This is a little page, just to get you going with Naquela...
There are two sections:
- How to set up logging in named
- Command line options in naquela
Section 1. Setting up logging
In your 'named.conf' file, put the following:
logging {
    channel queries {
        file "/var/log/named_queries.log";
        print-time yes;
        print-category yes;
    };
    category queries {
        queries;
    };
};
This sets up a "channel" (i.e. a place to log to), and then sends the logging
category "queries" to it. The file must be writable by the user named runs as (and,
on a chrooted install, the path is taken inside the chroot).
Section 2. How to use Naquela
Naquela has many command line options, and more are being added all the time.
Here I shall list the options, along with sample output from each one.
Before you start using naquela, you must configure three options within the script.
- The first of these is the location of your logfile.
- The second is a list of networks you find interesting (e.g. if you run a caching
  nameserver for your organisation, you may want to list your organisation's networks
  here so you can see how much traffic is coming from each department).
- The third option you'll probably want to leave as the default of 127.0.0.1. You will see
  options later on that let you exclude the localhost (for instance, if you run a mail server
  on the same machine, it will give you a lot of hits that you may wish to exclude).
Here are the command-line flags, with examples of output where appropriate...
-h or --help to print out a summary of commands.
Left to its own devices (i.e. with no options set), naquela will print out
results like this:
$ naquela
----------------------
Results for each date:
----------------------
20/Jun/2002 has 8971 entries
21/Jun/2002 has 10275 entries
22/Jun/2002 has 8754 entries
...
$
You can restrict the dates on which naquela reports with these commands:
-ds (Date Start) followed (WITHOUT WHITESPACE) by ddmmyyyy
 for a date to start the stats from (you can also use -1 for yesterday
 or 0 for today, or indeed just leave blank for "since the log started").
-df (Date Finish) in the same way as the start date, except that
 leaving it blank means "up to and including today".
For instance,
$ naquela -ds01072002 -df-1
will give you results from 1st July 2002 until (and including) yesterday.
There are many things to add/exclude to/from the report:
-ht (Hourly Total) to turn on the report which shows which times
 of day are busiest (it sums the requests for each hour over the date range).
-hd (Hours (for each) Date) to turn on the report which gives the
 hourly usage after each date (can be quite a long list!).
-nd if you don't want the "dd/mm/yyyy has 5253 entries" line shown. Useful
 if you're doing the analysis over a long period of time.
So for instance,
$ naquela -nd -ht
--------------
Hourly Totals:
--------------
00:00 - 01:00: 2733 queries        12:00 - 13:00: 11633 queries
01:00 - 02:00: 2350 queries        13:00 - 14:00: 10725 queries
02:00 - 03:00: 2562 queries        14:00 - 15:00: 10614 queries
03:00 - 04:00: 5242 queries        15:00 - 16:00: 11117 queries
04:00 - 05:00: 1390 queries        16:00 - 17:00: 11401 queries
05:00 - 06:00: 4328 queries        17:00 - 18:00: 9641 queries
06:00 - 07:00: 3966 queries        18:00 - 19:00: 6790 queries
07:00 - 08:00: 3805 queries        19:00 - 20:00: 5866 queries
08:00 - 09:00: 4237 queries        20:00 - 21:00: 5658 queries
09:00 - 10:00: 6497 queries        21:00 - 22:00: 5744 queries
10:00 - 11:00: 10536 queries       22:00 - 23:00: 3254 queries
11:00 - 12:00: 9227 queries        23:00 - 24:00: 3688 queries
 
$ 
-nl (Not Local) to exclude stats from localhost (or whatever is defined as such in the
 "third option"). Cunningly, this WON'T affect the "Top 5 queries from 127.0.0.1" report
 if -sd is specified and 127.0.0.1 is in your list of interesting networks (the "second option")...
-sr (Split Results) to show a breakdown of results in terms of
who requested them: define the IP networks you want in the second option, as mentioned above.
So for example,
$ naquela -nd -sr
------------------------------------
Number of Queries from Each Network:
------------------------------------
127.0.0.1          80242 queries
192.168.128.*   33448 queries
192.168.122.*   21876 queries
Others:              39329 queries
$
-dr (Domain Report) to turn on the "Top 10 domain" report.
-sd (Split Domain (report)) to get a "Top 5 domain" report
 for each of the networks defined in the second option.
-qt (Query Type) to get the different queries (A, MX, PTR, etc, etc).
-sa (Show Average) to show the first and last log times, and
 hence the average queries/hour served.
So for instance (if it's a little after 6:30pm on 7th July 2002),
$ naquela -ds0 -sa
----------------------
Results for each date:
----------------------
07/Jul/2002 has 3166 entries
----------------
Average queries:
----------------
First Log entry:        07/Jul/2002, 00:00:37
Final Log entry:        07/Jul/2002, 18:30:01
Average load:           171 queries/hour
$
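As an added example (it is not Naquela's own code, nor anything from this page), here is a small Python analyser that produces the reports shown so far from a BIND query log: the per-date counts, the -ht hourly totals, the -sr per-network split and the -sa average load. The line shape it parses is an assumption (BIND 9 style lines as written by the Section 1 channel with print-time and print-category on); the sample log, the NETWORKS list (the "second option") and every function name are constructed for this example.

```python
import re
from collections import Counter, OrderedDict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed sample of a BIND 9 style query log, i.e. what the "queries" channel
# from Section 1 writes with print-time and print-category switched on. The exact
# line shape is an assumption: adjust LINE_RE if your BIND version logs differently.
SAMPLE_LOG = """\
20-Jun-2002 00:15:02.123 queries: client 127.0.0.1#1027: query: mail.example.org IN MX
20-Jun-2002 09:40:11.004 queries: client 192.168.128.17#1030: query: www.example.com IN A
20-Jun-2002 09:55:49.781 queries: client 192.168.122.9#1031: query: 9.122.168.192.in-addr.arpa IN PTR
20-Jun-2002 13:02:00.000 queries: client 10.9.8.7#53000: query: ns1.example.net IN A
21-Jun-2002 09:01:30.500 queries: client 192.168.128.40#1033: query: www.example.com IN A
21-Jun-2002 13:30:00.250 queries: client 127.0.0.1#1034: query: example.org IN MX
this line is not a query log entry at all
21-Jun-2002 18:30:01.999 queries: client 192.168.122.200#1040: query: intranet.example.com IN A
"""

# The "second option": networks you find interesting, in the order they are reported.
NETWORKS = [
    ("127.0.0.1", ip_network("127.0.0.1/32")),
    ("192.168.128.*", ip_network("192.168.128.0/24")),
    ("192.168.122.*", ip_network("192.168.122.0/24")),
]

LINE_RE = re.compile(
    r"^(?P<stamp>\d{2}-[A-Z][a-z]{2}-\d{4} \d{2}:\d{2}:\d{2})(?:\.\d+)? "
    r"queries: client (?P<ip>[0-9A-Fa-f.:]+)#\d+: "
    r"query: (?P<name>\S+) IN (?P<qtype>[A-Z0-9]+)"
)

def parse_log(text):
    """Split the log into parsed records and the lines that do not fit the expected
    shape (the kind of thing -pc would print). A record holds ts, ip, name, qtype."""
    records, corrupt = [], []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            corrupt.append(line)
            continue
        try:
            ip = ip_address(m.group("ip"))
        except ValueError:          # passed the regex but is not a real address
            corrupt.append(line)
            continue
        records.append({
            "ts": datetime.strptime(m.group("stamp"), "%d-%b-%Y %H:%M:%S"),
            "ip": ip, "name": m.group("name"), "qtype": m.group("qtype"),
        })
    return records, corrupt

def per_date_counts(records):
    """Queries per date, keyed dd/Mon/yyyy as in the 'Results for each date' report."""
    counts = Counter()
    for r in sorted(records, key=lambda r: r["ts"]):
        counts[r["ts"].strftime("%d/%b/%Y")] += 1
    return dict(counts)

def hourly_totals(records):
    """-ht: 24 buckets; bucket h counts queries between h:00 and h+1:00 over all dates."""
    buckets = [0] * 24
    for r in records:
        buckets[r["ts"].hour] += 1
    return buckets

def network_split(records, networks=NETWORKS):
    """-sr: queries per configured network, first match wins; the rest are Others."""
    counts = OrderedDict((label, 0) for label, _ in networks)
    counts["Others"] = 0
    for r in records:
        for label, net in networks:
            if r["ip"] in net:
                counts[label] += 1
                break
        else:
            counts["Others"] += 1
    return counts

def average_load(records):
    """-sa: (first entry, last entry, queries/hour), i.e. the total divided by the
    number of hours between the first and the last entry."""
    if not records:
        return None
    times = sorted(r["ts"] for r in records)
    hours = (times[-1] - times[0]).total_seconds() / 3600
    rate = len(records) if hours == 0 else round(len(records) / hours)  # one entry: no span
    return times[0], times[-1], rate

def main():
    records, corrupt = parse_log(SAMPLE_LOG)
    for date, n in per_date_counts(records).items():
        print(f"{date} has {n} entries")
    for h, n in enumerate(hourly_totals(records)):
        if n:
            print(f"{h:02d}:00 - {h + 1:02d}:00: {n} queries")
    for label, n in network_split(records).items():
        print(f"{label:<16}{n} queries")
    first, last, rate = average_load(records)
    print(f"First Log entry: {first:%d/%b/%Y, %H:%M:%S}")
    print(f"Final Log entry: {last:%d/%b/%Y, %H:%M:%S}")
    print(f"Average load:    {rate} queries/hour")
    for line in corrupt:
        print("corrupt:", line)

if __name__ == "__main__":
    main()
```

Anything that does not match LINE_RE (or carries an address that is not really one) is kept aside rather than silently dropped, which is the view a defender wants of a log file that may contain junk. The average is computed the same way the page's sample implies: 3166 entries between 00:00:37 and 18:30:01 is about 18.5 hours, which gives the 171 queries/hour shown.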
                
          
-m/your_regex_here/ to ignore lines from the log that
 match your regex (case insensitive). It's likely you'll have to put
 single quotes round this option to stop the shell trying to do things
 with meaningful characters such as * or |.
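An added example (not the script's own code) of the two exclusions, -nl and -m, applied to raw log lines before anything is counted. The sample lines, LOCALHOST (standing in for the "third option") and filter_lines are constructed for this example and assume BIND 9 style query log lines.

```python
import re

# Constructed sample lines in the assumed BIND 9 style query log shape.
SAMPLE_LINES = [
    "07-Jul-2002 10:00:01.000 queries: client 127.0.0.1#1027: query: mail.example.org IN MX",
    "07-Jul-2002 10:00:02.000 queries: client 192.168.128.17#1030: query: www.example.com IN A",
    "07-Jul-2002 10:00:03.000 queries: client 192.168.122.9#1031: query: 9.122.168.192.in-addr.arpa IN PTR",
    "07-Jul-2002 10:00:04.000 queries: client 192.168.128.18#1032: query: WWW.EXAMPLE.COM IN A",
]

LOCALHOST = "127.0.0.1"   # the "third option"

def filter_lines(lines, exclude_regex=None, not_local=False, localhost=LOCALHOST):
    """Drop lines before any counting: -nl removes the localhost client, -m removes
    every line the regex matches (case-insensitive, searched over the whole line, so
    a pattern can hit the client address, the queried name or the query type alike)."""
    pattern = re.compile(exclude_regex, re.IGNORECASE) if exclude_regex else None
    local_marker = f"client {localhost}#"   # the '#' stops 127.0.0.1 also matching 127.0.0.10
    kept = []
    for line in lines:
        if not_local and local_marker in line:
            continue
        if pattern is not None and pattern.search(line):
            continue
        kept.append(line)
    return kept

if __name__ == "__main__":
    for line in filter_lines(SAMPLE_LINES, exclude_regex=r"in-addr\.arpa", not_local=True):
        print(line)
```

Because the regex is searched over the whole line, a pattern like 192\.168\.122\. quietly excludes a client network rather than a domain, and a bare example.com would also drop a client named example.com.internal; anchor the pattern on the query: field if that is not what you want.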
 
          
-bm (Batch Mode) if you want to put a date before each output, and
 turn off that final "Run Finished" message. This is so that if you want
 to run the analyser over a specified set of dates (say a week) with the
 aid of a script, e.g.

#!/bin/sh
# Run the analyser once per day for 24-30 June 2002, appending each day's
# query-type report (preceded by its date, thanks to -bm) to one file.
i=24
while [ $i -le 30 ]
do
    ./stats.pl -nd -ds${i}062002 -df${i}062002 -qt -bm >> statsfile.txt
    i=`expr $i + 1`
done

 you can collate all the query types for each day of the week in a single file,
 with the date before each list, and no annoying "Run finished" after each list.
 You could also, say, have -ds01${i}2002 -df31${i}2002 to give a total for
 each month (say 01 <= $i <= 12). Don't worry that some months have fewer than
 31 days in them. However, worry that single-figure months *need* that leading "0".
 
-pc (Print Corrupt) to print out lines that the program doesn't
 like: only really for debugging, but can also be useful to spot attacks.