LinuxQuestions.org

LinuxQuestions.org (/questions/)
-   Linux - Newbie (http://www.linuxquestions.org/questions/linux-newbie-8/)
-   -   Please help separate IP addresses in BIND9 query log (http://www.linuxquestions.org/questions/linux-newbie-8/please-help-separate-ip-addresses-in-bind9-query-log-4175417730/)

Balvinder87 07-20-2012 01:49 AM

Please help separate IP addresses in BIND9 query log
 
I Have Installed BIND9 on my system.My log file (named_query) has the logs of each of the clients (192.168.2.1...10) in my network
But I want to see the logs of each client separately in files like /var/log/named_querylog.x.x.x.x where x.x.x.x is the ip address of the each client
Can any one help me write a startup Script or some other way to do this?

pan64 07-20-2012 01:21 PM

have you tried grep, awk, perl or something?

Balvinder87 07-23-2012 02:07 AM

i am happy with your solution
please help me with a sample rsyslog.conf file

pan64 07-23-2012 05:19 AM

I have no solution at all.
I can only to suggest you something, but actually I have a simple idea, you can grep out lines for every host:
grep 192.168.2.1 logfile > log.192.168.2.1

pixellany 07-23-2012 05:43 AM

Regex to find old-style (dotted quad) IPs
"([0-9]{1,3}\.){3}[0-9]{1,3}"

This uses extended regex rules, so use with egrep, sed -r, etc.

Balvinder87 07-25-2012 03:59 AM

@all
thanks for the solution

Reuti 07-25-2012 11:10 AM

With syslog-ng it can be done to create a file per detected entry in the logged messages. In syslog-ng.conf you can define a custom parser:
Code:

parser foobar {
            db_parser(file("/root/patterns/rules.xml")); };

options { create_dirs(yes); dir_perm(0755); };

destination baz { file("/var/log/collection/$FOO_ADDRESS.log"); };
log { source(src); parser(foobar); destination(baz); };

with an XML entry like:
Code:

<patterndb version='3' pub_date='2012-07-25'>
  <ruleset name='get_adress' id='5010'>
    <rules>
      <rule id='5010001' class='system' provider='reuti'>
        <patterns>
          <pattern>from: @IPv4:FOO_ADDRESS@</pattern>
        </patterns>
      </rule>
    </rules>
  </ruleset>
</patterndb>

and use $FOO_ADDRESS for the file destination entry like outlined above.

Maybe this has an equivalent in rsyslogd.

--

The above will scan all messages (it could be limited to named though) for entries: “from: 12.34.56.78”


All times are GMT -5. The time now is 05:36 AM.