Last active
November 16, 2021 20:45
-
-
Save RoganDawes/0e04da948b5c8acaf304771265c3337a to your computer and use it in GitHub Desktop.
Script to ingest operwrt syslogs, build up a map of DNS name lookups to the resulting IP address, and then replace the IP address in subsequent log entries with the corresponding name that was queried. This currently focuses specifically on log entries that match the expression "REJECT wan out", but could certainly be adjusted to work with other…
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/usr/bin/perl -w | |
| # Script to process router log file to list dnsmasq DNS lookup entries and | |
| # Kernel DROP entries to correlate which DNS names are being dropped by the | |
| # firewall. | |
| # | |
| # dnsmasq correlates multiple log entries using a random key, and these can | |
| # be interleaved with other log entries. | |
| # | |
| # The idea is to sort the entries according to the key, but in order of time | |
| # | |
| # Run it like: tail -f remote-192.168.201.1.log | grep 192.168.201.162 | ./dnsmasq_log.pl | |
| $order = []; | |
| $lines = {}; | |
| $index = {}; | |
| $ip2name = {}; | |
| $query = {}; | |
| while (<>) { | |
| $_ =~ /.*dnsmasq.*(query|reply|cached|ipset).*/ && do { | |
| chomp; | |
| @words = split(/ +/); | |
| # print join(",", @words); | |
| $ref = $words[5]; | |
| if (! defined $lines{$ref}) { | |
| push @$order, $ref; | |
| $lines{$ref} = []; | |
| $index{$ref} = $#{$order}; | |
| } | |
| push @{$lines{$ref}}, $_; | |
| if ($_ =~ /(query\[A)/) { | |
| $query{$ref} = $words[8]; | |
| } | |
| if ($_ =~ /(reply)/ && $_ !~ /<CNAME>/) { | |
| $ip = $words[10]; | |
| $ip2name{$ip} = $query{$ref}; | |
| # printf(STDERR $ip . " is " . $ip2name{$ip} . "\n"); | |
| } | |
| }; | |
| $_ =~ /.*REJECT wan out.*/ && do { | |
| chomp; | |
| @words = split(/ +/); | |
| @dst = split("=", $words[13]); | |
| $ip = $dst[1]; | |
| $words[13] = "DST=" . (defined $ip2name{$ip} ? $ip2name{$ip} : $ip); | |
| printf(STDOUT join(" ", @words) . "\n"); | |
| }; | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment