.TH djbdns-logparse 1
.SH NAME
-djbdns-logparse \- Convert tinydns and dnscache logs to human-readable form
+djbdns-logparse \- make tinydns and dnscache logs human-readable
.SH SYNOPSIS
+.SY djbdns-logparse
+.OP LOGFILE ...
+.YS
+
+.SY djbdns-logparse
+.B \-h
+.SY djbdns-logparse
+.B \-\-help
+.YS
-\fBdjbdns-logparse\fR [\fBLOGFILE\fR [\fBLOGFILE\fR...]]
.SH INPUT
.P
Each \fILOGFILE\fR should be a tinydns or dnscache log file; if none
.P
Reading the current dnscache log from stdin:
-.nf
+.EX
.I $ djbdns-logparse < /var/dnscache/log/main/current
2022-09-19 10:47:12.953666500 starting
2022-09-19 10:47:33.084125500 query #1 127.0.0.1:44339 (id 9929) a www.example.com.
2022-09-19 10:47:37.931255500 rr 192.168.1.1 TTL=86400 txt www.example.com. 32:"wgyf8z8cgvm2qmxpnbnldrcltvk4xqf..."
2022-09-19 10:47:37.931297500 stats count=2 motion=131 udp-active=1 tcp-active=0
2022-09-19 10:47:37.931332500 sent #2 102
-.fi
+.EE
.SH OPTIONS
-.IP \fB\-\-help\fR,\ \fB\-h\fR
+.TP
+.B \-\-help, \-h
Display detailed program usage.
.SH TRANSFORMATIONS
+A number of transformations are applied to the raw logs. Some are
+specific to tinydns, others are specific to dnscache, and some apply
+to both. In explaining these, we borrow terminology from the following:
+
+.IP \(bu 2
+.UR https://www.dqd.com/~mayoff/notes/djbdns/tinydns-log.html
+Rob Mayoff's notes on the tinydns log file format
+.UE
+.IP \(bu
+.UR https://www.dqd.com/~mayoff/notes/djbdns/dnscache-log.html
+Rob Mayoff's notes on the dnscache log file format
+.UE
+
+.P
The following transformations are common to both daemons' logs:
.IP \(bu 2
The leading timestamps are piped through the
\(dq0000:0000:0000:0000:0000:ffff:7f00:0001\(dq.
.IP \(bu
Port numbers are converted from hexedecimal to decimal.
+.IP \(bu
+The query type id is converted to the corresponding RFC-defined type
+name, as in https://en.wikipedia.org/wiki/List_of_DNS_record_types.
+While dnscache logs the id in decimal, tinydns records it in
+hexadecimal (for example, \(dq001c\(dq) necessitating a hex->decimal
+conversion before we can look up its name.
+
.P
The following transformations are specific to tinydns:
.IP \(bu 2
-The hexadecimal query type id (for example, \(dq001c\(dq) is converted
-first to decimal, and then to the corresponding RFC-defined type name,
-as in https://en.wikipedia.org/wiki/List_of_DNS_record_types
+If a query was dropped, the symbol (\-, I, C, /) indicating the reason
+is converted to English and wrapped in parentheses:
+.RS
+.TP
+.B \-
+(no authority)
+.TP
+.B I
+(invalid query)
+.TP
+.B C
+(invalid class)
+.TP
+.B /
+(couldn't parse)
+.RE
+.IP \(bu
+The request id (which was chosen by the client and sent with its
+request) is split off the end of the \(dqip:port:id\(dq triplet and is
+placed in parentheses with the word \(dqid\(dq, like \(dq(id
+8675309)\(dq.
.SH BUGS
-Send bugs to michael@orlitzky.com.
+Send bugs to
+.MT michael@orlitzky.com
+Michael Orlitzky
+.ME
projects / djbdns-logparse.git / blobdiff