Provided by: lire_2.1.1-2.1_all bug

NAME

       bind9_query2dlf - convert BIND9 querylogs to dlf

SYNOPSIS

       bind9_query2dlf

DESCRIPTION

       bind9_query2dlf expects BIND 9 query log files on stdin.

       If you have a

               channel query_logging {
                       file "/var/log/named_querylog"
                       versions 3 size 100M;
                       print-time yes;                 // timestamp log entries
               };

       in your named.conf, the produced logfiles are supported.  Optionally, you could add

                       print-category yes;             // print category name
                       print-severity yes;             // print severity level

       to this channel.  Query logs as produced by a patched BIND (see NOTES below) are supported
       too.

       We also support Bind 9.3 log file which uses a new date format (15-Jul-2002) instead of
       the old-syslog one.

EXAMPLE

       With print-time, print-category and print-severity set:

        Feb 25 11:09:43.651 queries: info: client 10.0.0.3#1035:
         query: 3.example.com.nl IN A
        Feb 25 11:09:48.739 queries: info: client 10.0.0.3#1035:
         query: 3.example.com.nl IN A
        Feb 25 12:50:32.476 queries: info: client 10.0.0.3#1035:
         query: 21.example.com.co.uk IN A
        Feb 25 12:50:34.110 queries: info: client 10.0.0.3#1035:
         query: 22.example.com IN A
        Feb 25 12:50:34.525 lame-servers: info: lame server on
         '22.example.com' (in '23.example.com'?): 10.0.0.4#53
        Feb 25 12:50:34.715 queries: info: client 10.0.0.3#1035:
         query: 24.example.com IN A
        Feb 26 07:30:08.211 queries: info: client 10.0.0.1#1050:
         query: 1.0.0.10.in-addr.arpa IN PTR
        Feb 26 12:26:55.455 queries: info: client 10.0.0.1#1051:
         query: 28.example.com.nl IN MX
        Feb 04 04:02:00.932 general: info: loading configuration
         from '/etc/336.example.com'
        Feb 18 04:02:01.023 security: warning: zone
         '337.example.com.nl' allows updates by IP address, which
         is insecure
        Feb 18 04:02:01.049 config: warning: option 'use-id-pool'
         is obsolete
        Feb 18 04:02:01.049 config: warning: option 'check-names'
         is not implemented
        Feb 18 04:02:01.049 config: warning: option
         'statistics-interval' is not yet implemented
        Feb 18 04:02:01.049 network: info: no IPv6 interfaces found
        Feb 04 16:47:18.289 security: info: client 10.0.0.201#137:
         query denied
        Feb 20 07:26:53.731 general: info: running
        Feb 13 08:01:56.138 general: info: shutting down
        Feb 13 08:01:56.140 network: info: no longer listening on
         10.0.0.3#53
        Feb 14 08:02:13.983 general: info: refresh_callback: zone
         384.example.com/IN: failure for 10.0.0.204#53: timed out

       With only print-time set:

        Aug 27 04:07:13.361 client 127.0.0.1#3123: query: foo.com IN ANY
        Aug 27 04:07:13.438 client 127.0.0.1#3123: query: fu.bar.nl IN AAAA
        Aug 27 04:07:13.443 client 127.0.0.1#3123: query: fu.bar.nl IN A

EXAMPLES

       To process a log as produced by bind9:

        $ bind9_query2dlf < dns-query

       bind9_query2dlf will be rarely used on its own, but is more likely called by
       lr_log2report:

        $ lr_log2report bind9_query < /var/log/dns-query

NOTES

       Bind9 versions before 9.3 did not log wether the query was recursive, therefore the last
       dlf field (DLF_RESOLVER) is a '-'.  However, applying this patch by Wytze van der Raay:

        # patch bin/named/query.c to log recursive/non-recursive query indication
        SRC=bin/named/query.c
        if [ -f ${SRC}.org ]
        then
                echo "Patched ${SRC} already in place"
        else
                echo "Patch ${SRC} for recursive/non-recursive query indication"
                cp -p ${SRC} ${SRC}.org
                patch -p0 ${SRC} <<\!
        --- bin/named/query.c.org       Mon Sep 24 22:57:48 2001
        +++ bin/named/query.c   Tue Sep 25 09:55:21 2001
        @@ -3272,7 +3272,8 @@
                dns_rdatatype_format(rdataset->type, typename, sizeof(typename));

                ns_client_log(client, NS_LOGCATEGORY_QUERIES, NS_LOGMODULE_QUERY,
        -                     level, "query: %s %s %s", namebuf, classname, typename);
        +                     level, "query: %s %s %s%s", namebuf, classname, typename,
        +                     WANTRECURSION(client) ? "+" : "-");
         }

         void
        !
        fi

       will yield loglines like

        Nov 11 12:06:42.829 queries: info: client 10.0.0.1#3664:
          query: 6.example.com.nl IN A+

       A '+' indicates a recursive query, - indicates a non-recursive query, the lack of + or -
       indicates a non-patched pre-9.3 bind9.  See Wytze's message of Fri, 28 Dec 2001 16:56:30
       +0100 on bind9-workers@isc.org , archived at
       http://www.mail-archive.com/bind9-workers@isc.org/msg00501.html .

       This type of logfiles is recognised by the script.

       BIND 9.3 or later does offer full support for this logging feature.  In addition, it logs
       view, signer and EDNS information, all of which will be ignored by this version of the
       script.

       In a private discussion on Thu, 18 Jul 2002 07:55:22 +0200, Wytze wrote:

        This contains the "ISC-compatible" version of  the patch for getting a
        recursive/non-recursive request logged. ISC decided there should be a space
        between the type and the recursion indicator in the logfile, so be it.

       If you want to have your BIND 9.2.1 to log in the ISC-compatible 9.3 style, apply this
       patch to your BIND sources:

        --- bin/named/query.c.org       Thu Mar 28 06:10:09 2002
        +++ bin/named/query.c   Wed Jul 17 08:14:41 2002
        @@ -3279,7 +3279,8 @@
                dns_rdatatype_format(rdataset->type, typename, sizeof(typename));

                ns_client_log(client, NS_LOGCATEGORY_QUERIES, NS_LOGMODULE_QUERY,
        -                     level, "query: %s %s %s", namebuf, classname, typename);
        +                     level, "query: %s %s %s %s", namebuf, classname, typename,
        +                     WANTRECURSION(client) ? "+" : "-");
         }

         void

       .  This script understands both Wytze-style and ISC-style recursiveness indication.

THANKS

       Wytze van der Raay, for supplying the BIND 9 query log patch.

SEE ALSO

       bind8_query2dlf(1), The bind9 online documentation, as distributed with BIND (but
       unfortunately not online at http://isc.org/ , you might like
       http://doc.mdcc.cx/doc/bind/html/logging.html though)

VERSION

       $Id: bind9_query2dlf.in,v 1.7 2006/07/23 13:16:33 vanbaal Exp $

COPYRIGHT

       Copyright (C) 2001 Joost Bekkers <joost@jodocus.org>, Copyright (C) 2000, 2001, 2002
       Stichting LogReport Foundation LogReport@LogReport.org

       This program is free software; you can redistribute it and/or modify it under the terms of
       the GNU General Public License as published by the Free Software Foundation; either
       version 2 of the License, or (at your option) any later version.

       This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY;
       without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
       See the GNU General Public License for more details.

       You should have received a copy of the GNU General Public License along with this program
       (see COPYING); if not, check with http://www.gnu.org/copyleft/gpl.html.

AUTHOR

       Joost Bekkers <joost@jodocus.org>, based on Edwin Groothuis and Joost van Baal's work, now
       maintained by the LogReport team.