X-Git-Url: https://gitweb.michael.orlitzky.com/?a=blobdiff_plain;f=doc%2Fman1%2Fdjbdns-logparse.1;h=fc546e9935f9f739de17b39b798ddd73dd903269;hb=HEAD;hp=5519032f3754d7f8297b981cc489891a721d2674;hpb=b92f64a49cd6ae8ba2210df02810ede43eb370fe;p=djbdns-logparse.git diff --git a/doc/man1/djbdns-logparse.1 b/doc/man1/djbdns-logparse.1 index 5519032..fc546e9 100644 --- a/doc/man1/djbdns-logparse.1 +++ b/doc/man1/djbdns-logparse.1 @@ -19,13 +19,13 @@ Each \fILOGFILE\fR should be a tinydns or dnscache log file; if none are given, the program will read from stdin. .SH DESCRIPTION .P -Both tinydns and dnscache (two daemons in the djbdns suite) keep logs -of their activity, but only in an undocumented machine-oriented +Tinydns and dnscache are two daemons in the djbdns suite. Both keep +logs of their activity, but only in an undocumented machine-oriented format. The goal of djbdns-logparse is to parse those logs and make them human-readable with a minimal amount of interference. .SH EXAMPLES .P -Reading the current dnscache log from stdin: +Read the current dnscache log from stdin: .EX .I $ djbdns-logparse < /var/dnscache/log/main/current @@ -42,6 +42,23 @@ Reading the current dnscache log from stdin: 2022-09-19 10:47:37.931297500 stats count=2 motion=131 udp-active=1 tcp-active=0 2022-09-19 10:47:37.931332500 sent #2 102 .EE + +Read all archived tinydns logs by filename: + +.EX +.I $ djbdns-logparse /var/tinydns/log/main/*.s | head -n 10 +2022-09-14 19:26:41.300364500 sent response to 192.168.0.46:53969 (id 35830): aaaa ipv6.example.com +2022-09-14 19:26:41.487751500 sent response to 192.168.1.71:20039 (id 1659): a example.net +2022-09-14 19:26:41.508978500 sent response to 192.168.1.71:48252 (id 21909): aaaa example.net +2022-09-14 19:26:41.627669500 sent response to 192.168.0.139:30527 (id 43254): a dns3.example.com +2022-09-14 19:26:41.668888500 sent response to 192.168.0.139:64880 (id 33302): a dns.example.com +2022-09-14 19:26:41.882769500 sent response to 10.0.1.194:51020 (id 5411): aaaa example.org +2022-09-14 19:26:42.135118500 dropped query (no authority) from 10.10.10.48:53220 (id 41583): a www.invalid +2022-09-14 19:26:42.254312500 sent response to 172.17.29.1:3079 (id 54381): aaaa mail2.example.com +2022-09-14 19:26:42.268802500 sent response to 172.17.30.135:38498 (id 57389): a dns2.example.com +2022-09-14 19:26:42.686389500 dropped query (no authority) from 172.20.0.57:20491 (id 43936): any localhost +.EE + .SH OPTIONS .TP @@ -66,7 +83,7 @@ Rob Mayoff's notes on the dnscache log file format The following transformations are common to both daemons' logs: .IP \(bu 2 The leading timestamps are piped through the -\fBtai64nlocal\fR program. +\fBtai64nlocal\fR program from DJB's daemontools. .IP \(bu IPv4 addresses are converted from hexadecimal strings to decimal dotted-quads; for example \(dq7f000001\(dq becomes \(dq127.0.0.1\(dq. @@ -107,6 +124,37 @@ request) is split off the end of the \(dqip:port:id\(dq triplet and is placed in parentheses with the word \(dqid\(dq, like \(dq(id 8675309)\(dq. +.P +The following transformations are specific to dnscache: +.IP \(bu 2 +In \(dqquery\(dq entries, the third component of the +clientip:clientport:id triplet is a decimal packet identifier chosen +and sent by the client. We separate it from the client ip:port, and +put it in parentheses, like \(dq(id 8675309)\(dq. +.IP \(bu +We prefix each decimal TTL with \(dqTTL=\(dq so that you know what +the magic number stands for. +.IP \(bu +All serial numbers are prefixed with a hash sign. This is the only +field that we do this to, so if you see a number with a \(dq#\(dq in +front of it, that's a serial number. +.IP \(bu +In a \(dqstats\(dq entry, the four decimal statistics are prefixed +with what they represent. Specifically, the prefixes are +\(dqcount=\(dq, \(dqmotion=\(dq, \(dqudp-active=\(dq, and +\(dqtcp-active=\(dq. You may want to read +.UR http://cr.yp.to/djbdns/cachesize.html +DJB's explanation of the \(dqmotion\(dq field +.UE +. +.IP \(bu +The hex data logged from a TXT query response is decoded to ASCII. +.IP \(bu +The decimal \(dqgluelessness\(dq field is prefixed by \(dqg=\(dq. +You may want to read +.UR http://cr.yp.to/djbdns/notes.html#gluelessness +DJB's explanation of gluelessness. +.UE .SH BUGS