WangTongze - 6 months ago
Linux Question

Analyze log file of dnsmasq

I am currently facing a problem. When I open the dnsmasq log, it looks like this:

Jun 10 17:50:00 dnsmasq[21796]: query[A] isatap.lan from 115.34.22.160
Jun 10 17:50:00 dnsmasq[21796]: cached isatap.lan is NXDOMAIN-IPv4
Jun 10 17:50:21 dnsmasq[21796]: query[A] isatap.lan from 115.34.22.160
Jun 10 17:50:21 dnsmasq[21796]: cached isatap.lan is NXDOMAIN-IPv4
Jun 10 17:50:31 dnsmasq[21796]: query[A] isatap.lan from 115.34.22.160
Jun 10 17:50:31 dnsmasq[21796]: cached isatap.lan is NXDOMAIN-IPv4
Jun 10 17:50:37 dnsmasq[21796]: query[A] isatap.lan from 115.34.22.160
Jun 10 17:50:37 dnsmasq[21796]: cached isatap.lan is NXDOMAIN-IPv4
Jun 10 17:50:40 dnsmasq[21796]: query[A] zyx.qq.com from 115.34.22.160
Jun 10 17:50:40 dnsmasq[21796]: forwarded zyx.qq.com to 114.114.114.114
Jun 10 17:50:40 dnsmasq[21796]: forwarded zyx.qq.com to 223.5.5.5
Jun 10 17:50:40 dnsmasq[21796]: reply zyx.qq.com is 123.151.43.51
Jun 10 17:50:40 dnsmasq[21796]: reply zyx.qq.com is 183.60.62.158
Jun 10 17:50:40 dnsmasq[21796]: reply zyx.qq.com is 113.108.1.90
Jun 10 17:50:42 dnsmasq[21796]: query[A] isatap.lan from 115.34.22.160
Jun 10 17:50:42 dnsmasq[21796]: cached isatap.lan is NXDOMAIN-IPv4
Jun 10 17:50:52 dnsmasq[21796]: query[A] isatap.lan from 115.34.22.160
Jun 10 17:50:52 dnsmasq[21796]: cached isatap.lan is NXDOMAIN-IPv4
Jun 10 17:50:58 dnsmasq[21796]: query[A] ic.wps.cn from 115.34.22.160
AND ETC.


It's very difficult for us to analyze it. Does anybody have an idea how to show only the queried domains, which should look like this?

isatap.lan
zyx.qq.com
ic.wps.cn
AND ETC.


However, I tried this:
http://www.tannerwilliamson.com/analyzing-dnsmasq-log-with-awk/1610/

and its output is like this:

root@VM-208-178-ubuntu:/home# awk -f /home/dnsmasq.awk /var/log/dnsmasq.log | less
name | nb | forwarded | answered from cache
irs01.net | 1 | 1 | 0
927662-0-2081296634-261190004.ns.124-14-16-250-ns.dns-spider.ffdns.net | 1 | 1 | 0
blog.sina.com.cn | 4 | 4 | 1
927655-0-2081296634-261190004.ns.124-14-16-250-ns.dns-spider.myxns.cn | 1 | 1 | 0
www.baidu.com | 2 | 2 | 0
* careers.stackoverflow.com | 10 | 13 | 0
blender.stackexchange.com | 2 | 2 | 0
974449-0-2081296634-261190004.ns.124-14-16-250-ns.dns-spider.myxns.cn | 1 | 1 | 0
img.iknow.bdimg.com | 2 | 1 | 1
* smarterer.com | 2 | 3 | 0
a.disquscdn.com | 1 | 1 | 0
927648-0-2081296634-261190004.ns.124-14-16-250-ns.dns-spider.myxns.cn | 1 | 1 | 0
physics.stackexchange.com | 6 | 5 | 4
* area51.stackexchange.com | 2 | 3 | 0
iknow02.bosstatic.bdimg.com | 2 | 1 | 1
passport.baidu.com | 1 | 1 | 0
webapps.stackexchange.com | 5 | 4 | 4


It's a little bit different from what I want. Could anybody help me?
Thanks for the help!

Answer

A simple awk script could be sufficient for this, provided the logfile you showed remains intact.

awk '!seen[$6]++ {print $6}' file

will produce the output as

ic.wps.cn
isatap.lan
zyx.qq.com

The logic is simple: it parses each entry in column six, adds it to the array seen, and prints the element only if it has not been seen before.

P.S. If the order of the columns in the log file is subject to change in the future, the awk command may not work, as it relies purely on the index of the column to get the results.
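
A position-independent variant of the approach above, added here as an example and not part of the original answer: it locates the "query[TYPE] NAME from CLIENT" tokens wherever they sit on the line, so an extra syslog column does not break it and only actual client queries are counted. The function names queried_domains, query_counts and sample_log, and the sample lines (modelled on the log in the question), are constructed for illustration.

```shell
#!/bin/sh
# Added example: extract queried names from a dnsmasq log by locating the
# "query[TYPE] NAME from CLIENT" tokens instead of relying on column 6.

# Print each queried name once, in order of first appearance.
queried_domains() {
    awk '
    {
        for (i = 1; i + 2 <= NF; i++) {
            if ($i ~ /^query\[.+\]$/ && $(i + 2) == "from") {
                name = tolower($(i + 1))   # DNS names are case-insensitive
                if (!seen[name]++) print name
                break
            }
        }
    }' "$@"
}

# Print "COUNT NAME" per queried name, most-queried first.
query_counts() {
    awk '
    {
        for (i = 1; i + 2 <= NF; i++)
            if ($i ~ /^query\[.+\]$/ && $(i + 2) == "from") {
                count[tolower($(i + 1))]++
                break
            }
    }
    END { for (n in count) print count[n], n }' "$@" | sort -k1,1nr -k2,2
}

# Constructed sample input; the last line carries an extra hostname column,
# which shifts the queried name from column 6 to column 7.
sample_log() {
    cat <<'EOF'
Jun 10 17:50:00 dnsmasq[21796]: query[A] isatap.lan from 115.34.22.160
Jun 10 17:50:00 dnsmasq[21796]: cached isatap.lan is NXDOMAIN-IPv4
Jun 10 17:50:40 dnsmasq[21796]: query[A] zyx.qq.com from 115.34.22.160
Jun 10 17:50:40 dnsmasq[21796]: forwarded zyx.qq.com to 114.114.114.114
Jun 10 17:50:40 dnsmasq[21796]: reply zyx.qq.com is 123.151.43.51
Jun 10 17:50:42 dnsmasq[21796]: query[A] isatap.lan from 115.34.22.160
Jun 10 17:50:58 dnsmasq[21796]: query[A] ic.wps.cn from 115.34.22.160
Jun 10 17:51:02 gw dnsmasq[21796]: query[AAAA] IC.WPS.CN from 115.34.22.160
EOF
}
```

Both functions read a file given as an argument or standard input, for example queried_domains /var/log/dnsmasq.log or sample_log | query_counts.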