a remote server. > > Regards, > Anand _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information. bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
