I have to say I agree with the approach of putting this extra info into a separate file. I appreciate this could cause additional problems (disk utilisation, extra I/O's, log rolling etc.) but I would prefer to keep the query log format as stable as possible. I am still mopping up the last big change when ISC added the FQDN reference at the start of each message and I'm getting a little tired of dealing with customers and their broken regex's when log formats change because they've upgraded BIND.
There are also wider implications - there are products out there that hard code the regex and it can't be modified, so that then requires dealing with vendors, submitting bug reports/enhancement requests, providing evidence, business impact statements, also I have to perform root cause analysis for customers why their SIEM is no longer capturing the logs, which can have serious regulatory implications and consequences (banks etc.), then there's testing every upgrade in the lab before we run in production etc., I have enough work on my plate as it is! :-)

Basically there's a whole world of pain out there that can be avoided if you just keep the log format the same. :-)

Thanks,
Paul

-----Original Message-----
From: bind-users [mailto:bind-users-boun...@lists.isc.org] On Behalf Of MURTARI, JOHN
Sent: 06 February 2017 17:05
To: bind-users@lists.isc.org
Subject: RE: Bind Queries log file format

[snip]

> The additional logging info is specifically for the unusual bugs,
> which happen very rarely - asking customers to enable the additional
> logs after a rare event (which might not happen again for months /
> years) means that ISC cannot hunt down and squash the corner case
> bugs...

I can understand the above. ISC needs the data to help debug a once-in-a-blue-moon crash. But many busy sites do not have query logging turned on at all (or only run sampling periods) and would not benefit anyway. It would seem this debug info should be moved to a separate log used only for that purpose and always 'on'. But that brings up other issues....

I've been a sys admin for many years. If a utility crashes enough to bother me I'll turn on more detailed logging.....
John

_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users