Debian 配置完logwatch后,测试日志时,发现bing9产生了大量的【 rpz QNAME Local-Data rewrite events】记录。
这是因为安装完bind9,我添加了DNS广告屏蔽的rewrite,所以logwatch 会出现大量的【 rpz QNAME Local-Data rewrite events】日志。
bind9具体日志内容如下:
--------------------- Named Begin ------------------------
**Unmatched Entries**
client @0x7f5348023700 192.168.1.10#49157 (events.gfe.nvidia.com): rpz QNAME Local-Data rewrite events.gfe.nvidia.com/AAAA/IN via events.gfe.nvidia.com.rpz: 1 Time(s)
client @0x7f5348023700 192.168.1.10#49161 (events.gfe.nvidia.com): rpz QNAME Local-Data rewrite events.gfe.nvidia.com/A/IN via events.gfe.nvidia.com.rpz: 1 Time(s)
client @0x7f5348023700 192.168.1.10#49163 (events.gfe.nvidia.com): rpz QNAME Local-Data rewrite events.gfe.nvidia.com/A/IN via events.gfe.nvidia.com.rpz: 2 Time(s)由于这些自己屏蔽广告记录太多,并且意义不大,所以告警时需要过滤掉这些记录, 方法如下:
打开 named.conf 文件
$ sudo vi /usr/share/logwatch/default.conf/services/named.conf在文件末尾,增加忽略关键字【 rpz QNAME Local-Data rewrite 】的操作,如下:
# 忽略掉 下面的日志记录
*Remove = rpz QNAME Local-Data rewrite最后命令行执行下logwatch, 确认是否已经移除掉了这些行:
$ sudo logwatch