Cleaning up DNS

I downloaded and installed Splunk today. For those sys-admins out there not using it, what are you waiting for…

After installing the software and adding all my DNS logs, I noticed some pretty interesting items. The first was that my log files are huge! Mostly because of IPv6 queries. Apparently, somewhere down the road, ISC BIND started answering IPv6 type requests even if there are no IPv6 interfaces on the box. There is a new (to me) option “-4” that tells named to use IPv4 only. Now this would be pretty easy to add “If I ran any operating system other than Solaris!”. I love Solaris, but they make it seriously hard to add a simple start-up option to a service. After MUCH Google searching I found the answer:

svccfg -s network/dns/server:default setprop start/exec = "/usr/local/sbin/named -4"
svcadm refresh dns/server

This has significantly reduced the amount of logs that are generated. I also noticed a lot of errors from lame-delegations or invalid zones, so I added the following to my logging section:

category lame-servers {null;};

I am receiving almost no errors in my log files now.
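
Where that one-line category statement sits in named.conf, as an added example that is not from the original post: the first form is the post's setting, and the commented-out second form is an alternative that diverts the same messages to a small rotated file instead of discarding them. The channel name `lame_file` and the log path are assumptions.

```conf
logging {
    // The post's setting: drop everything in the lame-servers category.
    category lame-servers { null; };

    // Alternative (assumed channel name and path): keep the messages out of
    // the main log, but retain a bounded copy for later troubleshooting.
    // Enable this INSTEAD of the null line above, not alongside it.
    //
    // channel lame_file {
    //     file "/var/log/named/lame-servers.log" versions 3 size 5m;
    //     severity info;
    //     print-time yes;
    //     print-category yes;
    // };
    // category lame-servers { lame_file; };
};
```

Running `named-checkconf` against the edited file before restarting the service catches syntax errors in the logging block.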

One Response to “Cleaning up DNS”

  1. Henry says:

    http://logstash.net/ is supposed to be good too.

    I haven’t given it a spin yet…
