Ingest dns queries into elk from dozens of bind9 server

Hello everyone.

I'm looking for the best way (if there is one!) to ingest DNS queries from bind9 servers. The environment is composed of about 15 "clusters" of DNS servers (1 master and 3 slaves per cluster) that are already in production, with logging kept local only. The goal is to centralise the logs to gain global visibility.

I'm testing in the lab a solution that uses a syslog channel in the bind9 configuration to send to the local (r)syslog daemon of each server, and then, in the rsyslog config, forwarding to a remote Logstash for parsing (using the existing grok DNS filter) and injecting into Elastic.

Bind9 config for this lab (the channel and category must sit inside a `logging` block):

    logging {
        // Send the channel to the local syslog daemon on facility local6,
        // which is what the rsyslog forwarding rule matches on.
        channel "syslog" {
            syslog local6;
            print-time yes;
        };
        // Route the query log to that channel.
        category queries { "syslog"; };
    };

This is working quite well, except that the DNS servers are already in production and this change to their config needs the bind9 daemon to be restarted, which may be impactful in production.
Is there a safer/better way to achieve this? I'm open to every idea that could help.
Thank you !
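As an added example (not code from the original post, and not a Logstash grok pattern), the following Python parser shows what a collector at the Logstash end of the pipeline described above actually has to deal with: an RFC 3164-style syslog header prepended by rsyslog, followed by named's query-log message. Two details it handles that a grok filter also needs to: with `print-time yes` on a syslog channel, named prepends its own timestamp in addition to the one syslog adds (the BIND ARM recommends against `print-time` on syslog channels for this reason), and BIND 9.11 and later insert a `@0x…` client-handle token after `client`. The sample lines are constructed for the example, the field names are my own choice, and the flag letters are decoded per the BIND query-log format (`+`/`-` recursion desired, `E(n)` EDNS version, `T` TCP, `D` DO bit, `C` CD bit, `S` signed).

```python
"""Parse BIND 9 query-log lines as forwarded over syslog by rsyslog.

Added example, not code from the original post. Sample lines below are
constructed; field names are an assumption, not a Logstash grok schema.
"""
import re
from typing import Optional

# RFC 3164-style header as rsyslog forwards it:
# optional <PRI>, "Mon dd HH:MM:SS", hostname, program[pid]: message
SYSLOG_RE = re.compile(
    r"^(?:<(?P<pri>\d{1,3})>)?"
    r"(?P<ts>[A-Z][a-z]{2} {1,2}\d{1,2} \d{2}:\d{2}:\d{2}) "
    r"(?P<host>\S+) (?P<prog>[^\[\s:]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$"
)

# Timestamp that 'print-time yes' prepends; redundant on a syslog channel.
BIND_TIME_RE = re.compile(r"^\d{2}-[A-Z][a-z]{2}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} ")

# named's query-log message. The "@0x..." token appears on BIND >= 9.11.
QUERY_RE = re.compile(
    r"^client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F.:]+)#(?P<sport>\d+)"
    r"(?: \([^)]*\))?: query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>\S+) \((?P<server>[0-9a-fA-F.:]+)\)$"
)


def decode_flags(flags: str) -> dict:
    """Decode the query-log flag string, e.g. '+E(0)K' or '-TD'."""
    edns = re.search(r"E\((\d+)\)", flags)
    rest = re.sub(r"E\(\d+\)", "", flags[1:])   # letters after the +/- marker
    return {
        "recursion_desired": flags[0] == "+",
        "edns_version": int(edns.group(1)) if edns else None,
        "tcp": "T" in rest,
        "dnssec_ok": "D" in rest,
        "checking_disabled": "C" in rest,
        "signed": "S" in rest,
    }


def parse_query_line(line: str) -> Optional[dict]:
    """Return a structured record for one forwarded query line, or None for
    anything that is not a query-log message (so the caller can count it)."""
    s = SYSLOG_RE.match(line)
    if not s:
        return None
    msg = s.group("msg")
    # Strip the duplicate timestamp added by print-time yes, but remember it
    # was there: it is a sign the channel config should drop print-time.
    bind_time = bool(BIND_TIME_RE.match(msg))
    msg = BIND_TIME_RE.sub("", msg, count=1)
    q = QUERY_RE.match(msg)
    if not q:
        return None
    pri = s.group("pri")
    rec = {
        "host": s.group("host"),
        "program": s.group("prog"),
        "pid": int(s.group("pid")) if s.group("pid") else None,
        "syslog_time": s.group("ts"),
        "facility": int(pri) // 8 if pri else None,   # 22 == local6
        "severity": int(pri) % 8 if pri else None,    # 6 == info
        "bind_timestamp_present": bind_time,
        "client": q.group("client"),
        "client_port": int(q.group("sport")),
        "qname": q.group("qname").rstrip(".").lower(),
        "qclass": q.group("qclass"),
        "qtype": q.group("qtype"),
        "server_ip": q.group("server"),
        "flags": q.group("flags"),
    }
    rec.update(decode_flags(q.group("flags")))
    return rec


# Constructed sample lines (not from a real server): one from a newer BIND
# with print-time yes, one from an older BIND without it, and one non-query
# message from the same daemon that must be skipped rather than mis-parsed.
SAMPLE_LINES = [
    "<182>Jan 10 12:00:01 ns1 named[1234]: 10-Jan-2024 12:00:01.123 client "
    "@0x7f3c5c0a1b20 192.0.2.10#54321 (www.example.com): query: "
    "www.example.com IN A +E(0)K (192.0.2.1)",
    "<182>Jan 10 12:00:02 ns2 named[4321]: client 2001:db8::5#443 "
    "(example.net): query: example.net IN MX -TD (2001:db8::1)",
    "<182>Jan 10 12:00:03 ns1 named[1234]: 10-Jan-2024 12:00:03.005 client "
    "@0x7f3c5c0a1b20 192.0.2.10#54321 (www.example.com): query (cache) "
    "'www.example.com/A/IN' denied",
]


def parse_many(lines):
    """Parse a batch; return (records, number of lines skipped)."""
    records, skipped = [], 0
    for line in lines:
        rec = parse_query_line(line)
        if rec is None:
            skipped += 1
        else:
            records.append(rec)
    return records, skipped


if __name__ == "__main__":
    recs, skipped = parse_many(SAMPLE_LINES)
    for r in recs:
        print(f"{r['host']}: {r['client']} -> {r['qname']} {r['qtype']} "
              f"rd={r['recursion_desired']} tcp={r['tcp']} "
              f"dup_timestamp={r['bind_timestamp_present']}")
    print(f"skipped {skipped} non-query line(s)")
```

The `bind_timestamp_present` field is worth keeping in the indexed document for a while: once every server reports `False`, the `print-time yes` line has been removed everywhere and the field can be dropped.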
