This is a little page, just to get you going with Naquela...

There are two sections:
  1. How to set up logging in named
  2. Command line options in naquela

Section 1. Setting up logging

In your 'named.conf' file, put the following:

      logging {
           channel queries {
                file "/var/log/named_queries.log";
                print-time yes;
                print-category yes;
           };
           category queries { queries; };
      };

This sets up a "channel" (i.e. a place to log to), and then puts the logging category "queries" into it.

Section 2. How to use Naquela

Naquela has many command line options, and more are being added all the time. Here I shall list the options, along with sample output from each one.

Before you start using naquela, you must configure three options within the script.

Here are the command-line flags, with examples of output where appropriate...

-h or --help to print out a summary of commands.

Left to its own devices (i.e. with no options set), naquela will print out results like this:

$ naquela

Results for each date:

20/Jun/2002 has 8971 entries
21/Jun/2002 has 10275 entries
22/Jun/2002 has 8754 entries


You can restrict the dates on which naquela reports with these commands:

-ds (Date Start) followed (WITHOUT WHITESPACE) by ddmmyyyy for a date to start the stats from (you can also use -1 for yesterday or 0 for today, or indeed just leave blank for "since the log started").

-df (Date Finish) works in the same way as the start date, except that leaving it blank means "up to and including today".

For instance,

$ naquela -ds01072002 -df-1

will give you results from 1st July 2002 until (and including) yesterday.

There are many things to add/exclude to/from the report:

-ht (Hourly Total) to turn on the report which shows which times of day are busiest (it sums the requests for each hour over the date range).

-hd (Hours (for each) Date) to turn on the report which gives the hourly usage after each date (can be quite a long list!).

-nd if you don't want the "dd/mm/yyyy has 5253 entries" line shown. Useful if you're doing the analysis over a long period of time.

So for instance,

$ naquela -nd -ht

Hourly Totals:

00:00 - 01:00: 2733 queries     12:00 - 13:00: 11633 queries
01:00 - 02:00: 2350 queries     13:00 - 14:00: 10725 queries
02:00 - 03:00: 2562 queries     14:00 - 15:00: 10614 queries
03:00 - 04:00: 5242 queries     15:00 - 16:00: 11117 queries
04:00 - 05:00: 1390 queries     16:00 - 17:00: 11401 queries
05:00 - 06:00: 4328 queries     17:00 - 18:00: 9641 queries
06:00 - 07:00: 3966 queries     18:00 - 19:00: 6790 queries
07:00 - 08:00: 3805 queries     19:00 - 20:00: 5866 queries
08:00 - 09:00: 4237 queries     20:00 - 21:00: 5658 queries
09:00 - 10:00: 6497 queries     21:00 - 22:00: 5744 queries
10:00 - 11:00: 10536 queries    22:00 - 23:00: 3254 queries
11:00 - 12:00: 9227 queries     23:00 - 24:00: 3688 queries


-nl (Not Local) to exclude stats from localhost (or whatever is defined as such in the "third option"). Cunningly, this WON'T affect the "Top 5 queries from" report if -sd is specified and localhost is in your "list of interesting domains" (the "second option")...

-sr (Split Results) to show a breakdown of results in terms of who requested them: define the IP networks you want in the second option, as mentioned above.

So for example,

$ naquela -nd -sr

Number of Queries from Each Network:
------------------------------------     80242 queries
192.168.128.* 33448 queries
192.168.122.* 21876 queries
Others:       39329 queries


-dr (Domain Report) to turn on the "Top 10 domain" report

-sd (Split Domain (report)) to get a "Top 5 domain" report for each of the networks defined in the second option.

-qt (Query Type) to get a count of the different query types (A, MX, PTR, etc.).

-sa (Show Average) to show the first and last log times, and hence the average queries/hour served.

So for instance (if it's a little after 6:30pm on 7th July 2002),

$ naquela -ds0 -sa

Results for each date:

07/Jul/2002 has 3166 entries

Average queries:

First Log entry: 07/Jul/2002, 00:00:37
Final Log entry: 07/Jul/2002, 18:30:01
Average load: 171 queries/hour


-m/your_regex_here/ to ignore lines from the log that match your regex (case insensitive). It's likely you'll have to put single quotes round this option to stop the shell trying to do things with meaningful characters such as * or |.

-bm (Batch Mode) if you want to put a date before each output, and turn off that final "Run Finished" message. This is so that if you want to run the analyser over a specified set of dates (say a week) with the aid of a script, e.g.

i=1
while [ $i -le 30 ]; do
      d=`printf %02d $i`   # ddmmyyyy needs a two-digit day
      ./naquela -nd -ds${d}062002 -df${d}062002 -qt -bm >> statsfile.txt
      i=`expr $i + 1`
done

you can collate all the query types for each day of the week in a single file, with the date before each list and no annoying "Run finished" after each list. You could also, say, use -ds01${i}2002 -df31${i}2002 to give a total for each month (for 01 <= $i <= 12). Don't worry that some months have fewer than 31 days in them. However, do worry that single-figure months *need* that leading "0".

-pc (Print Corrupt) to print out lines that the program doesn't like: only really for debugging, but can also be useful to spot attacks.
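As an added illustration (this is not Naquela's own code, nor part of the original page), here is a small Python analyser that does the same kind of counting the options above describe: per-date totals, hourly totals, a per-network split, query types, a -m style regex exclusion and -pc style corrupt-line collection. The log line layout it parses is an assumed BIND 9 "queries" category line with print-time and print-category on (the exact layout varies between BIND versions), the sample log is constructed, and NETWORKS stands in for the "second option".

```python
import re
from collections import Counter
from datetime import datetime

# Assumed BIND 9 query-log line shape with print-time and print-category on;
# the real field layout differs between BIND versions, so adjust as needed.
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ queries: "
    r"client (?P<ip>[\d.]+)#\d+: query: (?P<name>\S+) IN (?P<qtype>[A-Z0-9]+)"
)

# Constructed sample log (not real traffic); one line is deliberately malformed.
SAMPLE_LOG = """\
07-Jul-2002 00:00:37.123 queries: client 192.168.128.10#1025: query: www.example.com IN A
07-Jul-2002 00:05:02.001 queries: client 192.168.122.7#2048: query: mail.example.com IN MX
07-Jul-2002 01:10:44.500 queries: client 10.0.0.9#3333: query: 10.0.0.9.in-addr.arpa IN PTR
08-Jul-2002 13:30:00.000 queries: client 192.168.128.11#1026: query: www.example.com IN A
this line is corrupt and would be reported by -pc
08-Jul-2002 13:45:12.900 queries: client 192.168.128.10#1027: query: ns.example.com IN NS
"""

NETWORKS = ["192.168.128.", "192.168.122."]   # plays the role of the "second option"

def parse_ddmmyyyy(s):
    """Turn a -ds/-df style argument (ddmmyyyy) into a date."""
    return datetime.strptime(s, "%d%m%Y").date()

def analyse(log_text, date_start=None, date_finish=None, ignore=None):
    """Return (per_date, per_hour, per_network, per_qtype, corrupt_lines)."""
    ignore_re = re.compile(ignore, re.IGNORECASE) if ignore else None
    per_date, per_hour, per_net, per_qtype, corrupt = Counter(), Counter(), Counter(), Counter(), []
    for line in log_text.splitlines():
        if ignore_re and ignore_re.search(line):
            continue                      # -m/regex/: drop matching lines (case-insensitive)
        m = LINE_RE.match(line)
        if not m:
            corrupt.append(line)          # -pc: lines the parser does not understand
            continue
        ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
        day = ts.date()
        if (date_start and day < date_start) or (date_finish and day > date_finish):
            continue                      # -ds / -df window, inclusive at both ends
        per_date[day.strftime("%d/%b/%Y")] += 1          # "dd/Mon/yyyy has N entries"
        per_hour[ts.hour] += 1                            # -ht hourly totals
        net = next((n + "*" for n in NETWORKS if m["ip"].startswith(n)), "Others")
        per_net[net] += 1                                 # -sr split by network
        per_qtype[m["qtype"]] += 1                        # -qt query types
    return per_date, per_hour, per_net, per_qtype, corrupt
```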