Provided by: lire_2.1.1-2.1_all

NAME

       bind9_query2dlf - convert BIND9 querylogs to dlf

SYNOPSIS

       bind9_query2dlf

DESCRIPTION

       bind9_query2dlf expects BIND 9 query log files on stdin.

       If you have a

               channel query_logging {
                       file "/var/log/named_querylog"
                       versions 3 size 100M;
                       print-time yes;                 // timestamp log entries
               };

       in your named.conf, the produced logfiles are supported.  Optionally, you could add

                       print-category yes;             // print category name
                       print-severity yes;             // print severity level

       to this channel.  Query logs as produced by a patched BIND (see NOTES below) are supported too.

       We also support BIND 9.3 log files, which use a new date format (15-Jul-2002) instead of the old
       syslog-style one.

EXAMPLE

       With print-time, print-category and print-severity set:

        Feb 25 11:09:43.651 queries: info: client 10.0.0.3#1035:
         query: 3.example.com.nl IN A
        Feb 25 11:09:48.739 queries: info: client 10.0.0.3#1035:
         query: 3.example.com.nl IN A
        Feb 25 12:50:32.476 queries: info: client 10.0.0.3#1035:
         query: 21.example.com.co.uk IN A
        Feb 25 12:50:34.110 queries: info: client 10.0.0.3#1035:
         query: 22.example.com IN A
        Feb 25 12:50:34.525 lame-servers: info: lame server on
         '22.example.com' (in '23.example.com'?): 10.0.0.4#53
        Feb 25 12:50:34.715 queries: info: client 10.0.0.3#1035:
         query: 24.example.com IN A
        Feb 26 07:30:08.211 queries: info: client 10.0.0.1#1050:
         query: 1.0.0.10.in-addr.arpa IN PTR
        Feb 26 12:26:55.455 queries: info: client 10.0.0.1#1051:
         query: 28.example.com.nl IN MX
        Feb 04 04:02:00.932 general: info: loading configuration
         from '/etc/336.example.com'
        Feb 18 04:02:01.023 security: warning: zone
         '337.example.com.nl' allows updates by IP address, which
         is insecure
        Feb 18 04:02:01.049 config: warning: option 'use-id-pool'
         is obsolete
        Feb 18 04:02:01.049 config: warning: option 'check-names'
         is not implemented
        Feb 18 04:02:01.049 config: warning: option
         'statistics-interval' is not yet implemented
        Feb 18 04:02:01.049 network: info: no IPv6 interfaces found
        Feb 04 16:47:18.289 security: info: client 10.0.0.201#137:
         query denied
        Feb 20 07:26:53.731 general: info: running
        Feb 13 08:01:56.138 general: info: shutting down
        Feb 13 08:01:56.140 network: info: no longer listening on
         10.0.0.3#53
        Feb 14 08:02:13.983 general: info: refresh_callback: zone
         384.example.com/IN: failure for 10.0.0.204#53: timed out

       With only print-time set:

        Aug 27 04:07:13.361 client 127.0.0.1#3123: query: foo.com IN ANY
        Aug 27 04:07:13.438 client 127.0.0.1#3123: query: fu.bar.nl IN AAAA
        Aug 27 04:07:13.443 client 127.0.0.1#3123: query: fu.bar.nl IN A

EXAMPLES

       To process a log as produced by bind9:

        $ bind9_query2dlf < dns-query

       bind9_query2dlf will rarely be used on its own; it is more likely called by lr_log2report:

        $ lr_log2report bind9_query < /var/log/dns-query

NOTES

       BIND 9 versions before 9.3 did not log whether the query was recursive, so the last DLF field
       (DLF_RESOLVER) is a '-'.  However, applying this patch by Wytze van der Raay:

        # patch bin/named/query.c to log recursive/non-recursive query indication
        SRC=bin/named/query.c
        if [ -f ${SRC}.org ]
        then
                echo "Patched ${SRC} already in place"
        else
                echo "Patch ${SRC} for recursive/non-recursive query indication"
                cp -p ${SRC} ${SRC}.org
                patch -p0 ${SRC} <<\!
        --- bin/named/query.c.org       Mon Sep 24 22:57:48 2001
        +++ bin/named/query.c   Tue Sep 25 09:55:21 2001
        @@ -3272,7 +3272,8 @@
                dns_rdatatype_format(rdataset->type, typename, sizeof(typename));

                ns_client_log(client, NS_LOGCATEGORY_QUERIES, NS_LOGMODULE_QUERY,
        -                     level, "query: %s %s %s", namebuf, classname, typename);
        +                     level, "query: %s %s %s%s", namebuf, classname, typename,
        +                     WANTRECURSION(client) ? "+" : "-");
         }

         void
        !
        fi
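       Review bot: the new format string "query: %s %s %s%s" glues the recursion indicator directly onto the
       type name, so the last token of the line becomes A+ or A- rather than a bare RR type; any consumer that
       splits the line on whitespace and expects a valid type token has to special-case that suffix.  The
       ISC-compatible form "query: %s %s %s %s", shown further down this page, keeps the type field intact
       and is the safer format to adopt.  A one-line comment above the ns_client_log call documenting the
       '+'/'-' convention would also help, since nothing in the hunk explains it.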

       will yield loglines like

        Nov 11 12:06:42.829 queries: info: client 10.0.0.1#3664:
          query: 6.example.com.nl IN A+

       A '+' indicates a recursive query, a '-' indicates a non-recursive query, and the lack of either
       indicates an unpatched pre-9.3 BIND 9.  See Wytze's message of Fri, 28 Dec 2001 16:56:30 +0100 on
       bind9-workers@isc.org, archived at http://www.mail-archive.com/bind9-workers@isc.org/msg00501.html .

       This type of log file is recognised by the script.

       BIND 9.3 or later does offer full support for this logging feature.  In addition, it logs view, signer
       and EDNS information, all of which will be ignored by this version of the script.

       In a private discussion on Thu, 18 Jul 2002 07:55:22 +0200, Wytze wrote:

        This contains the "ISC-compatible" version of the patch for getting a
        recursive/non-recursive request logged. ISC decided there should be a space
        between the type and the recursion indicator in the logfile, so be it.

       If you want your BIND 9.2.1 to log in the ISC-compatible 9.3 style, apply this patch to your BIND
       sources:

        --- bin/named/query.c.org       Thu Mar 28 06:10:09 2002
        +++ bin/named/query.c   Wed Jul 17 08:14:41 2002
        @@ -3279,7 +3279,8 @@
                dns_rdatatype_format(rdataset->type, typename, sizeof(typename));

                ns_client_log(client, NS_LOGCATEGORY_QUERIES, NS_LOGMODULE_QUERY,
        -                     level, "query: %s %s %s", namebuf, classname, typename);
        +                     level, "query: %s %s %s %s", namebuf, classname, typename,
        +                     WANTRECURSION(client) ? "+" : "-");
         }

         void
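       Review bot: WANTRECURSION(client) reflects the recursion-desired bit the client set in its request, not
       whether the server will actually recurse for that client (that is decided by the server's recursion
       ACL), so the logged '+' means "recursion requested", and a report built on this field should label it
       that way rather than as "recursive query served".  The hunk itself carries no comment stating the
       '+'/'-' convention; a short one above the ns_client_log call would make the log format self-describing.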

       This script understands both Wytze-style and ISC-style recursiveness indication.
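       The following is an added example, not code from Lire or from bind9_query2dlf itself.  It shows a
       parser for the query-log variants this page describes: old syslog-style and 9.3-style timestamps,
       with or without the print-category/print-severity fields, with no recursion indicator (unpatched
       pre-9.3), with the Wytze-style glued indicator (A+) and with the ISC-style spaced indicator (A +).
       It also maps the indicator onto the DLF_RESOLVER convention given above ('-' when the log does not
       say) and counts "query denied" lines, which the page's example log contains.  The sample log lines
       are constructed for this example (one record per line; the man page wraps its examples for
       display), and the placement of a 9.3 "view" field is an assumption, since the page only says that
       such fields are ignored.

```python
"""Parse BIND 9 query-log lines in the variants described on this page.

Added example; not part of Lire.  Sample input is constructed.
"""
import re
from datetime import datetime
from typing import Dict, Optional

# Constructed sample lines modelled on the page's EXAMPLE and NOTES sections.
SAMPLE_LOG = """\
Feb 25 11:09:43.651 queries: info: client 10.0.0.3#1035: query: 3.example.com.nl IN A
Feb 04 16:47:18.289 security: info: client 10.0.0.201#137: query denied
Aug 27 04:07:13.361 client 127.0.0.1#3123: query: foo.com IN ANY
Nov 11 12:06:42.829 queries: info: client 10.0.0.1#3664: query: 6.example.com.nl IN A+
15-Jul-2002 08:14:41.003 queries: info: client 10.0.0.1#3665: query: 7.example.com.nl IN MX -
15-Jul-2002 08:14:42.117 queries: info: client 10.0.0.1#3666: view internal: query: 8.example.com IN AAAA +
Feb 18 04:02:01.049 config: warning: option 'use-id-pool' is obsolete
"""

# Old syslog-style stamp ("Feb 25 11:09:43.651") and the 9.3 style ("15-Jul-2002 11:09:43.651").
_TS_OLD = r'[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d\.\d{3}'
_TS_NEW = r'\d{2}-[A-Z][a-z]{2}-\d{4} \d\d:\d\d:\d\d\.\d{3}'

_LINE = re.compile(
    r'^(?P<ts>' + _TS_OLD + '|' + _TS_NEW + r') '
    r'(?:(?P<category>[\w-]+): (?P<severity>\w+): )?'   # present with print-category/print-severity
    r'client (?P<ip>[0-9A-Fa-f.:]+)#(?P<port>\d+): '
    r'(?:view \S+: )?'                                  # assumed placement of the 9.3 view field; ignored
    r'(?P<rest>.*)$'
)

# Type token, then either a glued Wytze-style indicator ("A+") or a spaced ISC-style one ("A +").
# Anything after the indicator (extra 9.3 fields) is tolerated and ignored.
_QUERY = re.compile(
    r'^query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>[A-Za-z0-9]+)'
    r'(?P<wytze>[+-])?(?: (?P<isc>[+-]))?'
)


def parse_line(line: str) -> Optional[Dict[str, object]]:
    """Return a record for a client query or denial line, None for any other line."""
    m = _LINE.match(line.rstrip('\n'))
    if not m:
        return None
    rec: Dict[str, object] = {
        'ts': m.group('ts'),
        'category': m.group('category'),
        'severity': m.group('severity'),
        'client_ip': m.group('ip'),
        'client_port': int(m.group('port')),
    }
    rest = m.group('rest')
    q = _QUERY.match(rest)
    if q:
        rec.update(event='query', qname=q.group('qname'), qclass=q.group('qclass'),
                   qtype=q.group('qtype'),
                   # None when the log carries no indicator (unpatched pre-9.3 BIND 9)
                   recursion=q.group('isc') or q.group('wytze'))
    elif rest == 'query denied':
        rec['event'] = 'denied'
    else:
        return None
    return rec


def dlf_resolver(rec: Dict[str, object]) -> str:
    """DLF_RESOLVER field: '+' or '-' as logged, '-' when the log does not say."""
    return str(rec.get('recursion') or '-')


def parse_timestamp(ts: str, assume_year: int = 2002) -> datetime:
    """Old syslog-style stamps carry no year, so the caller supplies one (assumption).

    strptime parses the old form against year 1900, so a 'Feb 29' stamp would be rejected
    before the year is substituted; real input should be post-processed with that in mind.
    """
    if re.match(_TS_NEW, ts):
        return datetime.strptime(ts, '%d-%b-%Y %H:%M:%S.%f')
    return datetime.strptime(ts, '%b %d %H:%M:%S.%f').replace(year=assume_year)


def summarize(text: str) -> Dict[str, int]:
    """Count queries, recursion-requested queries, denied queries and unparsed lines."""
    counts = {'queries': 0, 'recursive': 0, 'denied': 0, 'other': 0}
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            counts['other'] += 1
        elif rec['event'] == 'denied':
            counts['denied'] += 1
        else:
            counts['queries'] += 1
            if rec.get('recursion') == '+':
                counts['recursive'] += 1
    return counts


if __name__ == '__main__':
    for sample in SAMPLE_LOG.splitlines():
        r = parse_line(sample)
        if r and r['event'] == 'query':
            print(parse_timestamp(str(r['ts'])).isoformat(), r['client_ip'],
                  r['qname'], r['qclass'], r['qtype'], dlf_resolver(r))
    print(summarize(SAMPLE_LOG))
```

       Run it as `python3 parse_bind9_query.py`; on the constructed sample it reports five queries, two of
       them with recursion requested, one denied query and one line that is not a client record.  Note that
       the '-' in DLF_RESOLVER conflates "non-recursive" with "unknown", exactly as the text above states for
       unpatched servers; keep the raw `recursion` value if a report needs to tell the two apart.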

THANKS

       Wytze van der Raay, for supplying the BIND 9 query log patch.

SEE ALSO

       bind8_query2dlf(1), and the BIND 9 online documentation as distributed with BIND (unfortunately not
       online at http://isc.org/ ; you might like http://doc.mdcc.cx/doc/bind/html/logging.html though).

VERSION

       $Id: bind9_query2dlf.in,v 1.7 2006/07/23 13:16:33 vanbaal Exp $

COPYRIGHT

       Copyright (C) 2001 Joost Bekkers <joost@jodocus.org>, Copyright (C) 2000, 2001, 2002 Stichting LogReport
       Foundation LogReport@LogReport.org

       This program is free software; you can redistribute it and/or modify it under the terms of the GNU
       General Public License as published by the Free Software Foundation; either version 2 of the License, or
       (at your option) any later version.

       This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even
       the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU General Public
       License for more details.

       You should have received a copy of the GNU General Public License along with this program (see COPYING);
       if not, check with http://www.gnu.org/copyleft/gpl.html.

AUTHOR

       Joost Bekkers <joost@jodocus.org>, based on Edwin Groothuis and Joost van Baal's work, now maintained by
       the LogReport team.

Lire 2.1.1                                         2006-07-23                              BIND9_QUERY2DLF.IN(1)