[ Top | Up | Prev | Next | Map | Index ]

Analog 4.12: DNS lookups

Sometimes a logfile contains numerical IP addresses - like - for the computers that have visited you, instead of names like lion.statslab.cam.ac.uk. This section describes how you can get analog to do so-called DNS lookups to translate these numbers into names. This relies on you having a suitably configured system: DNS lookups are not possible on some systems.

Unfortunately DNS lookups are typically very slow, because your computer has to ask across the network to find out the names of the hosts. For this reason, analog saves the addresses it has looked up in a file, so that you don't have to look them up again next time. (Even so, you may find the DNS lookups too slow to be usable.) The file is specified by a command like

DNSFILE dnsfile.txt
You will still need to use one of the commands in the next paragraph in order to actually use the file.

There are four possible levels of DNS activity. If you specify DNS NONE, no numerical addresses will be resolved. If you specify DNS READ, then analog will read the DNS file for old lookups, but no new lookups will take place. This mode is suitable if you are running analog while not connected to the internet. The third level is DNS WRITE. This reads the old file, looks up new addresses, and adds them to the file. (The first time you use DNS WRITE, you will get a missing-file warning as it tries to read the old file, but it will exist the next time.) The final level is DNS LOOKUP. This reads the old file and looks up new addresses, but doesn't add the new addresses to the file, so that they will not be remembered for next time. This is not normally a level that the user wants to specify, but analog will switch to this the behaviour if DNS WRITE fails for some reason.

If you are using a HOSTEXCLUDE command, you need to exclude the numerical IP address if it can't be resolved, or the name if it can. In other words, exclude whatever the host is known as in the report.

If two copies of analog were allowed to write to the DNS file at the same time, the file could become corrupted. So when analog is running in DNS WRITE mode, it creates a lock file which tells other copies of analog to back off to DNS LOOKUP. You can change the location of that file with the command
Of course you should make sure that all copies of analog use the same lock file, at least if they have the same DNS file! If analog crashes, it may not clear up the lock file, so in that case you may have to delete it yourself. (Disclaimer: on some systems, race conditions may occasionally thwart this mechanism, but this is very unlikely.)

Analog never deletes anything from the DNS file: this means that the DNS file will grow, and can become quite large. You should delete the top of it every so often.

There are two parameters which say how long to trust old lookups for. If you set

for example, then successful lookups will be checked again after 672 hours (4 weeks). You can also set the DNSBADHOURS similarly, to check failed lookups again after a certain time.

Finally, there is a debugging command, DEBUG +D to show all the DNS lookups that analog is making.

There are lots of tools to help with the DNS lookups on the helper applications page.
Normally you need never write a DNS file: you should rely on analog to do it for you. But in case you need to know, the format of the file is
timestamp IP_address name
where the timestamp is the number of minutes since the beginning of 1970, GMT (i.e., "Unix time" divided by 60), and the name is just * if the address couldn't be resolved.
Go to the analog home page.

Stephen Turner
05 October 2000

Need help with analog? Use the analog-help mailing list.

[ Top | Up | Prev | Next | Map | Index ]