nanog mailing list archives
Re: bind verbose logging
From: Mike Hale <eyeronic.design () gmail com>
Date: Thu, 9 May 2013 20:27:33 -0700
I'll send over some info tomorrow. Shoot me a reminder if you don't get it by the later afternoon.

I wouldn't really call it a schema...it's just a simple field extraction bash script that then generates the sql inserts. Like I said...quick and dirty.

After coding it from scratch, I'm starting to like the idea of using Splunk as a front-end to analyze the logs. You may want to look at using that rather than coding one by hand. The free version can index 500 megs a day...which is a *lot* of queries.

On Thu, May 9, 2013 at 8:14 PM, shawn wilson <ag4ve.us () gmail com> wrote:

Thanks, that's what I'm looking for. Mike, sure I wouldn't mind schema ideas.

On Thu, May 9, 2013 at 10:56 PM, staticsafe <me () staticsafe ca> wrote:

On 5/9/2013 22:52, shawn wilson wrote:

In this log line, what is -EDC? I've also noticed +, -, -E, and -ED but I have no idea what they are (called/represent).

08-May-2013 08:04:49.751 client 1.2.3.4#48747 (ns2.example.com): query: ns2.example.com IN AAAA -EDC (1.2.3.4)

Also, I'm writing a parser and we're only logging 'queries' but if someone has examples / schemas for the other categories, I'd like to integrate that.

http://www.zytrax.com/books/dns/ch7/logging.html

"+EDC on a query indicates that it is:
- Recursive (+) - it has come from a client or a server that is forwarding queries to your server
- The sender is using EDNS0 (using larger UDP packet sizes and signalling the size that can be accepted)
- The sender understands DNSSEC (D) - this is a request to your server to include any DNSSEC material associated with answer in the query reply.
- DNSSEC validation checking is disabled (C) - the sender wants the answer anyway, even if the validation checks fail."

Source - https://kb.isc.org/article/AA-00434/0/What-do-EDC-and-other-letters-I-see-in-my-query-log-mean.html

Also see https://www.isc.org/software/bind/documentation for further documentation.

--
staticsafe
O< ascii ribbon campaign - stop html mail - www.asciiribbon.org
Please don't top post - http://goo.gl/YrmAb
Don't CC me! I'm subscribed to whatever list I just posted on.
-- 09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
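
The field extraction discussed in this thread, as an added example that is not part of any poster's message or script: a Python parser for the query-log line quoted above that decodes the flag field into booleans. The function and field names are hypothetical; the `S` (signed) and `T` (TCP) letters are not mentioned in the thread and are taken from the BIND documentation.

```python
import re
from datetime import datetime

# Layout of the "queries" category line quoted in the thread (BIND 9, 2013).
# The "view <name>:" part only appears when views are configured.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?P<client_ip>\S+)#(?P<client_port>\d+)"
    r"(?: \((?P<orig_name>[^)]*)\))?: "
    r"(?:view (?P<view>\S+): )?"
    r"query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>[+-][A-Z]*)"
    r"(?: \((?P<server_ip>[^)]+)\))?\s*$"
)

# Letter -> column name. E, D and C are explained in the thread;
# S and T come from the BIND documentation.
FLAG_NAMES = {
    "E": "edns",
    "D": "dnssec_ok",
    "C": "checking_disabled",
    "S": "signed",
    "T": "tcp",
}

def parse_query_line(line):
    """Return a dict of fields, or None if the line is not in this layout."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None  # caller should count these rather than drop them silently
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d-%b-%Y %H:%M:%S.%f")
    rec["client_port"] = int(rec["client_port"])
    flags = rec.pop("flags")
    rec["recursion_desired"] = flags[0] == "+"   # '+' recursive, '-' not
    for letter, name in FLAG_NAMES.items():
        rec[name] = letter in flags[1:]
    # Letters this table does not know are kept so nothing is lost on insert.
    rec["unknown_flags"] = "".join(c for c in flags[1:] if c not in FLAG_NAMES)
    return rec

# The log line from the thread, reproduced as sample input.
SAMPLE = ("08-May-2013 08:04:49.751 client 1.2.3.4#48747 (ns2.example.com): "
          "query: ns2.example.com IN AAAA -EDC (1.2.3.4)")

if __name__ == "__main__":
    for key, value in parse_query_line(SAMPLE).items():
        print(f"{key:18} {value}")
```

Lines that do not match return `None`, so a change in log layout after a BIND upgrade shows up as a rising count of unparsed lines instead of wrong rows in the database.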