converting ip numbers to domain names in log files
JD.Carlson at UCHSC.edu
Wed Dec 29 18:38:40 UTC 1999
Actually, I was hoping to avoid nslookup.
Getting IP numbers out of a log file is as easy as
filtering the file through something like:
cut -d" " -f5 | sort | uniq
if the logfile is delimited by spaces and the IP numbers are in
the 5th field.
I currently use a perl script:
#!/usr/bin/perl
# -----------------------------------------------------------------
# Resolve IP numbers into names within a file, substituting IP NAME for the IP NUMBER.
# Using perl gethostbyaddr
# jdc ---------------------------------------------
use Socket;
while (<STDIN>) {
    chomp($_);                          # Remove NL from input.
    @log_word = split(/ /, $_);         # Split all words on input line (using SPACE delim)
    foreach (@log_word) {               # Print all words from input line...
        if ( /255\.255\.\d*\.\d/ ) {            # match a broadcast number
            print "$_ ";
        } elsif ( /\d*\.\d*\.\d*\.0/ ) {        # match a network number
            print "$_ ";
        } elsif ( /\d*\.\d*\.\d*\.255/ ) {      # match a network broadcast
            print "$_ ";
        } elsif ( /\d*\.\d*\.\d*\.\d/ ) {       # match an IP number
            $name="N/A";
            # $_ now is an IP Number we will try to look up
            #print "\nlooking up: $_ \n";
            $name = gethostbyaddr(inet_aton($_), AF_INET)
                or print "Can't_resolve:";
            print "$name($_) ";
            # $name is the hostname ("www.perl.com")
        }
        else {
            print "$_ ";                # Print the other words on the line
        }
    }
    print "\n";                         # Print the NL after each line
}
But it lacks a few things, like caching lookups, returning domain
info when the address lacks a PTR record, and such. It works on
anything, including router config files (where it got started).
I just learned of a parsing logfile perl script for ipmon at
http://www.antibozo.net/ogata/webtools/plog.txt
that does some caching, maybe I'll look at it.
Thanks, J.D.
>> On Fri, Dec 24, 1999 at 10:15:19PM +0000, J.D. Carlson wrote:
>> I'd like to know if there is a program I can filter a log file through
>> that will resolve the ip numbers into the respective names.
>>J.D. Carlson
>You can pass the bare IP addresses to 'nslookup', and it will return you
>the names. For instance, if I give
>204.152.184.101
>204.152.184.27
>as input to 'nslookup', I get [something like]:
[...]
>Transforming the log files into lists of IP addresses is logfile-format-
>dependent, and is left as an exercise for the reader. ;-)
>--
>Joe Yao jsdy at cospo.osis.gov - Joseph S. D. Yao
>COSPO/OSIS Computer Support EMT-B
>-----------------------------------------------------------------------
>This message is not an official statement of COSPO policies.
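
The caching the message above says the script lacks, as an added example (not code from the original post or from plog.txt): each address is resolved once and failed lookups are remembered too, so a busy log does not repeat the same PTR query. The sub names, the stub resolver and the sample log lines are constructed for illustration.

```perl
use strict;
use warnings;
use Socket qw(inet_aton AF_INET);

my %cache;    # ip => hostname, or undef when the lookup failed (negative cache)

# Default resolver: one PTR query through the system resolver.
sub ptr_lookup {
    my ($ip) = @_;
    return scalar gethostbyaddr(inet_aton($ip), AF_INET);
}

# True only for a whole-token dotted quad with every octet in 0..255.
sub is_ipv4 {
    my ($tok) = @_;
    my @o = $tok =~ /^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})\z/ or return 0;
    return !grep { $_ > 255 } @o;
}

# Rewrite one log line, turning each host address into name(ip).
sub annotate_line {
    my ($line, $resolver) = @_;
    $resolver ||= \&ptr_lookup;
    my @out;
    for my $tok (split / /, $line, -1) {
        # Same skip rules as the script above: netmasks, network and broadcast numbers.
        if (is_ipv4($tok) && $tok !~ /^255\.255\.|\.(?:0|255)\z/) {
            $cache{$tok} = $resolver->($tok) unless exists $cache{$tok};
            my $name = defined $cache{$tok} ? $cache{$tok} : "Can't_resolve:";
            push @out, "$name($tok)";
        } else {
            push @out, $tok;
        }
    }
    return join ' ', @out;
}

# Constructed sample lines and a stub resolver (hypothetical names) so the demo
# runs offline; call annotate_line($line) with no resolver to query real DNS.
my $queries  = 0;
my %fake_ptr = ('192.0.2.10' => 'www.example.com');
my $stub     = sub { $queries++; return $fake_ptr{ $_[0] } };
for my $line (
    'Dec 29 18:01:02 fw: 192.0.2.10 -> 198.51.100.7 PR tcp',
    'Dec 29 18:01:05 fw: 192.0.2.10 -> 192.0.2.255 PR udp',
    'Dec 29 18:01:09 fw: 198.51.100.7 -> 192.0.2.10 PR tcp',
) {
    print annotate_line($line, $stub), "\n";
}
print "lookups performed: $queries\n";
```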