New Member
Posts: 4
Registered: ‎02-06-2014
Kudos: 20
Log DNS query to syslog

Hi,

I would like to log DNS queries to a syslog server. I already have the router logging to the syslog server.

I looked at this post and that says the log goes to /var/log/dnsmasq.log but I really want it to go to a syslog server

https://community.ubnt.com/t5/EdgeMAX/EdgeRouter-PoE-DNS-logging/m-p/1167143#M55236

Thanks,

All Replies
SuperUser
Posts: 20,370
Registered: ‎09-17-2013
Kudos: 5109
Solutions: 1455

Re: Log DNS query to syslog

Might need to tell dnsmasq to log to syslog (in the dnsmasq config file).

New Member
Posts: 4
Registered: ‎02-06-2014
Kudos: 20

Re: Log DNS query to syslog

Below is the dnsmasq.conf file but it is autogenerated and will be changed when dnsmasq restarts.  I know I need to get the log-facility to change, but to what and how.  The vyatta man page says the default is daemon.  Will that go to syslog?  Also I tried "set service dns forwarding options 'log-facility" but that yielded an error.

Can anyone help?

#
# autogenerated by vyatta-dns-forwarding.pl on Mon Mar 30 21:01:07 EDT 2015
#
log-facility=/var/log/dnsmasq.log
interface=eth0
interface=eth2.17
interface=eth2.20
interface=eth2.25
interface=eth2.30
interface=eth2.40
cache-size=3000
log-queries
log-async=25

SuperUser
Posts: 20,370
Registered: ‎09-17-2013
Kudos: 5109
Solutions: 1455

Re: Log DNS query to syslog

Try editing vyatta-dns-forwarding.pl
Previous Employee
Posts: 13,551
Registered: ‎06-10-2011
Kudos: 5460
Solutions: 1656
Contributions: 2

Re: Log DNS query to syslog


jbaker31 wrote:
Below is the dnsmasq.conf file but it is autogenerated and will be changed when dnsmasq restarts.  I know I need to get the log-facility to change, but to what and how.  The vyatta man page says the default is daemon.  Will that go to syslog?  Also I tried "set service dns forwarding options 'log-facility" but that yielded an error.

Yeah dnsmasq does not allow log-facility to be repeated. You can modify the file "/opt/vyatta/sbin/vyatta-dns-forwarding.pl" on the router, commenting out the line with "log-facility" (add a "#" in front), then re-configure DNS forwarding so the conf file will be regenerated. Then it should by default log to syslog with facility "daemon". Note that you still need the "log-queries" discussed in the other thread, and how syslog is handled (severity, remote server, etc.) is configured using the "system syslog ..." configuration settings.
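The workaround above, as an added shell example (not code from the thread or from EdgeOS): one helper comments out the active log-facility line, the other reports where a dnsmasq.conf will send its logs, so the change can be checked before and after the conf file is regenerated. The two sample files are constructed stand-ins; the real line in /opt/vyatta/sbin/vyatta-dns-forwarding.pl is only assumed to contain the text "log-facility", and the helper names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread or from EdgeOS. Assumes the generator
# script prints a line containing "log-facility" and that the regenerated
# dnsmasq.conf carries at most one "log-facility=" setting.
set -eu

# Comment out every line mentioning log-facility that is not already a
# comment. Idempotent: running it twice leaves the file unchanged.
disable_log_facility() {
    tmp=$(mktemp)
    sed '/^[[:space:]]*#/!s/^\(.*log-facility.*\)$/#\1/' "$1" > "$tmp"
    cat "$tmp" > "$1"   # write back in place so mode and owner survive
    rm -f "$tmp"
}

# Print the active log-facility= value of a dnsmasq.conf, or nothing when
# none is active (dnsmasq then logs through syslog, facility daemon).
active_log_facility() {
    sed -n '/^[[:space:]]*#/!s/^log-facility=//p' "$1"
}

# Constructed stand-ins for the two files on the router.
GEN_SCRIPT=$(mktemp)
cat > "$GEN_SCRIPT" <<'EOF'
print $fh "log-facility=/var/log/dnsmasq.log\n";
print $fh "log-queries\n";
EOF
DNSMASQ_CONF=$(mktemp)
cat > "$DNSMASQ_CONF" <<'EOF'
#
# autogenerated by vyatta-dns-forwarding.pl (constructed sample)
#
log-facility=/var/log/dnsmasq.log
log-queries
EOF

# Before: queries go to the file. After: no active log-facility, so syslog.
active_log_facility "$DNSMASQ_CONF"
disable_log_facility "$GEN_SCRIPT"
disable_log_facility "$DNSMASQ_CONF"   # stands in for the regenerated conf
if [ -z "$(active_log_facility "$DNSMASQ_CONF")" ]; then
    echo "dnsmasq will log through syslog (facility daemon)"
fi
```

On the router the regeneration step is the configure / set service dns forwarding options 'log-queries' / commit sequence from this thread, and the script edit does not survive a firmware change.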

New Member
Posts: 4
Registered: ‎02-06-2014
Kudos: 20

Re: Log DNS query to syslog

Thanks, worked great
Emerging Member
Posts: 118
Registered: ‎01-17-2015
Kudos: 2
Solutions: 2

Re: Log DNS query to syslog

Good day, any guide on how to regenerate the DNS file? I would like to do the same thing.

thanks

Regular Member
Posts: 470
Registered: ‎09-03-2015
Kudos: 69
Solutions: 10

Re: Log DNS query to syslog

@UBNT-ancheng In Firmware 1.9 how would I accomplish this? I too want to forward DNS queries to a syslog. Is there a step by step?

SuperUser
Posts: 20,370
Registered: ‎09-17-2013
Kudos: 5109
Solutions: 1455

Re: Log DNS query to syslog


snet2 wrote:
@UBNT-ancheng In Firmware 1.9 how would I accomplish this? I too want to forward DNS queries to a syslog. Is there a step by step?

An-Cheng is no longer at UBNT.

Steps should be the same though.

Regular Member
Posts: 470
Registered: ‎09-03-2015
Kudos: 69
Solutions: 10

Re: Log DNS query to syslog

Thank you! I've done all the steps except "then re-configure DNS forwarding so the conf file will be regenerated." What do they mean by that?

Emerging Member
Posts: 62
Registered: ‎03-11-2016
Kudos: 6

Re: Log DNS query to syslog

I don't seem to be able to get my DNS log to go to syslog...

I can get it logging to a log file, then can see the logs stop going to the log file when I comment it out in the config.

Sanity check, my config file (x.x.x.x for privacy):

#
# autogenerated by vyatta-dns-forwarding.pl on Fri Jul  7 09:14:44 BST 2017
#
# log-facility=/var/log/dnsmasq.log
except-interface=pppoe0
except-interface=eth3
cache-size=10000
ptr-record=x.x.x.x.in-addr.arpa,SecureGateway
host-record=unifi,x.x.x.x
log-queries

# show service dns
forwarding {
cache-size 10000
except-interface pppoe0
except-interface eth3
options ptr-record=x.x.x.x.in-addr.arpa,SecureGateway
options host-record=unifi,x.x.x.x
options log-queries
}
[edit]

Anybody got it working? Could they post a sample syslog entry?

New Member
Posts: 2
Registered: ‎08-17-2017
Kudos: 2

Re: Log DNS query to syslog

1. Update DNS Options:

configure
set service dns forwarding options 'log-queries'
commit
save

2. Create a new file '/etc/rsyslog.d/dnsmasq.conf':

$ModLoad imfile
$InputFileName /var/log/dnsmasq.log
$InputFileTag EdgeDNS
$InputFileStateFile EdgeDNS1
$InputFileSeverity notice
$InputFileFacility local1
$InputFilePersistStateInterval 1000
$InputRunFileMonitor
# Forward what imfile read above. @HOST sends over UDP, @@HOST over TCP;
# a host name or an IP address both work. "*.*" here would forward every
# syslog message, not only the lines read from the dnsmasq file.
local1.* @SYSLOG_SERVER_HOST_NAME

3. Restart the dnsmasq and rsyslog services:

sudo service dnsmasq restart
sudo service rsyslog restart
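Once the lines reach the syslog server, this added shell example (not from the post) summarises dnsmasq's log-queries output per client, which is the part of a query log a defender usually looks at first. The log lines are a constructed sample in dnsmasq's "query[TYPE] NAME from CLIENT" format with an assumed host name "ubnt"; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the thread. The log lines are a constructed
# sample in dnsmasq's log-queries format as it lands in syslog (the "ubnt"
# host name is assumed); they are not captured traffic.
set -eu

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
Apr 22 05:02:11 ubnt dnsmasq[1234]: query[A] www.example.com from 192.168.1.10
Apr 22 05:02:11 ubnt dnsmasq[1234]: forwarded www.example.com to 8.8.8.8
Apr 22 05:02:11 ubnt dnsmasq[1234]: reply www.example.com is 93.184.216.34
Apr 22 05:02:12 ubnt dnsmasq[1234]: query[AAAA] www.example.com from 192.168.1.10
Apr 22 05:02:15 ubnt dnsmasq[1234]: query[A] unifi from 192.168.1.20
Apr 22 05:02:20 ubnt dnsmasq[1234]: query[PTR] 10.1.168.192.in-addr.arpa from 192.168.1.10
EOF

# Only "query[TYPE] NAME from CLIENT" is keyed on, so the prefix (dnsmasq's
# own timestamp, or syslog's timestamp and host name) does not matter.

# Total number of query lines; forwarded/reply/cached lines are ignored.
dns_query_count() {
    grep -Ec 'query\[[A-Z0-9]+] [^ ]+ from [^ ]+' "$1" || true
}

# "COUNT CLIENT" per client, busiest first: a quick way to spot a noisy host.
dns_queries_per_client() {
    awk 'match($0, /query\[[A-Z0-9]+] [^ ]+ from [^ ]+/) {
            split(substr($0, RSTART, RLENGTH), f, " "); n[f[4]]++ }
        END { for (c in n) print n[c], c }' "$1" | sort -rn
}

# Distinct names one client asked for, sorted.
dns_names_for_client() {
    awk -v ip="$2" 'match($0, /query\[[A-Z0-9]+] [^ ]+ from [^ ]+/) {
            split(substr($0, RSTART, RLENGTH), f, " ")
            if (f[4] == ip) print f[2] }' "$1" | sort -u
}

dns_queries_per_client "$SAMPLE_LOG"
```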

 

New Member
Posts: 29
Registered: ‎07-23-2016
Kudos: 1

Re: Log DNS query to syslog

Sounds appealing. From folks who have tried this, have you noticed any disadvantages to leaving this dns lookup syslogging on 24x7? Perhaps side effects like slower performance and/or higher CPU? Just trying to determine how likely I am to bump into a memory leak or other long term use surprises. I'm on EdgeRouter Lite v1.9.7+hotfix.4

New Member
Posts: 29
Registered: ‎07-23-2016
Kudos: 1

Re: Log DNS query to syslog

I gave it a try, using this similar guide:

https://nmaggioni.xyz/2018/02/17/Logging-DNS-queries-on-your-EdgeRouter/

and it worked, but only for about 30 minutes. Didn't seem to slow any browsing benchmarks I ran, when it was operational, which was very nice.

Short of restoring my previous config, now I'm wondering whether there is an easy way to back out of this configuration change. I'll try to contact the author. I'm also noticing my dns forwarding is now showing 0, despite my having set it to 1000 previously, not sure if that's related, but I'd like to experiment to find out...

ubnt@ubnt:~$ show dns forwarding statistics
----------------
Cache statistics
----------------
Cache size: 0
Queries forwarded: 0
Queries answered locally: 0
Total DNS entries inserted into cache: 0
DNS entries removed from cache before expiry: 0


New Member
Posts: 4
Registered: ‎09-23-2017

Re: Log DNS query to syslog

Hi @c3f23686, I'm the author of that article.

If you set up remote logging correctly, it is correct that DNS stats are empty: you can check the logfile at:

/var/log/dnsmasq.log

If it is empty, you successfully configured dnsmasq to stop logging to a file and instead direct everything to syslog (an empty or missing log-facility option in its config will direct logs to its parent daemon [source, --log-facility option]). DNS stats are generated by /opt/vyatta/bin/sudo-users/vyatta-op-dns-forwarding.pl, which in fact tries to parse the above mentioned log file.

My setup is working fine as I'm directing all my syslog messages to a Graylog instance.

What happened after 30 minutes? What exactly "stopped working", and how? Could it be that you are running out of space because something is still logging to file? Check fs usage with:

df -h

I'll also take this chance to remind everyone that this is kind of a dirty hack and will be erased on fw change.

New Member
Posts: 29
Registered: ‎07-23-2016
Kudos: 1

Re: Log DNS query to syslog

Excellent, thank you nmaggioni! A reboot of my router didn't help, syslog still has no entries other than the first 1/2 hr or so.

I'll hopefully have a chance to work on this later tonight. Meanwhile, I moved over to my second identical EdgeRouter Lite that had the same exact config, but not the DNS syslogging. It's on EdgeRouter ERLite-3/ERPoe-5 Firmware v1.10.1, and I'll record the process of implementing the steps in your article:

https://nmaggioni.xyz/2018/02/17/Logging-DNS-queries-on-your-EdgeRouter/

along with demonstrating vRealize Log Insight 4.6 working great with it, then will monitor it for a while, and report back here...

New Member
Posts: 29
Registered: ‎07-23-2016
Kudos: 1

Re: Log DNS query to syslog

Well, that didn't go too well. Firmware v1.10.1 with my using dnsmasq for DHCP didn't seem to get along with my Cox Communications Tuning Adapter, apparently refusing to grant it a lease or something. With family visiting just trying to watch a particular channel, I admittedly didn't do a lot of troubleshooting. I quickly put the previous EdgeRouter (ERLite-3/ERPoe-5 Firmware v1.9.7+hotfix.4) back in place again, and rebooted my DOCSIS 3.0 cable modem, and the Tuning Adapter, and family were happy again.

Glad to hear that DNS forwarding stats should read zero with my configuration, but does that also mean I can't cache DNS lookups locally, if I also want syslogging of DNS lookups?

My new self-install DOCSIS 3.1 cable modem just arrived for a speed bump from 300/30 to 1000/1000, so I'll need to focus on getting that going, before I circle back and try syslogging of DNS troubleshooting again.

It will be interesting to see if my little ERLite-3 holds up to that important duty. Such speeds were something I had in mind when I bought it back in July of 2016, thinking Gigablast was just around the corner, but I'm so glad this day is finally here!


New Member
Posts: 29
Registered: ‎07-23-2016
Kudos: 1

Re: Log DNS query to syslog

Linux ubnt 3.10.20-UBNT #1 SMP Wed Aug 30 02:48:37 PDT 2017 mips64
Welcome to EdgeOS
ubnt@ubnt:~$ df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/root                 1.6G    185.5M      1.3G  12% /root.dev
unionfs                   1.6G    185.5M      1.3G  12% /
tmpfs                   241.9M    136.0K    241.8M   0% /run
tmpfs                   241.9M    136.0K    241.8M   0% /run
tmpfs                   241.9M    396.0K    241.6M   0% /var/log
tmpfs                   241.9M         0    241.9M   0% /dev/shm
tmpfs                   241.9M         0    241.9M   0% /tmp
none                    241.9M      1.4M    240.6M   1% /opt/vyatta/config
ubnt@ubnt:~$
New Member
Posts: 29
Registered: ‎07-23-2016
Kudos: 1

Re: Log DNS query to syslog

Forgot to share that my /var/log/dnsmasq.log file is zero length:

-rw-r--r-- 1 root root 0 Apr 22 05:02 dnsmasq.log
Regular Member
Posts: 303
Registered: ‎02-12-2013
Kudos: 82
Solutions: 23

Re: Log DNS query to syslog

@c3f23686

Mine looks like this:

-rw-r--r--    1 dnsmasq  root           571 Apr 19 18:40 dnsmasq.log

So I think you have an owner issue. Delete the log file and reboot the router.
