#! /usr/bin/perl -w

# vim:syntax=perl

use strict;
use lib '/usr/share/perl5';
use Lire::DlfSchema;
use Lire::Time;
use Lire::Program qw( :msg :dlf );

init_dlf_converter( "dns" );

# Load the "dns" DLF schema.  load_schema() is wrapped in eval so that a
# failure is reported through lr_err() with the original error text
# instead of an unhandled die.
my $schema = eval { Lire::DlfSchema::load_schema( "dns" ) };
if ( $@ ) {
    lr_err( "failed to load dns schema: $@" );
}

# Function that turns a hashref of named fields into an ASCII DLF record;
# the list fixes the order in which the fields are emitted.
my $dlf_maker = $schema->make_hashref2asciidlf_func(
    qw( time requesting_host request type resolver )
);


# Lex one bind8 querylog line into a dns DLF record.
#
# Argument: the (already chomped) log line.
# Returns:  whatever $dlf_maker returns for the parsed fields; the main
#           loop treats it as an array ref of DLF fields.
# Dies:     with "bind8 lexer failed\n" when the line does not match the
#           expected layout.
#
# Accepted layouts (the optional "<something>" between the timestamp and
# the XX marker is skipped):
#   10-Apr-2000 00:01:20.307 XX+/1.2.214.6/1.8.1.in-addr.arpa/SOA/IN
#   10-Apr-2000 00:01:20.307 <something> XX+/1.2.214.6/1.8.1.in-addr.arpa/SOA/IN
#
# NOTE(review): requesting_host and request are copied verbatim from the
# log line, i.e. from data remote clients sent to the nameserver; no
# sanitising happens here, any quoting of DLF fields is left to $dlf_maker.
sub parse_query {
    my ( $line ) = @_;

    my $bind8_query_re = qr!^
        (\d+)-(\w+)-(\d+)\s([\d.:]+)\s.*?XX([ +])
        /([\d.]+)
        /(.*?)
        /(\w+)
        (?:/IN)?
        $!x;

    # List assignment in scalar context yields the number of captures, so a
    # failed match (empty list) falls through to the die.
    my @captured = $line =~ $bind8_query_re
        or die "bind8 lexer failed\n";

    my ( $day, $month, $year, $time, $recursion_flag ) = splice @captured, 0, 5;

    my %dlf = ();
    @dlf{ qw( requesting_host request type ) } = @captured;

    # A '+' after the XX marker is reported as a recursive query, a blank
    # as a non-recursive one.
    $dlf{resolver} = $recursion_flag eq '+' ? 'recurs' : 'nonrec';
    $dlf{time}     = date2cal( $year, $month, $day, $time );

    return $dlf_maker->( \%dlf );
}

# Main loop: read querylog lines from STDIN (or the files named on the
# command line), convert each candidate line and keep the counters that
# end_dlf_converter() reports.
my $lines      = 0;   # lines read
my $dlflines   = 0;   # lines converted to DLF
my $errorlines = 0;   # lines the lexer rejected

LINE:
while ( <> ) {
    lire_chomp;
    $lines++;

    # Cheap pre-filter: only lines carrying the "XX" query marker (hardcoded
    # in bind8) are handed to the lexer; other lines are counted as read but
    # are neither converted nor reported as errors.
    next LINE unless m! XX[ +]/!;

    eval {
        my $dlf_fields = parse_query( $_ );
        print join( " ", @{ $dlf_fields } ), "\n";
        $dlflines++;
    };
    next LINE unless $@;

    # $@ is inspected right after the eval so nothing can clobber it.
    lr_warn( $@ );
    lr_notice( qq{cannot convert line $. "$_" to dns dlf, skipping} );
    $errorlines++;
}

end_dlf_converter( $lines, $dlflines, $errorlines );

__END__

=pod 

=head1 NAME

bind8_query2dlf - convert BIND8 querylogs to dlf

=head1 SYNOPSIS

B<bind8_query2dlf>

=head1 DESCRIPTION

This script converts each line in a bind8 querylog to a dns dlf record.

BIND generates these logs when something like

 logging {
     channel query_logging {
         file "/var/log/named_querylog"
         versions 3 size 100M;
         print-time yes;                 // timestamp log entries              
      };

      category queries {
          query_logging;
      };
 };

is in bind's named.conf.  This will save up to three logfiles of maximum 
100 megabytes in the directory /var/log. 

These logfiles look like:

 10-Apr-2000 00:01:20.307 XX /10.2.3.4/1.2.3.in-addr.arpa/SOA/IN
 10-Apr-2000 00:01:20.308 XX+/10.4.3.2/host.foo.com/A/IN

=head1 EXAMPLES

To process a log as produced by bind8:

 $ bind8_query2dlf < dns-query

bind8_query2dlf will rarely be used on its own; it is more likely to be
called by lr_log2report:

 $ lr_log2report bind8_query < /var/log/dns-query

=head1 SEE ALSO

http://www.logreport.org/doc/gen/dns/bind8.php

bind9_query2dlf(1)

=head1 VERSION

$Id: bind8_query2dlf.in,v 1.6 2006/07/23 13:16:33 vanbaal Exp $

=head1 COPYRIGHT

Copyright (C) 2000-2001 Stichting LogReport Foundation LogReport@LogReport.org

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 2 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program (see COPYING); if not, check with
http://www.gnu.org/copyleft/gpl.html. 

=head1 AUTHOR

Edwin Groothuis, now maintained by Joost van Baal

=cut

# Local Variables:
# mode: cperl
# End:
