dnsmasq日志文件分析

Question

我现在正面临一个问题。当我打开dnsmasq日志时，如下所示：

Jun 10 17:50:00 dnsmasq[21796]: query[A] isatap.lan from 115.34.22.160
Jun 10 17:50:00 dnsmasq[21796]: cached isatap.lan is NXDOMAIN-IPv4
Jun 10 17:50:21 dnsmasq[21796]: query[A] isatap.lan from 115.34.22.160
Jun 10 17:50:21 dnsmasq[21796]: cached isatap.lan is NXDOMAIN-IPv4
Jun 10 17:50:31 dnsmasq[21796]: query[A] isatap.lan from 115.34.22.160
Jun 10 17:50:31 dnsmasq[21796]: cached isatap.lan is NXDOMAIN-IPv4
Jun 10 17:50:37 dnsmasq[21796]: query[A] isatap.lan from 115.34.22.160
Jun 10 17:50:37 dnsmasq[21796]: cached isatap.lan is NXDOMAIN-IPv4
Jun 10 17:50:40 dnsmasq[21796]: query[A] zyx.qq.com from 115.34.22.160
Jun 10 17:50:40 dnsmasq[21796]: forwarded zyx.qq.com to 114.114.114.114
Jun 10 17:50:40 dnsmasq[21796]: forwarded zyx.qq.com to 223.5.5.5
Jun 10 17:50:40 dnsmasq[21796]: reply zyx.qq.com is 123.151.43.51
Jun 10 17:50:40 dnsmasq[21796]: reply zyx.qq.com is 183.60.62.158
Jun 10 17:50:40 dnsmasq[21796]: reply zyx.qq.com is 113.108.1.90
Jun 10 17:50:42 dnsmasq[21796]: query[A] isatap.lan from 115.34.22.160
Jun 10 17:50:42 dnsmasq[21796]: cached isatap.lan is NXDOMAIN-IPv4
Jun 10 17:50:52 dnsmasq[21796]: query[A] isatap.lan from 115.34.22.160
Jun 10 17:50:52 dnsmasq[21796]: cached isatap.lan is NXDOMAIN-IPv4
Jun 10 17:50:58 dnsmasq[21796]: query[A] ic.wps.cn from 115.34.22.160
AND ETC.

我们很难分析它。谁有一个想法，只显示被查询的领域，哪应该是这样？

isatap.lan
zyx.qq.com
ic.wps.cn
AND ETC.

不过，我尝试过这样做：http://www.tannerwilliamson.com/analyzing-dnsmasq-log-with-awk/1610/

它的输出我喜欢这样：

root@VM-208-178-ubuntu:/home# awk -f /home/dnsmasq.awk /var/log/dnsmasq.log | less
                                     name |      nb    |  forwarded |  answered from cache
                                irs01.net |         1  |         1  |         0
 927662-0-2081296634-261190004.ns.124-14-16-250-ns.dns-spider.ffdns.net |         1  |         1  |         0
                         blog.sina.com.cn |         4  |         4  |         1
 927655-0-2081296634-261190004.ns.124-14-16-250-ns.dns-spider.myxns.cn |         1  |         1  |         0
                            www.baidu.com |         2  |         2  |         0
*               careers.stackoverflow.com |        10  |        13  |         0
                blender.stackexchange.com |         2  |         2  |         0
 974449-0-2081296634-261190004.ns.124-14-16-250-ns.dns-spider.myxns.cn |         1  |         1  |         0
                      img.iknow.bdimg.com |         2  |         1  |         1
*                           smarterer.com |         2  |         3  |         0
                          a.disquscdn.com |         1  |         1  |         0
 927648-0-2081296634-261190004.ns.124-14-16-250-ns.dns-spider.myxns.cn |         1  |         1  |         0
                physics.stackexchange.com |         6  |         5  |         4
*                area51.stackexchange.com |         2  |         3  |         0
                  iknow02.bosstatic.bdimg.com |         2  |         1  |         1
                       passport.baidu.com |         1  |         1  |         0
                    webapps.stackexchange.com |         5  |         4  |         4

这和我想要的有点不同。有人能帮我吗？谢谢你的帮助！

Answer 1

只要您显示的日志文件保持完整，一个简单的awk脚本就足够了。

awk '!seen[$6]++ {print $6}' file

将产生的输出

ic.wps.cn
isatap.lan
zyx.qq.com

逻辑很简单，它解析第六列中的每个条目，并将其添加到数组seen中，并且只有在以前没有看到元素时才打印它。

如果日志文件中的列的顺序将来会发生变化，那么awk命令可能无法工作，因为它完全依赖于列的索引来获得结果。