lrhazi/dns_logger.tcl

## dns_logger.tcl
when CLIENT_ACCEPTED {
    set MAX_ELEMENTS 5
    set hsl [HSL::open -proto UDP -pool splunk_pool]
    set vip [IP::local_addr]
    set client_ip [IP::remote_addr]
}
when DNS_REQUEST {
    set q_size [DNS::len]
    set q_start [clock clicks]
}
when DNS_RESPONSE {
    set q_end [clock clicks]
    set logline ""
    set answer ""
    set a_size [DNS::len]
    set rrs [DNS::answer]
    set num_answers [llength $rrs]
    for {set i 1} {$i<=[llength $rrs]} {incr i} {
        set rr [lindex $rrs [expr {$i-1}]]
        append answer "a_name_" $i "=" [DNS::name $rr] " "
        append answer "a_ttl_" $i "=" [DNS::ttl $rr] " "
        append answer "a_class_" $i "=" [DNS::class $rr] " "
        append answer "a_type_" $i "=" [DNS::type $rr] " "
        set rdata [string trim [DNS::rdata $rr] {"} ]
        append answer "a_data_" $i "=" "\"" $rdata "\"" " "
        if { $i > $MAX_ELEMENTS } break
    }
    set rrs [DNS::additional]
    set num_answers_add [llength $rrs]

    set rrs [DNS::authority]
    set num_answers_auth [llength $rrs]

    set origin [DNS::origin]
    if { $origin == "SERVER" } {
        set origin [LB::server addr]
    }

    if { [catch { set dnssec [DNS::edns0 do] } ] } {
        set dnssec 0
    } else {
        set dnssec 1
    }

    #set dropped [table lookup -subtable "dns_drop" $client_ip]
    set dropped 0

    append logline "<190> v=$vip c=$client_ip" " " "o=$origin" " " "d=$dnssec" " " "z=$dropped" " "
    append logline "n=[DNS::question name] t=[DNS::question type] k=[DNS::question class]" " "
    append logline "n1=$num_answers n2=$num_answers_add n3=$num_answers_auth" " "
    append logline "as=$a_size" " "
    if { [info exists q_size] } {
        append logline "qs=$q_size" " "
    }
    if { [info exists q_start] } {
        set elapsed [expr ($q_end - $q_start)/1000]
        append logline "r=$elapsed"
    }
    append logline "\n"
    HSL::send $hsl $logline
    #log local0.debug $logline
}
	when CLIENT_ACCEPTED {
	set MAX_ELEMENTS 5
	set hsl [HSL::open -proto UDP -pool splunk_pool]
	set vip [IP::local_addr]
	set client_ip [IP::remote_addr]
	}
	when DNS_REQUEST {
	set q_size [DNS::len]
	set q_start [clock clicks]
	}
	when DNS_RESPONSE {
	set q_end [clock clicks]
	set logline ""
	set answer ""
	set a_size [DNS::len]
	set rrs [DNS::answer]
	set num_answers [llength $rrs]
	for {set i 1} {$i<=[llength $rrs]} {incr i} {
	set rr [lindex $rrs [expr {$i-1}]]
	append answer "a_name_" $i "=" [DNS::name $rr] " "
	append answer "a_ttl_" $i "=" [DNS::ttl $rr] " "
	append answer "a_class_" $i "=" [DNS::class $rr] " "
	append answer "a_type_" $i "=" [DNS::type $rr] " "
	set rdata [string trim [DNS::rdata $rr] {"} ]
	append answer "a_data_" $i "=" "\"" $rdata "\"" " "
	if { $i > $MAX_ELEMENTS } break
	}
	set rrs [DNS::additional]
	set num_answers_add [llength $rrs]

	set rrs [DNS::authority]
	set num_answers_auth [llength $rrs]

	set origin [DNS::origin]
	if { $origin == "SERVER" } {
	set origin [LB::server addr]
	}

	if { [catch { set dnssec [DNS::edns0 do] } ] } {
	set dnssec 0
	} else {
	set dnssec 1
	}

	#set dropped [table lookup -subtable "dns_drop" $client_ip]
	set dropped 0

	append logline "<190> v=$vip c=$client_ip" " " "o=$origin" " " "d=$dnssec" " " "z=$dropped" " "
	append logline "n=[DNS::question name] t=[DNS::question type] k=[DNS::question class]" " "
	append logline "n1=$num_answers n2=$num_answers_add n3=$num_answers_auth" " "
	append logline "as=$a_size" " "
	if { [info exists q_size] } {
	append logline "qs=$q_size" " "
	}
	if { [info exists q_start] } {
	set elapsed [expr ($q_end - $q_start)/1000]
	append logline "r=$elapsed"
	}
	append logline "\n"
	HSL::send $hsl $logline
	#log local0.debug $logline
	}