Skip to content

cstrotm/logeater

master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
1 branch 0 tags
Code
This branch is 4 commits ahead of menandmice-services:master.

Latest commit

 

Git stats

Files

Permalink
Failed to load latest commit information.
Type
Name
Latest commit message
Commit time
LICENSE
Initial commit
January 10, 2017 09:51
README.md
Webinar
February 3, 2017 11:32
logeater-dnssec.go
Filter lines with text "validating"
February 17, 2021 16:11
logeater-queries.go
logeater queries 1st version
January 31, 2017 16:32
logeater-resolvers.go
Formatting, filter lines for "resolving"
February 17, 2021 16:08
logeater-update.go
Initial Version of logeater-update
February 17, 2021 16:19
logeater Example use of logeater-queries: Compiling from source BIND 9 versions Binary download More Information

README.md

logeater

Log-Aggregation Tools for BIND 9 logs

Example use of logeater-queries:

Statistics:

cat query.n | ./logeater-queries -s | column -t -s ":"
Query-Statistics
21385              total queries ( 100 % )
20471              iterative queries ( 95 % )
914                recursive queries ( 4  % )
863                queries over TCP ( 4  % )
16987              queries with EDNS support ( 79  % )
15197              queries indicate DNSSEC support ( 71  % )
8804               queries with DNSSEC validation disabled (CD-flag) ( 41  % )
1571               queries TSIG signed ( 7  % )

Example - printing network classes and query types of queries:

$ cat query.log | ./logeater-queries -c -t | column -t
Query-Network-Classes
21379                  :  IN
6                      :  CH

Query-Network-Types
8514                   :  A
4060                   :  AAAA
3079                   :  SOA
2372                   :  DNSKEY
927                    :  PTR
658                    :  MX
543                    :  NS
312                    :  DS
286                    :  TXT
186                    :  NSEC
129                    :  ANY
115                    :  CNAME

Example - printing the top ten query IP addresses with reverse name resolution (can be slow):

$ cat query.log | ./logeater-queries -i | head | column -t

Query-IP-Addresses
1571                :  212.114.206.217                   [muc.example.de.]
821                 :  2620:74:13:4400::41               [dnsviz-db.verisignlabs.com.]
794                 :  72.13.58.112                      [dnsviz-db.verisignlabs.com.]
704                 :  54.234.42.241                     [241.compute-1.amazonaws.com.]
682                 :  2001:19f0:5001:df:76d7:5703:ba0a:e220  []
565                 :  185.92.221.212                    [185.92.221.212.vultr.com.]
467                 :  185.22.143.29                     [b9168f1d.cgn.dg-w.de.]
314                 :  91.51.184.46                      [3b82e.dip0.t-ipconnect.de.]

logeater-dnssec analyses the a log file with messages from the "DNSSEC" category and groups the error messages :

$ cat dnssec.log | ./logeater-dnssec | head
8727 : 0C9F6LGOE6NADAS8KG1CLIK9UO9G7EIG.ad/NSEC3: no valid signature found
6953 : ad/SOA: no valid signature found
3976 : sat-tv.com/A: got insecure response; parent indicates it should be secure
1730 : mozilla.com/SOA: no valid signature found
1586 : stream.bestvideostreaming.is/A: no valid signature found
1577 : 8FC1DQ3C2Q3ERFD4UO40ENDBTSFME5JO5.ad/NSEC3: no valid signature found
1576 : sat-tv.com/SOA: got insecure response; parent indicates it should be secure
1576 : cdws.eu-west-1.amazonaws.com.Cisco/AAAA: bad cache hit (amazonaws.com.Cisco/DS)
1483 : 0c9f6lgoe6n13ad9iu1clik9uo9g7eig.ad/NSEC3: no valid signature found
968 : cbr.de/NSEC: no valid signature found

logeater-resolver analyses the a log file with messages from the "resolver" category and groups the error messages:

$ cat resolvers.log | ./logeater-resolvers | head
42908 : s-cnc1.qq.com/AAAA: Name qq.com (SOA) not subdomain of zone ns-cnc1.qq.com -- invalid response
42713 : s-tel1.qq.com/AAAA: Name qq.com (SOA) not subdomain of zone ns-tel1.qq.com -- invalid response
42484 : s-os1.qq.com/AAAA: Name qq.com (SOA) not subdomain of zone ns-os1.qq.com -- invalid response
42297 : s-cmn1.qq.com/AAAA: Name qq.com (SOA) not subdomain of zone ns-cmn1.qq.com -- invalid response
20346 : mails.sonymusicfans.com/DS: invalid response
10920 : tp1.glb.nist.gov/DS: invalid response
9693 : media.netd.com.tr/AAAA for client 192.0.2.165#3347: Name netd.com.tr (SOA) not subdomain of zone media.netd.com.tr -- invalid response
7932 : service.superc.net/AAAA for client 192.0.2.11#3073: Name superc.net (SOA) not subdomain of zone service.superc.net — invalid response
04597 : brickleonavon.com/NS for client 192.0.2.46#3073: Name . (SOA) not subdomain of zone brickleonavon.com -- invalid response
4474 : promo.mobile.de/AAAA for client 2001:db8:1800:88:78f9:ba4:45fe:d438#48296: Name mobile.de (SOA) not subdomain of zone promo.mobile.de -- invalid response

Compiling from source

Install git (https://git-scm.com/) and the go (https://golang.org) programming language. Both are available in the repositories of most Linux and BSD distributions.

Download the source

git clone https://github.com/menandmice-services/logeater.git

Compile the source

cd logeater
go build logeater-queries.go
go build logeater-resolvers.go
go build logeater-dnssec.go

BIND 9 versions

Tested with BIND 9.10 and BIND 9.11.

Binary download

Binary versions of the logeater tool can be found at http://packages.menandmice.com/logeater/

More Information

The logeater tools have been discussed in the "BIND 9 logging best practices" Webinar by Men & Mice:

https://www.menandmice.com/resources/educational-resources/webinars/bind-9-logging-best-practices/

About

Log-Aggregation Tools for BIND 9 logs

Resources

Readme

License

BSD-3-Clause license

Stars

10 stars

Watchers

1 watching

Forks

1 fork

Releases

No releases published

Packages

No packages published

Languages

  • Go 100.0%