Example Session with NBS

1 BIND 9 Logging Configuration for Artificial Ignorance

For artificial-ignorance (AI) log analysis we do not want a time-stamp or the severity in the log messages: they would make every line unique and defeat the "never before seen" comparison.

Below is a BIND 9 configuration fragment that adds a dedicated AI log channel. It is recommended to keep writing the same log messages to your other file or syslog channels as well, because the AI log is deliberately stripped of that context. The channel default_syslog is built into BIND; the channels named, security, dnssec and capacity used below are assumed to be defined elsewhere in your logging statement:

  channel ai {
     file "ai-bind.log" versions 1 size 100M;
     print-time no;       // no time-stamp, otherwise every line is unique
     print-severity no;   // no severity prefix for the same reason
     severity warning;    // warning and above; use "info" if informational
                          // events such as zone loads should be analysed too
  };

  category default        { default_syslog;  named; ai; };
  category general        { default_syslog;  named; ai; };
  category security       { security; ai; };
  category dnssec         { dnssec; ai; };
  category database       { capacity; };
  category client         { default_syslog; named; ai; };
  category network        { default_syslog; named; ai; };

2 Installation of NBS on Debian Linux

  • Install Berkeley DB including its header files, and the Debian build tools:
sudo apt install libdb-dev build-essential
  • Download and extract the NBS source code. Please note the license included in the NBS source: NBS is not free software!
cd ~/src
wget http://www.ranum.com/security/computer_security/code/nbs.tar
tar xvf nbs.tar
cd nbs
  • For the NBS source to compile with a modern GCC/Clang toolchain, the code needs a small patch: nbspreen.c declares "extern int errno;", which conflicts with the errno macro of current C libraries. Replace that declaration with the proper include:
sed -i 's/.*extern\tint\terrno;.*/#include <errno.h>/' nbspreen.c
  • Compile the NBS source and install the program binaries:
make
sudo cp nbs nbsmk nbspreen nbsdump /usr/local/bin
  • Create a directory for the NBS database files. The user who later runs nbs needs write access to it, so either give the directory to that user (as below) or run all nbs commands with sudo:
sudo mkdir /var/lib/nbs
sudo chown "$USER" /var/lib/nbs
  • Create a new, empty NBS database for the BIND 9 log analysis:
cd /var/lib/nbs
nbsmk -d bind9.nbs

3 Using NBS on the BIND 9 log file

  • Import the existing BIND 9 AI log file into the database. The relative file name in the channel resolves against named's working directory, which on Debian is /var/cache/bind; the -s option prints the statistics summary at the end:
nbs -d bind9.nbs -i /var/cache/bind/ai-bind.log -s
[...]
managed-keys-zone: journal file is out of date: removing journal file
managed-keys-zone: loaded serial 6
zone 0.in-addr.arpa/IN: loaded serial 1
zone 255.in-addr.arpa/IN: loaded serial 1
zone 127.in-addr.arpa/IN: loaded serial 1
zone localhost/IN: loaded serial 2
all zones loaded
running
managed-keys-zone: Key 20326 for zone . acceptance timer complete: key now trusted
resolver priming query complete
NBS completed run (0 sec)
10 never before seen entries
10 lines of input processed (100.00% NBS)
10 total entries in database
  • Once new log entries have arrived, run the same command again. nbs reads the whole file each time but reports only the lines that are not yet in the database:
nbs -d bind9.nbs -i /var/cache/bind/ai-bind.log -s
  • The output lists every never-before-seen entry, followed by the summary:
received control channel command 'stop'
shutting down: flushing changes
stopping command channel on 127.0.0.1#953
stopping command channel on ::1#953
no longer listening on ::#53
no longer listening on 127.0.0.1#53
no longer listening on 161.35.222.138#53
no longer listening on 10.19.0.7#53
no longer listening on 10.135.0.3#53
exiting
managed-keys-zone: loaded serial 8
transfer of 'dnssec.works/IN' from 5.45.109.212#53: connected using 161.35.222.138#53105
NBS completed run (0 sec)
12 never before seen entries
170 lines of input processed (7.06% NBS)
150 total entries in database
  • The NBS output can be appended to a log file (here /var/log/nbs-bind.log), which is the form to use when nbs runs unattended, e.g. from cron:
nbs -d bind9.nbs -i /var/cache/bind/ai-bind.log -a /var/log/nbs-bind.log
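The two things this page relies on, an AI channel without time-stamp or severity (section 1) and repeated nbs runs that report only lines not yet in the database (section 3), can be reproduced in a few lines of Python. The following is an added example and not code from the NBS distribution or from this page: it stands a Python dbm file in for NBS's Berkeley DB, uses a normalize() function that strips a BIND 9 time-stamp/severity prefix after the fact (the page avoids the prefix in the channel instead), and runs over constructed BIND 9 log lines, not captured ones.

```python
"""Toy "never before seen" (artificial ignorance) log filter.

Added example in the spirit of Marcus Ranum's NBS; it is NOT the NBS source.
Assumptions (not from the page): a Python dbm file replaces NBS's Berkeley DB,
and the BIND 9 log lines below are constructed for the demo, not captured.
"""
import dbm
import os
import re
import tempfile

# BIND 9 prefixes "dd-Mon-yyyy hh:mm:ss.mmm " when print-time is on and
# "severity: " (e.g. "info: ", "debug 1: ") when print-severity is on.
# The page turns both off in the channel; this pattern does the same after
# the fact, so a default-format log can still be fed to the filter.
_PREFIX = re.compile(
    r"^(?:\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3} )?"
    r"(?:(?:critical|error|warning|notice|info|debug \d+): )?"
)


def normalize(line):
    """Strip time-stamp and severity so identical events compare equal."""
    return _PREFIX.sub("", line.rstrip("\n"))


def nbs_run(db_path, lines, normalizer=normalize):
    """One nbs run: report lines not yet in the database and remember them.

    Returns (new_lines, stats); stats mirrors the NBS summary: count of
    never-before-seen entries, lines processed, percent NBS, database size.
    """
    new_lines = []
    processed = 0
    with dbm.open(db_path, "c") as db:  # "c": create if missing, else reuse
        for raw in lines:
            if not raw.strip():
                continue
            processed += 1
            key = normalizer(raw)
            if key not in db:
                db[key] = b"1"
                new_lines.append(key)
        total = len(db)
    pct = round(100.0 * len(new_lines) / processed, 2) if processed else 0.0
    return new_lines, {"nbs": len(new_lines), "lines": processed,
                       "pct": pct, "total": total}


# Constructed sample: two days of a BIND 9 log written WITH print-time and
# print-severity (the default), so the normalizer has something to strip.
DAY1 = """\
03-Mar-2023 10:00:01.123 info: all zones loaded
03-Mar-2023 10:00:01.124 info: running
03-Mar-2023 10:00:02.500 info: resolver priming query complete
"""
DAY2 = """\
04-Mar-2023 10:00:01.200 info: all zones loaded
04-Mar-2023 10:00:01.201 info: running
04-Mar-2023 10:05:00.000 warning: zone example.test/IN: refresh: failure trying master 192.0.2.1#53: timed out
"""


def demo(normalizer=normalize):
    """Two runs against a fresh database, like the session on this page."""
    with tempfile.TemporaryDirectory() as tmp:
        db_path = os.path.join(tmp, "bind9.nbs")
        first, stats1 = nbs_run(db_path, DAY1.splitlines(), normalizer)
        second, stats2 = nbs_run(db_path, DAY2.splitlines(), normalizer)
    return first, stats1, second, stats2


if __name__ == "__main__":
    for label, norm in (("with normalize()", normalize),
                        ("raw lines", lambda s: s.rstrip("\n"))):
        first, s1, second, s2 = demo(norm)
        print(f"== {label} ==")
        print("run 1:", s1["nbs"], "never before seen of", s1["lines"],
              f"({s1['pct']:.2f}% NBS), {s1['total']} in database")
        print("run 2:", s2["nbs"], "never before seen of", s2["lines"],
              f"({s2['pct']:.2f}% NBS), {s2['total']} in database")
        for line in second:
            print("   ", line)
```

Running demo() gives the same picture as the session above: the first run reports every line (100% NBS), the second run only the one genuinely new warning. With the normalizer disabled, the time-stamps make every line of the second day "never before seen", which is exactly why the channel sets print-time no and print-severity no at the source.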