Forum Discussion
DNS query logging
I need to be able to do DNS query logging for my GTM. I have a GTM and LTM. I am looking at the directions for configuring high speed logging and confused on what objects get created on the LTM and GTM. It looks like the profile gets created on the GTM and I modify the listeners to use the new profile. The other objects (publisher, remote logging pool, publisher) get created on the LTM. But I don't see what tells the GTM to publish to the LTM.
It would make more sense if the Logging could all be done from the GTM.
Is there an iRule I can put on the GTM that logs all DNS queries to a remote log server?
10 Replies
- Brad_Parker
Cirrus
Your DNS profile is what connects the DNS logging profile to the listener. The DNS logging profile uses a log publisher which uses a logging destination. All of which actually runs in LTM (tmm) even though it is attached to a DNS listener that is part of GTM. Very little of GTM actually runs in the gtmd process anymore (BIND still does; that's why it's not recommended to resolve DNS from on-box BIND) as it is single threaded, whereas tmm runs using CMP. I highly recommend sticking with High Speed Logging via the profile; it will perform better than doing it with an iRule. Built-in features are more highly optimized than iRules.
- pedinopa_170325
Nimbostratus
So focusing on the GTM. I modify the listener to use the Logging profile (in which I have to select the pool). The profile gets created on the LTM, so how does it become usable to the GTM (does the GTM see whatever profiles get created on the LTM)?
Do I configure remote logging destination and publishers on the GTM or only on the LTM?
- Brad_Parker
Cirrus
Are you saying your "LTM" and "GTM" are two separate devices? What BigIP version are you running? While your GTM may not have the LTM module provisioned, the components of it still essentially run in LTM (tmm). You need to create a pool that you will be sending your high speed logging to (location in GUI depends on version), create a log destination that uses that pool, then use that destination in your log publisher (this is done in the log configuration). You then create your DNS logging profile using the publisher you created. Your new DNS logging profile will then be enabled in the DNS profile that is attached to your listener. All this is on the same device. Depending on the BigIP version, the location of these items in the GUI will be a little bit different.
- pedinopa_170325
Nimbostratus
Yes, my GTM is a separate system from my LTM. I am running 11.51 HF5. Since the GUI does not allow me to provision LTM objects, do I need to do it from the command line? LTM functions are not licensed for this box.
- Brad_Parker
Cirrus
Nope, the pools and nodes for HSL will live under DNS ›› Delivery : Load Balancing : Pools : Pool List. Your DNS logging profile will live under DNS ›› Delivery : Profiles : Other : DNS Logging. Your log destination and publisher will live under System ›› Logs : Configuration : Log Destinations. Your DNS profile will live under DNS ›› Delivery : Profiles : DNS. And lastly, your listener lives under DNS ›› Delivery : Listeners : Listener List. I hope this helps you more. Like I said, while these items technically run in LTM, it is under the hood in GTM. TMM is the process running these services, and while it's associated with LTM, it performs functions for several other modules without having to actually provision LTM.
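The same chain of objects written out as tmsh commands on the GTM device itself (pool, destination, publisher, DNS logging profile, DNS profile, listener). This is an added example, not from the thread or from F5 documentation; the object names, the 192.0.2.10 collector address and the listener name are assumptions, and property names are as on 11.5.x, so check them against your version.

```tmsh
# Added example (not from this thread): the HSL chain for DNS query logging,
# built entirely on the GTM. Names and 192.0.2.10 are placeholders.

# 1. Pool of remote log collectors (DNS >> Delivery : Load Balancing : Pools).
#    Port and protocol are whatever the collector expects; 514/UDP is the
#    usual syslog default. No monitor, so a down collector does not alarm.
create ltm pool hsl_syslog_pool members add { 192.0.2.10:514 } monitor none

# 2. Log destination that sends to that pool (System >> Logs : Configuration).
create sys log-config destination remote-high-speed-log hsl_syslog_dest pool-name hsl_syslog_pool protocol udp

# 3. Publisher that writes to the destination.
create sys log-config publisher dns_query_publisher destinations add { hsl_syslog_dest }

# 4. DNS logging profile that uses the publisher. Query logging only;
#    response logging roughly doubles the volume, enable it only if needed.
create ltm profile dns-logging dns_query_logging log-publisher dns_query_publisher enable-query-logging yes enable-response-logging no

# 5. DNS profile that references the logging profile (enable-logging must be yes).
create ltm profile dns dns_with_logging defaults-from dns log-profile dns_query_logging enable-logging yes

# 6. Attach the DNS profile to the existing UDP listener, keeping its UDP profile.
modify gtm listener my_dns_listener profiles replace-all-with { udp_gtm_dns dns_with_logging }

save sys config
```

To confirm logs actually leave the box, run `tcpdump -nni 0.0 udp port 514` from the BIG-IP bash shell while sending a test query to the listener. If the collector needs standard syslog framing rather than raw HSL messages, wrap the HSL destination in a `remote-syslog` destination and point the publisher at that instead.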
- pedinopa_170325
Nimbostratus
Thank you for your help I think I see what I need now.
When I add the node member to the pool, would the service profile be SNMP?
Should the log destination use TCP or UDP (or do I need one for each protocol)?
- Brad_Parker
Cirrus
The port on the pool is dictated by your logging server and the protocol on the log destination is also dictated by your logging server. It will depend on your logging server, but most syslog servers use port 514 and UDP.
- pedinopa_170325
Nimbostratus
Thank you
- Brad_Parker
Cirrus
Please remember to mark as answered if you feel your question was adequately answered.