Patch - tinydns support

Christopher Boumenot boumenot at divebomb.org
Mon Mar 10 01:04:49 CET 2003


Greetings,

I have attached a patch that adds support to Lire for tinydns.  It
should apply cleanly to the latest version (1.2.1).  

There is a slight difference between tinydns and Bind in that tinydns is
an authoritative name server only, and dnscache (another component I
haven't yet added support for) is the recursive resolver, whereas Bind
combines them into a single binary.  Tinydns will only answer requests
for which it is authoritative, so the reporting behavior is
different/incorrect.

All requests for which tinydns is authoritative are considered
nonrecursive requests; all others are considered recursive.  

I noticed that qmail uses a different tool besides cat to read log
files, it appears that tai64nfrac is used to convert the TAI timestamps
to human readable form.  Instead, I am using cat and in the script I use
tai64nlocal to convert the timestamps.  I choose to use tai64nlocal
because it is installed as part of the distribution when installing
tinydns.

The code was verified using Perl 5.8.0, but no part of the code should
use any features above 5.0053.

Hopefully this is useful to someone else besides me, and any critism is
welcome.  


Regards,
Christopher Boumenot
-------------- next part --------------
diff -u -r ./all/script/lr_config.in ../lire-1.2.1-devel/all/script/lr_config.in
--- ./all/script/lr_config.in	Sat Nov 23 12:20:38 2002
+++ ../lire-1.2.1-devel/all/script/lr_config.in	Sat Mar  8 12:22:30 2003
@@ -120,7 +120,7 @@
 superservices="database dialup dns dnszone email firewall ftp msgstore print proxy spamfilter syslog www"
 services_database="mysql pgsql"
 services_dialup="isdnlog"
-services_dns="bind8_query bind9_query"
+services_dns="bind8_query bind9_query tinydns_query"
 services_dnszone="bind8_named"
 services_email="argomail exim postfix qmail sendmail nms"
 services_msgstore="dbmail nmsmmp nmsstore"
@@ -140,6 +140,7 @@
 
 log_default_dns_bind8_query_1="/var/log/named_querylog.0"
 log_default_dns_bind9_query_1="/var/log/named_querylog.0"
+log_default_dns_tinydns_query_1="/var/tinydns/log/main/current"
 
 log_default_dnszone_bind8_named_1="/var/log/named.log.0"
 
@@ -177,6 +178,9 @@
 
 filter_default_dns_bind8_query="cat"
 filter_default_dns_bind9_query="cat"
+# We could use tai64nfrac, but that would require the user
+# to have a package outside of the normal tinydns distribution
+filter_default_dns_tinydns_query="cat"
 
 filter_default_dnszone_bind8_named="cat"
 
diff -u -r ./configure.in ../lire-1.2.1-devel/configure.in
--- ./configure.in	Fri Nov 29 14:41:58 2002
+++ ../lire-1.2.1-devel/configure.in	Sun Mar  9 17:38:07 2003
@@ -178,6 +178,10 @@
 
 AC_PATH_PROG(PATHTOZIP, zip, no)
 
+dnl to decode djb's log files requires tai64nlocal
+AC_PATH_PROG(PATHTOTAI64NLOCAL, tai64nlocal, no)
+
+
 dnl ploticus is /usr/local/bin/pl on FreeBSD (and other BSD's too, probably)
 AC_PATH_PROGS(PATHTOPLOTICUS, ploticus pl, no)
 DEFAULT_IMAGE_STYLE=gd
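Review bot: The path found by `AC_PATH_PROG(PATHTOTAI64NLOCAL, tai64nlocal, no)` is never consumed, because the new dns/script/tinydns_query2dlf.in in this same patch hard-codes `my $tai64nlocal = '/usr/local/bin/tai64nlocal';`. AC_PATH_PROG substitutes the variable and the script is listed in the configure output files, so the script can take `my $tai64nlocal = '@PATHTOTAI64NLOCAL@';` instead. That runs the binary configure actually located rather than a guessed location, and when configure reports `no` the script's existing `-f` check still fails cleanly.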
@@ -880,6 +884,7 @@
    dns/script/Makefile
    dns/script/bind8_query2dlf
    dns/script/bind9_query2dlf
+   dns/script/tinydns_query2dlf
    dnszone/Makefile
    dnszone/filters/Makefile
    dnszone/reports/Makefile
diff -u -r ./dns/script/Makefile.am ../lire-1.2.1-devel/dns/script/Makefile.am
--- ./dns/script/Makefile.am	Sun Aug 18 21:52:26 2002
+++ ../lire-1.2.1-devel/dns/script/Makefile.am	Sun Mar  9 17:44:23 2003
@@ -20,8 +20,8 @@
 
 include $(top_srcdir)/include/rules.mk
 
-convertors_SCRIPTS = bind8_query2dlf bind9_query2dlf
+convertors_SCRIPTS = bind8_query2dlf bind9_query2dlf tinydns_query2dlf
 
-man_MANS = bind8_query2dlf.1 bind9_query2dlf.1
+man_MANS = bind8_query2dlf.1 bind9_query2dlf.1 tinydns_query2dlf.1
 
 CLEANFILES = $(man_MANS)
--- ./all/etc/address.cf	Sat Nov 23 04:18:27 2002
+++ ../lire-1.2.1-devel/all/etc/address.cf	Sun Mar  9 18:20:12 2003
@@ -59,6 +59,7 @@
 squid_access   proxy
 syslog         syslog
 test           test
+tinydns_query  dns
 w3c_extended   www
 watchguard     firewall
 welf	       firewall
--- ./all/lib/Time.pm	Sun Aug  4 21:44:11 2002
+++ ../lire-1.2.1-devel/all/lib/Time.pm	Sun Mar  9 18:37:22 2003
@@ -89,11 +89,15 @@
     my $tm_day = $day + 0;
 
     # process month
-    my $tm_month = $monthnumbers{ lc $month };
-    die("$sub cannot get monthnumber from monthname '$month'")
-      unless defined $tm_month;
+    my $tm_month;
+    if ($month =~ /\d+/) {
+	$tm_month = $month;
+    } else {
+	$tm_month = $monthnumbers{ lc $month };
+	die("$sub cannot get monthnumber from monthname '$month'")
+	    unless defined $tm_month;
+    }
 
-    
     return [ $tm_sec, $tm_min, $tm_hour, $tm_day, $tm_month  ];
 }
 
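Review bot: The new test `if ($month =~ /\d+/)` is unanchored, so any month field that merely contains a digit is taken as a number and bypasses the `die` that used to reject unknown month names. `if ($month =~ /^\d+$/)` keeps that validation for everything that is not purely numeric, and a range check on the result would reject values such as 0 or 13. The base used by `%monthnumbers` is not visible in this hunk and should be confirmed: if names map to 0-11, a numeric month such as "03" passed through unchanged is off by one and would need `$tm_month = $month - 1;`. The enclosing sub starts above the hunk.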
diff -u --new-file ./dns/script/tinydns_query2dlf.in ../lire-1.2.1-devel/dns/script/tinydns_query2dlf.in
--- ./dns/script/tinydns_query2dlf.in	Wed Dec 31 19:00:00 1969
+++ ../lire-1.2.1-devel/dns/script/tinydns_query2dlf.in	Sun Mar  9 18:34:43 2003
@@ -0,0 +1,194 @@
+#! @PATHTOPERL@ -w
+
+# vim:syntax=perl
+
+use strict;
+use lib '@LR_PERL5LIBDIR@';
+use Lire::DlfSchema;
+use Lire::Time;
+use Lire::Program qw( :msg :dlf );
+
+init_dlf_converter( "dns" );
+
+my $schema  = eval { Lire::DlfSchema::load_schema( "dns" ) };
+lr_err( "failed to load dns schema: $@" ) if $@;
+my $dlf_maker	= 
+  $schema->make_hashref2asciidlf_func( qw/time requesting_host request 
+					  type resolver/ );
+
+# If the user is running tinydns then they should (had to)
+# have installed the deamontools and ucspi packages.  Those
+# packages provide the tai64nlocal binary that is used to 
+# convert djb's timestamps to human readable form.  
+my $tai64nlocal = '/usr/local/bin/tai64nlocal';
+
+# tinydns defines these types only
+my %dns_type = 
+  ( 
+   1 => "a",
+   2 => "ns",
+   5 => "cname",
+   6 => "soa",
+   12 => "ptr",
+   13 => "hinfo",
+   15 => "mx",
+   16 => "txt",
+   17 => "rp",
+   24 => "sig",
+   25 => "key",
+   28 => "aaaa",
+   38 => "a6",
+   252 => "axfr",
+   255 => "any",
+  );
+
+sub parse_query {
+    my ( $line ) = @_;
+
+    my %dlf = ();
+
+    my ( $tai64, $requestee, $auth, $type, $requested );
+    # @400000000000000000000000 00000000:0000:0000 + 001c slashdot.org
+    ( $tai64,
+      $requestee,
+      $auth,
+      $type,
+      $requested,
+    ) = $line =~ m!^
+                  (@[0-9a-f]+)\s
+                  ([0-9a-f:]+)\s
+                  (\+|\-)\s
+                  ([0-9a-f]{4})\s
+                  (.*)\s*?
+		  $!x
+		    or die "tinydns lexer failed\n";
+
+    my $tai = `echo $tai64 | $tai64nlocal`;
+
+    my ( $year, $month, $day, $time );
+    ( $year,
+      $month,
+      $day,
+      $time,
+    ) = $tai =~ m!^
+                 (\d{4})\-
+                 (\d{2})\-
+                 (\d{2})\s
+                 ([\d+:]+)
+                 \.\d+
+                 $!x
+		   or die "tai64nlocal lexer failed\n";
+
+    $dlf{time} = date2cal( $year, $month, $day, $time );
+    $dlf{resolver} = $auth eq '+' ? 'nonrec' : 'recurs';
+
+    die "dns type \'$type\' is not defined by tinydns\n"
+      unless defined $dns_type{hex($type)};
+    $dlf{type} = $dns_type{hex($type)};
+
+    my $ip = (split(/:/, $requestee))[0];
+    $dlf{requesting_host} = join(".", unpack("C*", pack("H8", $ip)));
+    $dlf{request} = $requested;
+    $dlf_maker->( \%dlf );
+}
+
+unless ( -f $tai64nlocal) {
+  lr_err( qq{tai64nlocal binary does not exist on host system, skipping} );
+}
+
+my $lines	= 0;
+my $dlflines	= 0;
+my $errorlines	= 0;
+while (<>) {
+    chomp;
+    $lines++;
+
+    next unless ($_ =~ m!^@!); # every valid line begins with an @ symbol for the TAI
+
+    eval {
+	my $dlf = parse_query( $_ );
+	print join( " ", @$dlf), "\n";
+	$dlflines++;
+    };
+    if ( $@ ) {
+	lr_warn( $@ );
+	lr_notice( qq{cannot convert line $. "$_" to dns dlf, skipping} );
+	$errorlines++;
+    }
+}
+
+end_dlf_converter( $lines, $dlflines, $errorlines );
+
+__END__
+
+=pod 
+
+=head1 NAME
+
+tinydns_query2dlf - convert tinydns logs to dlf
+
+=head1 SYNOPSIS
+
+B<tinydns_query2dlf>
+
+=head1 DESCRIPTION
+
+This script converts each line in a tinydns query log to a dns dlf record.
+
+BIND generates these logs when something like
+
+Log files are generated automatically by tinydns.  A typical log file
+would look like this:
+
+ at 400000003e67eeb414752ccc 7f000001:eb9f:80bd + 0001 www.slashdot.org
+
+=head1 EXAMPLES
+
+To process a log as produced by tinydns:
+
+ $ tinydns_query2dlf < dns-query
+
+tinydns_query2dlf will be rarely used on its own, but is more likely
+called by lr_log2report:
+
+ $ cat /var/log/dns-query | lr_run lr_log2report tinydns_query
+
+=head1 SEE ALSO
+
+http://www.logreport.org/doc/gen/dns/bind8.php
+
+bind8_query2dlf(1)
+bind9_query2dlf(1)
+
+=head1 VERSION
+
+$Id: bind8_query2dlf.in,v 1.2 2002/09/01 13:14:13 flacoste Exp $
+
+=head1 COPYRIGHT
+
+Copyright (C) 2000-2001 Stichting LogReport Foundation LogReport at LogReport.org
+
+This program is free software; you can redistribute it and/or modify
+it under the terms of the GNU General Public License as published by
+the Free Software Foundation; either version 2 of the License, or
+(at your option) any later version.
+
+This program is distributed in the hope that it will be useful,
+but WITHOUT ANY WARRANTY; without even the implied warranty of
+MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+GNU General Public License for more details.
+
+You should have received a copy of the GNU General Public License
+along with this program (see COPYING); if not, check with
+http://www.gnu.org/copyleft/gpl.html or write to the Free Software 
+Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA  02111, USA.
+
+=head1 AUTHOR
+
+Christopher Boumenot
+
+=cut
+
+# Local Variables:
+# mode: cperl
+# End:
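Review bot: The `echo $tai64 | $tai64nlocal` backtick in parse_query interpolates text taken from the log line into a shell command, and the only thing keeping that safe is that the lexer above captures `(@[0-9a-f]+)` for that field. The converter parses whatever log it is given, so that dependency should be written down next to the call, e.g. `# $tai64 is '@' plus hex digits only (see lexer above); it is interpolated into a shell command, do not loosen that pattern`. The call also starts a shell and a tai64nlocal process for every log line and never checks `$?`, so a missing or failing helper only shows up as "tai64nlocal lexer failed" on each line. Converting the timestamp in Perl, or running the input through a single tai64nlocal process before parsing, would take the shell out of the per-line path.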

