Discarding unwanted messages in syslog-ng

There are some messages that you do not want to see in the log file. In this case I had the following:

Feb 3 11:41:05 bnmdns1 nrpe[19270]: Error: Could not complete SSL handshake. 1
Feb 3 11:41:05 bnmdns1 nrpe[19272]: Error: Could not complete SSL handshake. 1
Feb 3 11:41:13 bnmdns1 nrpe[19278]: Error: Could not complete SSL handshake. 1
Feb 3 11:41:13 bnmdns1 nrpe[19280]: Error: Could not complete SSL handshake. 1
Feb 3 11:41:15 bnmdns1 nrpe[19286]: Error: Could not complete SSL handshake. 1

To get rid of those unwanted messages, add the following to the /etc/syslog-ng/syslog-ng.conf file:

filter f_nrpe { match("Error: Could not complete SSL handshake. 1"); };
destination d_nrpe { file("/var/log/nrpe.log"); };
log { source(src); filter(f_nrpe); destination(d_nrpe); };

In the above example the filter and destination are named after nrpe, as they should be. The match statement does not take the facility or severity into account; it matches on the message text alone. Be sure the name chosen does not already exist as another filter or destination specified in this file. If we were to test this at this point, we would have a /var/log/messages file containing the “Error: Could not complete SSL handshake. 1” lines as well as a /var/log/nrpe.log containing the same “Error: Could not complete SSL handshake. 1” messages. We now need to exclude these messages from being logged to /var/log/messages.

In the syslog-ng.conf file there is a line that starts with “filter f_messages”. We need to exclude the messages matched by our filter from being logged there. If the default line looks like the following:

filter f_messages { not facility(news, mail) and not filter(f_iptables); };

Change it to the following:

filter f_messages { not facility(news, mail) and not filter(f_iptables) and not filter(f_nrpe); };

The modified “f_messages” filter will now exclude anything defined in the “f_nrpe” filter. Messages with “Error: Could not complete SSL handshake. 1” in them should only be found in the defined log file as specified under “d_nrpe”.

Now, restart syslog-ng and test this using the logger command:

logger "Error: Could not complete SSL handshake. 1"

The unwanted nrpe logs should now be stored in /var/log/nrpe.log and no longer appear in /var/log/messages.
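As an added example (written for this page, not part of the original post), the following Python script emulates how the two filters route lines. It models match() as a regular expression tested against the message text only, so a line from any program carrying that text is diverted away from /var/log/messages; the narrowed variant that also checks the program name is an assumption based on syslog-ng's program() filter. The sample lines are constructed.

```python
import re

# Constructed sample lines in the shape shown above (not captured from a real host).
SAMPLE = [
    "Feb 3 11:41:05 bnmdns1 nrpe[19270]: Error: Could not complete SSL handshake. 1",
    "Feb 3 11:41:13 bnmdns1 nrpe[19278]: Error: Could not complete SSL handshake. 1",
    "Feb 3 11:41:20 bnmdns1 sshd[19300]: Accepted publickey for ops from 172.16.53.9",
    "Feb 3 11:41:25 bnmdns1 cron[19310]: (root) CMD (run-parts /etc/cron.hourly)",
    "Feb 3 11:41:30 bnmdns1 sshd[19320]: Error: Could not complete SSL handshake. 1",
]

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[^\[:]+)(?:\[\d+\])?: (?P<msg>.*)$"
)

def parse(line):
    """Split a syslog line into the fields syslog-ng exposes (HOST, PROGRAM, MESSAGE)."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError("unparsable line: " + line)
    return m.groupdict()

# filter f_nrpe { match("Error: Could not complete SSL handshake. 1"); };
# Modelled as a regex over the message text; facility and severity are not consulted
# (assumption for this model: the program name is not consulted either).
NRPE_RE = re.compile(r"Error: Could not complete SSL handshake. 1")

def f_nrpe_broad(rec):
    return NRPE_RE.search(rec["msg"]) is not None

# Narrowed variant (assumption: syslog-ng's program() filter on the PROGRAM field):
# filter f_nrpe { program("nrpe") and match("Error: Could not complete SSL handshake. 1"); };
def f_nrpe_narrow(rec):
    return rec["prog"] == "nrpe" and f_nrpe_broad(rec)

def route(lines, f_nrpe):
    """Emulate the two log{} statements: d_nrpe receives filter(f_nrpe) hits and
    /var/log/messages receives 'not filter(f_nrpe)' (news/mail/iptables omitted)."""
    dests = {"/var/log/nrpe.log": [], "/var/log/messages": []}
    for line in lines:
        rec = parse(line)
        dest = "/var/log/nrpe.log" if f_nrpe(rec) else "/var/log/messages"
        dests[dest].append(line)
    return dests

if __name__ == "__main__":
    for name, flt in (("match() only", f_nrpe_broad), ("program() and match()", f_nrpe_narrow)):
        counts = {d: len(v) for d, v in route(SAMPLE, flt).items()}
        print(name, counts)
```

With the broad filter the sshd line carrying the same text ends up in nrpe.log instead of /var/log/messages, which is why tying the filter to the program name is worth it when the text could come from elsewhere.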

Character Names

Character Name        Character
Accent                `
Ampersand             &
Angle Brackets        < >
Apostrophe            '
Asterisk              *
At Symbol             @
Backslash             \
Braces                [ ]
Brackets              { }
Circumflex            ^
Colon                 :
Comma                 ,
Dollar Sign           $
Equal Sign            =
Exclamation Point     !
Hyphen                -
Number Sign           #
Parentheses           ( )
Percent Symbol        %
Period                .
Pipe                  |
Plus Sign             +
Question Mark         ?
Quotation Mark        "
Semicolon             ;
Forward Slash         /
Tilde                 ~
Underscore            _
Uppercase Letters     A-Z
Lowercase Letters     a-z
Numerals              0-9

Enable or disable query logging in Bind.

To enable query logging use:

root# rndc querylog on

To disable query logging use:

root# rndc querylog off

Query logging can also be enabled by explicitly directing the queries category to a channel in the logging section of named.conf, or by specifying “querylog yes;” in the options section of named.conf.
By default, query logging goes to /var/log/messages. To avoid this, create the following logging channels:

logging {
    channel default_file {
        file "/var/log/named.log" size 100m;
        severity dynamic;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    channel queries_file {
        file "/var/log/queries.log" size 100m;
        severity dynamic;
        print-time yes;
        print-severity yes;
        print-category yes;
    };
    category queries { queries_file; };
    category default { default_file; };
};

Enable PTR queries for local IP addresses on a Bind forwarding DNS server.

Bind creates “empty zones” by default, which is why reverse DNS lookups (query type PTR) for local IP addresses do not work.
Define “empty-zones-enable no;” in named.conf and this will work as you expect.

You can also create a reverse map zone for your local machines, for example:

zone "16.172.in-addr.arpa" IN {
    type forward;
    forwarders { 172.16.53.50; 172.16.53.51; 172.16.53.52; };
    forward only;
};

Limiting the Memory a Name Server Uses.

To limit the amount of memory a name server uses, use the max-cache-size options statement:

root# cat /etc/named.conf
options {
    directory "/var/named";
    max-cache-size 10m; // maximum cache size of 10MB
};

root#

This tells the name server to remove old cached records early (i.e., before they’re stale) if the size of the cache reaches the limit.
Once this is set, you may also want to reduce the cleaning interval (the period at which the name server checks for stale records):

root# cat /etc/named.conf
options {
    directory "/var/named";
    max-cache-size 10m; // maximum cache size of 10MB
    cleaning-interval 10; // clean cache every 10 minutes
};

root#

The max-cache-ttl and max-ncache-ttl options can also be used. These limit the time-to-live values of cached records and cached negative responses, respectively.

root# cat /etc/named.conf
options {
    directory "/var/named";
    max-cache-size 10m; // maximum cache size of 10MB
    cleaning-interval 10; // clean cache every 10 minutes
    max-cache-ttl 60; // limit cached records to a 60s TTL
    max-ncache-ttl 60; // limit cached negative responses to a 60s TTL
};

root#
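As an added illustration (a simplified model written for this page, not BIND's own code), the following Python class shows how the options above interact: max-cache-ttl and max-ncache-ttl clamp TTLs on the way in, cleaning-interval periodically sweeps stale records, and max-cache-size forces still-fresh records out when the sweep alone is not enough. The sizes, the oldest-first eviction order and the sample names are assumptions of the model.

```python
from collections import OrderedDict

class CacheModel:
    """Simplified model (an assumption for illustration, not BIND's implementation) of
    max-cache-size, cleaning-interval, max-cache-ttl and max-ncache-ttl.
    Sizes are bytes; `now` and TTLs are seconds; cleaning_interval is minutes as in named.conf.
    Record names are assumed unique (re-inserting a name is not modelled)."""

    def __init__(self, max_cache_size, cleaning_interval, max_cache_ttl, max_ncache_ttl):
        self.max_size = max_cache_size
        self.clean_every = cleaning_interval * 60
        self.max_ttl = max_cache_ttl
        self.max_nttl = max_ncache_ttl
        self.entries = OrderedDict()  # name -> (expires_at, size); insertion order = age
        self.size = 0
        self.last_clean = 0
        self.early_evictions = 0      # records dropped while still fresh (size limit hit)

    def insert(self, now, name, ttl, size, negative=False):
        # max-cache-ttl / max-ncache-ttl clamp the TTL the upstream answer carried
        ttl = min(ttl, self.max_nttl if negative else self.max_ttl)
        self.entries[name] = (now + ttl, size)
        self.size += size
        self.sweep_if_due(now)
        # max-cache-size: still over the limit, so drop the oldest records early,
        # i.e. before they are stale, as described above
        while self.size > self.max_size:
            _, (_, dropped) = self.entries.popitem(last=False)
            self.size -= dropped
            self.early_evictions += 1

    def sweep_if_due(self, now):
        # cleaning-interval: periodically remove records whose TTL has run out
        if now - self.last_clean < self.clean_every:
            return
        for name in [n for n, (exp, _) in self.entries.items() if exp <= now]:
            self.size -= self.entries.pop(name)[1]
        self.last_clean = now

    def lookup(self, now, name):
        # a stale record that has not been swept yet is still not served
        e = self.entries.get(name)
        return e is not None and e[0] > now

if __name__ == "__main__":
    c = CacheModel(max_cache_size=300, cleaning_interval=10, max_cache_ttl=60, max_ncache_ttl=60)
    for t, name, ttl in ((0, "a.example", 3600), (1, "b.example", 30), (2, "c.example", 30), (3, "d.example", 30)):
        c.insert(t, name, ttl, size=100)
    print("fresh records evicted by max-cache-size:", c.early_evictions)
```

Lowering the TTL caps and the cleaning interval lets the periodic sweep reclaim space before the size limit has to evict records that are still valid.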

To disable caching, see the next section: Bind – Disabling Caching.

Bind – Disabling Caching

To disable caching on a name server, use the recursion options statement:

root# cat /etc/named.conf
--cut
options {
    directory "/var/named";
    recursion no;
};
--cut
root#

Disabling recursion is one of the most effective ways to limit the amount of memory a name server uses.
Processing a recursive query often requires a name server to query another name server, and the name server then caches the response.
It’s caching that causes a name server’s memory usage to increase over time.
Unfortunately, you can’t disable recursion on just any old name server.
Many name servers serve one or more authorized resolvers, and those resolvers need their recursive queries answered, well, recursively.
Name servers used as forwarders must process recursive queries, too.