Splunk® Supported Add-ons

Splunk Add-on for ISC BIND

Configure monitor inputs for the Splunk Add-on for ISC BIND

For each ISC BIND log file that you want to monitor, configure a file monitoring input on the forwarder or Splunk platform instance installed directly on your ISC BIND server.

On a universal forwarder, configure local/inputs.conf directly. If you use a heavy forwarder, you have access to Splunk Web to create monitor inputs, or you can configure local/inputs.conf. Follow the directions below that match your use case.

Configure inputs in local/inputs.conf

  1. Using a text editor, create a file named inputs.conf in the $SPLUNK_HOME/etc/apps/Splunk_TA_isc-bind/local folder.
  2. Add the following stanzas and lines, and save the file:
    [monitor:///var/log/named/queries.log]
    sourcetype = isc:bind:query
    disabled = 0
    
    [monitor:///var/log/named/query-errors.log]
    sourcetype = isc:bind:queryerror
    disabled = 0
    
    [monitor:///var/log/named/network.log]
    sourcetype = isc:bind:network
    disabled = 0
    
    [monitor:///var/log/named/notify.log]
    sourcetype = isc:bind:transfer
    disabled = 0
    
    [monitor:///var/log/named/lame-servers.log]
    sourcetype = isc:bind:lameserver
    disabled = 0
    
  3. Restart the forwarder.
  4. Verify that data is being ingested into the Splunk platform by running the following search and confirming that one or more events are returned.

    sourcetype=isc:bind:*
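
A pre-flight check of the local/inputs.conf written in step 2, as an added example that is not part of the add-on or of Splunk's documentation: it parses the [monitor://...] stanzas with Python's configparser, compares each stanza against the file-to-source-type mapping on this page, and reports any input that is disabled, carries a wrong source type, points somewhere other than the documented /var/log/named/ files, or is missing altogether. Running it before the forwarder restart catches the mistakes that otherwise surface only as an empty result from the verification search. The EXPECTED_SOURCETYPES mapping, the function names and the sample configuration (which deliberately contains one mistake of each kind) are constructed for the example.

```python
"""Pre-flight validator for a Splunk_TA_isc-bind local/inputs.conf.

Hypothetical helper, not part of the add-on.
"""
import configparser
import os
import re

# File -> source type mapping documented for the add-on (taken from this page).
EXPECTED_SOURCETYPES = {
    "/var/log/named/queries.log": "isc:bind:query",
    "/var/log/named/query-errors.log": "isc:bind:queryerror",
    "/var/log/named/lame-servers.log": "isc:bind:lameserver",
    "/var/log/named/network.log": "isc:bind:network",
    "/var/log/named/notify.log": "isc:bind:transfer",
}

# Constructed sample with one mistake of each kind: wrong source type,
# input disabled, path outside /var/log/named/, and a missing stanza (notify.log).
SAMPLE_INPUTS_CONF = """\
[monitor:///var/log/named/queries.log]
sourcetype = isc:bind:query
disabled = 0

[monitor:///var/log/named/query-errors.log]
sourcetype = isc:bind:query_error
disabled = 0

[monitor:///var/log/named/network.log]
sourcetype = isc:bind:network
disabled = 1

[monitor:///var/log/lame-servers.log]
sourcetype = isc:bind:lameserver
disabled = 0
"""


def parse_inputs_conf(text):
    """Return {monitored_path: {key: value}} for every [monitor://...] stanza.

    inputs.conf is INI-like, so configparser handles it; '=' is the only
    delimiter because the source type values themselves contain colons.
    """
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.optionxform = str  # keep key names exactly as written
    cp.read_string(text)
    stanzas = {}
    for section in cp.sections():
        m = re.match(r"monitor://(.+)$", section)
        if m:
            stanzas[m.group(1)] = dict(cp[section])
    return stanzas


def check_inputs(stanzas, check_files=False):
    """Return a list of problem descriptions; an empty list means the config is consistent.

    check_files=True additionally confirms that each monitored file exists on
    this host (off by default so the check can run anywhere).
    """
    problems = []
    for path, kv in stanzas.items():
        expected = EXPECTED_SOURCETYPES.get(path)
        actual = kv.get("sourcetype")
        if expected is None:
            problems.append(f"{path}: not one of the documented ISC BIND log files")
        elif actual != expected:
            problems.append(f"{path}: sourcetype is {actual!r}, expected {expected!r}")
        if kv.get("disabled", "0").lower() not in ("0", "false"):
            problems.append(f"{path}: input is disabled")
        if check_files and not os.path.isfile(path):
            problems.append(f"{path}: file not found on this host")
    for path in EXPECTED_SOURCETYPES:
        if path not in stanzas:
            problems.append(f"{path}: no monitor stanza")
    return problems


def render_inputs_conf():
    """Generate a correct local/inputs.conf body from the documented mapping."""
    return "".join(
        f"[monitor://{path}]\nsourcetype = {sourcetype}\ndisabled = 0\n\n"
        for path, sourcetype in EXPECTED_SOURCETYPES.items()
    )


if __name__ == "__main__":
    # Checks the constructed sample; pass a real file's contents instead to check a host.
    for problem in check_inputs(parse_inputs_conf(SAMPLE_INPUTS_CONF)):
        print(problem)
```

On a real forwarder, read $SPLUNK_HOME/etc/apps/Splunk_TA_isc-bind/local/inputs.conf into parse_inputs_conf and call check_inputs with check_files=True so that a log file BIND is not actually writing is reported as well; render_inputs_conf produces a clean version of the file when you would rather regenerate it than hand-edit.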


Configure inputs through Splunk Web

This option is only available if your data collection node has Splunk Web enabled.

  1. Log into Splunk Web on your data collection node.
  2. Select Settings > Data inputs > Files & directories.
  3. Click New.
  4. Click Browse next to the File or Directory field.
  5. Navigate to one of the log files that was generated by the ISC BIND server (listed in the table), and click Next.
  6. Next to Sourcetype, click Manual to enter a source type manually.
  7. In the Sourcetype field, type the source type that corresponds to the log file from the table.
  8. Click Review.
  9. After you review the information, click Submit.
  10. Repeat these steps for each log file listed in the table, using the source type that corresponds to each file.
    Filename                          Source type
    /var/log/named/queries.log        isc:bind:query
    /var/log/named/query-errors.log   isc:bind:queryerror
    /var/log/named/lame-servers.log   isc:bind:lameserver
    /var/log/named/network.log        isc:bind:network
    /var/log/named/notify.log         isc:bind:transfer
  11. After you configure monitoring, verify that data is being ingested into the Splunk platform by running the following search and confirming that one or more events are returned.

    sourcetype=isc:bind:*

Last modified on 21 July, 2021

This documentation applies to the following versions of Splunk® Supported Add-ons: released

