Configure monitor inputs for the Splunk Add-on for ISC BIND
For each ISC BIND log file that you want to monitor, configure a file monitoring input on the forwarder or Splunk platform instance installed directly on your ISC BIND server.
On a universal forwarder, configure local/inputs.conf directly. If you use a heavy forwarder, you have access to Splunk Web to create monitor inputs, or you can configure local/inputs.conf. Follow the directions below that match your use case.
Configure inputs in local/inputs.conf
- Using a text editor, create a file named inputs.conf in the $SPLUNK_HOME/etc/apps/Splunk_TA_isc-bind/local folder.
- Add the following stanzas and lines, and save the file:
[monitor:///var/log/named/queries.log]
sourcetype = isc:bind:query
disabled = 0

[monitor:///var/log/named/query-errors.log]
sourcetype = isc:bind:queryerror
disabled = 0

[monitor:///var/log/named/network.log]
sourcetype = isc:bind:network
disabled = 0

[monitor:///var/log/named/notify.log]
sourcetype = isc:bind:transfer
disabled = 0

[monitor:///var/log/lame-servers.log]
sourcetype = isc:bind:lameserver
disabled = 0
- Restart the forwarder.
- Verify that data is being ingested into the Splunk platform by using the following search command and verifying that one or more events is returned.
sourcetype=isc:bind:*
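Before restarting the forwarder, it is worth confirming that every monitor stanza points at a file that actually exists and is readable by the account the forwarder runs as, and that each stanza carries one of the add-on's source types; a stanza with a mistyped path silently produces no events. The following preflight script is an added example, not part of the add-on or its documentation. It assumes a Linux host, that inputs.conf uses the stanza layout shown above, and that the source type names are the five listed on this page; the function names are hypothetical.

```python
"""Preflight check for Splunk_TA_isc-bind monitor inputs (example, not add-on code).

Parses inputs.conf text, and for every [monitor://...] stanza confirms that the
path is a readable file, that the sourcetype is one the add-on recognizes, and
that the stanza is not disabled. Run it as the same user the forwarder runs as.
"""
import configparser
import os
import tempfile
from typing import Dict, List, Tuple

# Source types from the add-on documentation for ISC BIND logs.
EXPECTED_SOURCETYPES = {
    "isc:bind:query",
    "isc:bind:queryerror",
    "isc:bind:network",
    "isc:bind:transfer",
    "isc:bind:lameserver",
}

MONITOR_PREFIX = "monitor://"


def parse_monitor_stanzas(conf_text: str) -> Dict[str, Dict[str, str]]:
    """Return {path: {key: value}} for each monitor stanza in inputs.conf text."""
    # interpolation=None: values contain no '%' substitutions in inputs.conf.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case exactly as written
    parser.read_string(conf_text)
    stanzas: Dict[str, Dict[str, str]] = {}
    for section in parser.sections():
        if section.startswith(MONITOR_PREFIX):
            path = section[len(MONITOR_PREFIX):]
            stanzas[path] = dict(parser[section])
    return stanzas


def check_inputs(conf_text: str) -> List[str]:
    """Return a list of findings; an empty list means every stanza looks sane."""
    findings: List[str] = []
    stanzas = parse_monitor_stanzas(conf_text)
    if not stanzas:
        findings.append("no [monitor://...] stanzas found")
    for path, settings in stanzas.items():
        sourcetype = settings.get("sourcetype")
        if sourcetype not in EXPECTED_SOURCETYPES:
            findings.append(f"{path}: unexpected or missing sourcetype {sourcetype!r}")
        if settings.get("disabled", "0").strip().lower() not in ("0", "false"):
            findings.append(f"{path}: stanza is disabled")
        if not os.path.isfile(path):
            findings.append(f"{path}: file does not exist")
        elif not os.access(path, os.R_OK):
            findings.append(f"{path}: not readable by this user")
    return findings


def self_check() -> Tuple[List[str], List[str]]:
    """Exercise the checker on a constructed good and a constructed bad config.

    Returns (findings_for_good_conf, findings_for_bad_conf). The bad config has a
    wrong sourcetype, is disabled, and points at a path that does not exist.
    """
    workdir = tempfile.mkdtemp(prefix="bind-inputs-")
    log_path = os.path.join(workdir, "queries.log")
    open(log_path, "w").close()  # constructed stand-in for the BIND query log
    good = f"[monitor://{log_path}]\nsourcetype = isc:bind:query\ndisabled = 0\n"
    bad = f"[monitor://{log_path}.missing]\nsourcetype = isc:bind:foo\ndisabled = 1\n"
    return check_inputs(good), check_inputs(bad)


if __name__ == "__main__":
    conf = os.path.expandvars("$SPLUNK_HOME/etc/apps/Splunk_TA_isc-bind/local/inputs.conf")
    with open(conf) as fh:
        for finding in check_inputs(fh.read()) or ["all monitor stanzas look sane"]:
            print(finding)
```

A stanza whose path does not match where your named.conf logging channels actually write is reported as "file does not exist", which is the most common reason sourcetype=isc:bind:* returns no events after a restart. A "not readable" finding points at file permissions or a logging directory that only the named user can enter.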
Configure inputs through Splunk Web
This option is only available if your data collection node has Splunk Web enabled.
- Log into Splunk Web on your data collection node.
- Select Settings > Data inputs > Files & directories.
- Click New.
- Click Browse next to the File or Directory field.
- Navigate to one of the log files that was generated by the ISC BIND server (listed in the table), and click Next.
- Next to Sourcetype, click Manual to enter a source type manually.
- In the Sourcetype field, type the source type that corresponds to the log file from the table.
- Click Review.
- After you review the information, click Submit.
- Complete the steps for each log file listed in the table to create an input to monitor each log file. Use the source type that corresponds to each log file.
| Filename | Source type |
| --- | --- |
| /var/log/named/queries.log | isc:bind:query |
| /var/log/named/query-errors.log | isc:bind:queryerror |
| /var/log/named/lame-servers.log | isc:bind:lameserver |
| /var/log/named/network.log | isc:bind:network |
| /var/log/named/notify.log | isc:bind:transfer |

- After you configure monitoring, verify that data is being ingested into the Splunk platform by using the following search command and verifying that one or more events is returned.
sourcetype=isc:bind:*