doc/man1/djbdns-logparse.1: finish the tinydns transformation docs.

[djbdns-logparse.git] / doc / man1 / djbdns-logparse.1

.TH djbdns-logparse 1

.SH NAME
djbdns-logparse \- make tinydns and dnscache logs human-readable
.SH SYNOPSIS
.SY djbdns-logparse
.OP LOGFILE ...
.YS

.SY djbdns-logparse
.B \-h
.SY djbdns-logparse
.B \-\-help
.YS

.SH INPUT
.P
Each \fILOGFILE\fR should be a tinydns or dnscache log file; if none
are given, the program will read from stdin.
.SH DESCRIPTION
.P
Both tinydns and dnscache (two daemons in the djbdns suite) keep logs
of their activity, but only in an undocumented machine-oriented
format. The goal of djbdns-logparse is to parse those logs and make
them human-readable with a minimal amount of interference.
.SH EXAMPLES
.P
Reading the current dnscache log from stdin:

.EX
.I $ djbdns-logparse < /var/dnscache/log/main/current
2022-09-19 10:47:12.953666500 starting
2022-09-19 10:47:33.084125500 query #1 127.0.0.1:44339 (id 9929) a www.example.com.
2022-09-19 10:47:33.084128500 tx g=0 a www.example.com. . 192.168.1.1
2022-09-19 10:47:33.099298500 rr 192.168.1.1 TTL=40285 a www.example.com. 93.184.216.34
2022-09-19 10:47:33.099300500 stats count=1 motion=43 udp-active=1 tcp-active=0
2022-09-19 10:47:33.099377500 sent #1 49
2022-09-19 10:47:37.913287500 query #2 127.0.0.1:47516 (id 14409) txt www.example.com.
2022-09-19 10:47:37.913380500 tx g=0 txt www.example.com. . 192.168.1.1
2022-09-19 10:47:37.931252500 rr 192.168.1.1 TTL=86400 txt www.example.com. 11:"v=spf1 -all"
2022-09-19 10:47:37.931255500 rr 192.168.1.1 TTL=86400 txt www.example.com. 32:"wgyf8z8cgvm2qmxpnbnldrcltvk4xqf..."
2022-09-19 10:47:37.931297500 stats count=2 motion=131 udp-active=1 tcp-active=0
2022-09-19 10:47:37.931332500 sent #2 102
.EE
.SH OPTIONS

.TP
.B \-\-help, \-h
Display detailed program usage.
.SH TRANSFORMATIONS

A number of transformations are applied to the raw logs. Some are
specific to tinydns, others are specific to dnscache, and some apply
to both. In explaining these, we borrow terminology from the following:

.IP \(bu 2
.UR https://www.dqd.com/~mayoff/notes/djbdns/tinydns-log.html
Rob Mayoff's notes on the tinydns log file format
.UE
.IP \(bu
.UR https://www.dqd.com/~mayoff/notes/djbdns/dnscache-log.html
Rob Mayoff's notes on the dnscache log file format
.UE

.P
The following transformations are common to  both daemons' logs:
.IP \(bu 2
The leading timestamps are piped through the
\fBtai64nlocal\fR program.
.IP \(bu
IPv4 addresses are converted from hexadecimal strings to decimal
dotted-quads; for example \(dq7f000001\(dq becomes \(dq127.0.0.1\(dq.
IPv6 addresses simply have colons interspersed, so that
\(dq00000000000000000000ffff7f000001\(dq would become
\(dq0000:0000:0000:0000:0000:ffff:7f00:0001\(dq.
.IP \(bu
Port numbers are converted from hexedecimal to decimal.
.IP \(bu
The query type id is converted to the corresponding RFC-defined type
name, as in https://en.wikipedia.org/wiki/List_of_DNS_record_types.
While dnscache logs the id in decimal, tinydns records it in
hexadecimal (for example, \(dq001c\(dq) necessitating a hex->decimal
conversion before we can look up its name.

.P
The following transformations are specific to tinydns:
.IP \(bu 2
If a query was dropped, the symbol (\-, I, C, /) indicating the reason
is converted to English and wrapped in parentheses:
.RS
.TP
.B \-
(no authority)
.TP
.B I
(invalid query)
.TP
.B C
(invalid class)
.TP
.B /
(couldn't parse)
.RE
.IP \(bu
The request id (which was chosen by the client and sent with its
request) is split off the end of the \(dqip:port:id\(dq triplet and is
placed in parentheses with the word \(dqid\(dq, like \(dq(id
8675309)\(dq.


.SH BUGS

Send bugs to
.MT michael@orlitzky.com
Michael Orlitzky
.ME