Bind Queries log file format
olgamirth at gmail.com
Wed Jan 25 14:11:41 UTC 2017
On Wed, Jan 25, 2017 at 8:51 AM, Mukund Sivaraman <muks at isc.org> wrote:
> Rememeber that not only users, but even us developers have to look at
> your logs when you send them to us.
> When things are fine, the sun is shining, hay is growing.. all's fine,
> and the fields in the log format that a user wants are sufficient.
> When one out of numerous deployments of BIND reports a crash, and we're
> not able to reproduce it, all we have is the effects that the reporter
> can provide us. named is asynchronous software with numerous concurrent
> wheels chugging, with some shared datastructures and non-shared request
> specific structures. When things go bad, they show up as bad sometimes
> a long time after the fact. If we are not able to reproduce it, looking
> at logs and attempting to reconstruct what happened is like looking for
> a needle in a haystack. In such cases, we find these bits of extra
> information useful. Users may not like an extra field, but please bear
> with us because it is helpful when things go bad.
> This specific client pointer was useful in debugging such an issue and
> that's why it was permanently added to the log.
Yea, I can respect that. However, I'm not confident that dropping it right
in the middle of the log entry was the best place for it. I have a number
of processes that monitor the query logs (it seems like everybody wants to
know where everybody else is going), and these logs can get BIG. To
ameliorate the amount of data that needs to be parsed, I throw out the
queries from systems that are not relevant. With that single entry,
everything became relevant according to my regex. Making this addition to
the beginning or the end of the log entry would have provided the
developers the necessary data, and preserved my regex.
But, hey, at least now I know.
-------------- next part --------------
An HTML attachment was scrubbed...
More information about the bind-users