RPZ PASSTHRU logging

classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

RPZ PASSTHRU logging

Paul Seward
Hi all,

I'm experimenting with RPZ on a reasonably high volume resolver.  I've got the following response-policy block defined:

response-policy {
    zone "local-whitelist.rpz" policy PASSTHRU;
    zone "local-blacklist.rpz" policy CNAME rpz-target.bris.ac.uk.;
};

This is working fine.  Domains listed in the local-whitelist.rpz zone continue to resolve, and domains listed in the local-blacklist.rpz zone are CNAMEd to rpz-target.bris.ac.uk as expected.

I'd like to be able to log hits to the blacklist (so that we can analyse the logs to identify clients that might need remedial action) so I enabled the following logging config:

channel rpz_log {
  file "/var/log/named/rpz.log" versions 10 size 20m;
  severity info;
  print-time yes;
  print-category yes;
  print-severity yes;
};
category rpz { rpz_log; };

However, that's a little over-chatty for my liking as it's logging every hit to the whitelist, and on a busy resolver with lots of clients resolving our local domain - the log volume is just too excessive!

As far as I can tell PASSTHRU is logged at the same severity level as other policy types, but my bind logging fu is weak as I don't have to change the logging config very often!

If I want to cut down the log volume to just the events I'm interested in, is it possible to get bind to *not* log PASSTHRU hits?

Or is the only option for me to log RPZ hits via syslog and then get rsyslog to drop the messages I'm not interested in?

cheers!

-Paul
--
----------------------------------------------------------------------
Paul Seward,    Senior Systems Administrator,    University of Bristol
[hidden email]  +44 (0)117 39 41148    GPG Key ID: E24DA8A2
GPG Fingerprint:    7210 4E4A B5FC 7D9C 39F8  5C3C 6759 3937 E24D A8A2

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
[hidden email]
https://lists.isc.org/mailman/listinfo/bind-users