bind-query-log-statistics

Bind 9.11 Log Format

Open mdrisser opened this issue 7 years ago • 3 comments

After a recent upgrade of my systems to Ubuntu 18.04 which provides Bind 9.11.3 I found that your script wouldn't parse the log files. I fixed the issue by adding the following to process_query at line 179:

"""
# Bind 9.11
04-Jun-2018 14:48:15.540 queries: info: client @0x7fda1d74e7d0 \
192.168.1.6#60844 (prefetch.net): query: prefetch.net IN A +E(0)D \
(192.168.1.250)
"""
    elif len(chopped) == 10:
        timestamp = chopped[0] + " " + chopped[1]
        """ Had to change the item reference in chopped[] below because they added a memory location
             in the middle of everything, instead of putting it at the end
        """
        client_ip = chopped[3].split("#")[0]
        """ That also shifted the rr_type over
        """
        rr_type = chopped[7]
        dns_question = chopped[4]

I hope this helps.

mdrisser, Jun 05 '18 21:06

Is this the entry that is showing up in your logs?:

04-Jun-2018 14:48:15.540 queries: info: client @0x7fda1d74e7d0
192.168.1.6#60844 (prefetch.net): query: prefetch.net IN A +E(0)D
(192.168.1.250)

Want to triple check before committing the change.

Matty9191, Jun 06 '18 02:06

Yes it is. I followed the examples you have in your comments. Copied and pasted from my logs, just changed the domain name.

mdrisser, Jun 06 '18 02:06

I ran into the same problem and can confirm the provided fix. Here's the diff without the comments (oddly, it needs to be added at line 174, not 179):

173a174,179
>     elif len(chopped) == 10:
>         timestamp = chopped[0] + " " + chopped[1]
>         client_ip = chopped[3].split("#")[0]
>         rr_type = chopped[7]
>         dns_question = chopped[4]
>
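Review bot: the new branch is selected by `len(chopped) == 10` alone, so any line that happens to split into ten fields is read with the 9.11 offsets (3, 7 and 4), whether or not it is a 9.11 query line. Consider also checking that the field just before the client address is the `@0x...` value described in the original post, and that `chopped[3]` actually contains `#` before splitting on it. With the comments stripped, nothing in the hunk explains why these indexes are shifted; a one-line comment carrying the sample 9.11 log line would document that.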

callesoe, Feb 09 '21 13:02
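An added example, not code from the repository or from anyone in this thread: rather than branching on the number of fields, it matches query lines by their named parts, so the `@0x...` address added in Bind 9.11 is simply optional. It assumes older lines are identical apart from that field; `parse_query_line`, `summarize` and all sample lines other than the one quoted in the thread are constructed for illustration.

```python
import re
from collections import Counter

# Field-anchored pattern for Bind query log lines. The "@0x..." group is the
# memory address Bind 9.11 inserted after "client"; it is optional so that
# older lines (assumed identical apart from that field) still match.
QUERY_RE = re.compile(
    r"^(?P<timestamp>\S+ \S+) "
    r"(?:\S+: )*"                      # category/severity, e.g. "queries: info: "
    r"client (?:@0x[0-9a-fA-F]+ )?"
    r"(?P<client_ip>[^#\s]+)#\d+ "
    r"\(\S+\): query: "
    r"(?P<dns_question>\S+) (?P<rr_class>\S+) (?P<rr_type>\S+) "
    r"(?P<flags>\S+) \((?P<server_ip>[^)\s]+)\)$"
)


def parse_query_line(line):
    """Return a dict of named fields, or None if the line is not a query entry."""
    match = QUERY_RE.match(line.strip())
    return match.groupdict() if match else None


def summarize(lines):
    """Count queries per client and per (question, type); count skipped lines."""
    clients, questions, skipped = Counter(), Counter(), 0
    for line in lines:
        fields = parse_query_line(line)
        if fields is None:
            skipped += 1
            continue
        clients[fields["client_ip"]] += 1
        questions[(fields["dns_question"], fields["rr_type"])] += 1
    return clients, questions, skipped


# Constructed sample input: the 9.11 line from this thread, an older-style line
# without the address, an IPv6 client, and a non-query line.
SAMPLE_LINES = [
    "04-Jun-2018 14:48:15.540 queries: info: client @0x7fda1d74e7d0 192.168.1.6#60844 (prefetch.net): query: prefetch.net IN A +E(0)D (192.168.1.250)",
    "04-Jun-2018 14:48:16.101 queries: info: client 192.168.1.6#60845 (prefetch.net): query: prefetch.net IN AAAA +E(0)D (192.168.1.250)",
    "04-Jun-2018 14:48:17.002 queries: info: client @0x7fda1d74e7d0 2001:db8::6#51515 (example.org): query: example.org IN MX + (2001:db8::250)",
    "04-Jun-2018 14:48:18.000 general: info: zone example.org/IN: loaded serial 2018060401",
]

if __name__ == "__main__":
    clients, questions, skipped = summarize(SAMPLE_LINES)
    print(clients.most_common(), questions.most_common(), skipped)
```

Counting the lines that fail to match, instead of silently dropping them, is what surfaces a format change like this one the next time Bind is upgraded.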