.\" Process this file with
.\" groff -man -Tascii dnshistory.1
.\" $Id: dnshistory.1 68 2007-01-23 11:12:33Z steve $
.TH "DNSHISTORY" "1" "JANUARY 2007" "Linux" "User Commands"
.SH "NAME"
\fBdnshistory\fP \- process various log file formats, performing reverse DNS lookups of their IP addresses and storing the address/name pairs in a database for later retrieval.
.SH "SYNOPSIS"
.B dnshistory
[\fIOPTION\fP]... [\fI\-\-file=FILE\fP]
.SH "COPYRIGHT"
\fBdnshistory\fP is Copyright \(co 2004, 2005, 2006, 2007 Stephen McInerney
.SH "DESCRIPTION"
\fBdnshistory\fP currently processes Apache CLF and Combined logs, Squid access logs, FTP xferlog files and iptables based logs. The log format is auto-detected.
.PP
\fBdnshistory\fP has the following modes of operation:
.IP \(bu
Do Lookups. The default mode. Given a web log file, \fBdnshistory\fP will perform DNS reverse lookups on each unique IP address and store the results in a history database.
.IP \(bu
Do Translations. Given a raw web log file, \fBdnshistory\fP will make use of a previously created history database and send to \fISTDOUT\fP the same web log, but with addresses replaced by the Fully Qualified Domain Name as previously looked up.
.IP \(bu
Do Recombining. Given two web log files, one raw and one previously translated (eg. by using dnstran), create a history database from the values in these separate log files.
.IP \(bu
Do Dump. Dump a given history database to \fISTDOUT\fP.
.IP \(bu
Do Import. Import a previously dumped history database from a given file.
.IP \(bu
Show History. Given one or more IP addresses on the command line, show the history of those addresses.
.PP
The lookups make use of threads for maximum speed, and use the standard resolution libraries on a system. Thus hosts files, NIS, LDAP and other name resolution methods should work transparently.
.PP
It is \fBstrongly\fP recommended that for massive lookups a DNS server is "nearby", and preferably not a forwarding server.
.PP
\fBdnshistory\fP can read \fI.gz\fP files.
\fISTDIN\fP is assumed to \fBnot\fP be gz encoded.
.SH "OPTIONS"
.IP "\-L \-\-dolookups"
The default mode. Given a log file, either via \fISTDIN\fP or via '\-f', do the lookups and store the results.
.IP "\-T \-\-dotranslate"
Given a log file, either via \fISTDIN\fP or via '\-f', look up each IP address in the history database; replace the IP address with the FQDN and send the newly updated log line to \fISTDOUT\fP.
.IP "\-R \-\-dorecombine=FILE"
Given a previously translated file (eg. via dnstran) via this option for the names, do the lookups for a file given via \fISTDIN\fP or '\-f' and store the results. This file can be gz encoded.
.IP
The date/time of each stored entry is taken as being the actual time for the lookup stored in the recombine log file. This is probably incorrect, but "Good Enough".
.IP "\-D \-\-dodump"
Dump the history database to \fISTDOUT\fP.
.IP "\-I \-\-doimport=FILE"
Given a previously dumped database, import that into a new database. Will fail and exit if the chosen database already exists.
.IP "\-S \-\-showhistory"
Given one or more IP addresses, show their history. Addresses are the last item(s) on the command line. Addresses with no as yet discovered FQDN will display 'NONAME'. The date/time displayed is formatted as YYYY-MM-DD:hh:mm:ss, vs the 'seconds since epoch' used by "\-\-dodump".
.IP "\-\-logtype=LOGTYPE"
By default \fBdnshistory\fP will attempt to autodetect what type of logfile is being processed. By using this option, the autodetection is overridden. The choices are: auto, clf or www, squid, ftp or iptables.
.IP "\-c \-\-cache=SIZE"
Set the size of the memory cache to use. Value is in Mb. Default is 20Mb.
.IP "\-d \-\-database=FILE"
Change the default database file used to store stateful data.
.IP "\-f \-\-file=FILE"
Log file to process. This file can be gz encoded.
.br
Will use \fISTDIN\fP if not set.
.IP "\-h \-\-help"
Help screen. Very brief.
.IP "\-l \-\-maxlookups=NUMBER"
The maximum number of lookups to attempt.
The default is 1. This has not been shown to be at all useful in testing.
.IP "\-m \-\-maxthreads=NUMBER"
How many name lookup threads to spawn off. The default is 100. Setting this too high can do evil things to bandwidth and to the CPU usage of any queried DNS server(s). If doing lots of DNS queries, setting this too high can have a very negative impact on the ability to successfully resolve anything.
.IP "\-t \-\-timeout=VALUE"
The time in seconds before a stored DNS value is deemed "old". The default is 7 days.
.IP "\-v \-\-verbose"
Verbosity of a run. More v's will increase the level of verbosity, up to a maximum of 5. All of the higher levels are only of value for debugging purposes.
.IP "\-V \-\-version"
Display the version information and exit.
.IP "\-w \-\-wait"
Delay time, in seconds, between query retries within a single run.
.SH "RESULTS"
At verbose level 1 (\-v) some success/failure counters are displayed, and any problematic log lines are sent to STDERR.
.br
At verbose level 2 (\-vv) lines that may not match up (eg. due to dnstran modifying referrers or URLs) are sent to STDERR.
.br
Verbose levels above 2 are only of use in debugging.
.SH "EXAMPLES"
A typical run, using a database in /tmp/ (/tmp/c.db), and a log file in the current directory (test.log). First, do the lookups:
.PP
.ti +4
dnshistory \-d /tmp/c.db \-f test.log
.PP
Then the translation run for input into, for example, a web log analyser:
.PP
.ti +4
dnshistory \-T \-d /tmp/c.db \-f test.log | webalizer ...
.PP
Do three attempts on failed queries, with a 2 second delay between retries:
.PP
.ti +4
dnshistory \-l 3 \-w 2 \-d /tmp/c.db \-f test.log
.PP
Look up and display the history of three IP addresses: 127.0.0.1, 192.168.1.254, 10.10.10.10
.PP
.ti +4
dnshistory \-S \-d /tmp/c.db 127.0.0.1 192.168.1.254 10.10.10.10
.PP
Import a previously dumped database from dnsdb.dump:
.PP
.ti +4
dnshistory \-I dnsdb.dump \-d /tmp/d.db
.SH "FILES"
.I /var/lib/dnshistory/dnshistory.db
.br
.ti +4
The default history database file.
.SH "BUGS"
.IP \(bu
Ignores IP addresses located in the URL and Referrer fields.
.SH "AUTHOR"
Stephen McInerney
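.PP
Added example, not part of this man page nor of dnshistory's own code: a Python sketch of the per-format client-address extraction that the auto-detection, "Do Lookups" and "Do Translations" modes described above imply, run over constructed sample lines for each of the four log families. The HISTORY dict stands in for the history database; every address and host name in it is constructed. It also shows why the BUGS entry holds: only the client-address field is matched, so addresses inside URL or Referrer fields are left alone.

```python
import re

IP = r'(\d{1,3}(?:\.\d{1,3}){3})'
# Detection order matters: each pattern is anchored on its format's field layout
# and captures only the client-address field, so addresses that appear inside
# URL, Referrer or peer fields are never touched.
LOGTYPES = [
    ("squid",    re.compile(r'^\d+\.\d{3}\s+\d+\s+' + IP + r'\s')),
    ("www",      re.compile(r'^' + IP + r' \S+ \S+ \[')),
    ("ftp",      re.compile(r'^\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4} \d+ ' + IP + r' ')),
    ("iptables", re.compile(r'\bSRC=' + IP + r'\b')),
]

# Constructed sample lines: CLF, Combined (with an IP in the Referrer), Squid, xferlog, iptables.
SAMPLE_LOG = [
    '10.10.10.10 - - [23/Jan/2007:11:12:33 +0000] "GET /index.html HTTP/1.0" 200 2326',
    '10.10.10.10 - - [23/Jan/2007:11:12:34 +0000] "GET /a.gif HTTP/1.1" 304 0 "http://1.2.3.4/" "Mozilla"',
    '1169550753.049   5006 192.168.1.254 TCP_MISS/200 19763 GET http://example.test/ - DIRECT/198.51.100.7 text/html',
    'Tue Jan 23 11:12:33 2007 2 127.0.0.1 1024 /pub/file.txt b _ o a user@ ftp 0 * c',
    'Jan 23 11:12:33 gw kernel: IN=eth0 OUT= SRC=192.0.2.9 DST=192.168.1.254 LEN=60 PROTO=TCP SPT=4433 DPT=22',
]

# Constructed stand-in for the history database after a lookup run (address -> FQDN).
HISTORY = {"10.10.10.10": "client.example.test", "192.168.1.254": "gw.example.test"}

def detect(line):
    """Return (logtype, ip, (start, end)) for the client-address field, or None."""
    for logtype, pat in LOGTYPES:
        m = pat.search(line)
        if m:
            return logtype, m.group(1), m.span(1)
    return None

def unique_addresses(lines):
    """The set a 'Do Lookups' run would resolve: one reverse lookup per unique address."""
    return {d[1] for d in map(detect, lines) if d}

def translate(line, history):
    """'Do Translations': swap the client address for its stored FQDN; unknown ones stay."""
    d = detect(line)
    if d is None:
        return line
    _, ip, (start, end) = d
    name = history.get(ip)
    if not name:
        return line
    return line[:start] + name + line[end:]
```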