Howto properly split all logfile content based on timestamps - and realizing my own fallacy
Christian
9 minutes
Photo by Mikhail Nilov: https://www.pexels.com/photo/person-in-black-hoodie-using-a-computer-6963061/
I use a Pi-hole for DNS based AdBlocking in my home network. Additionally I installed Unbound as recursive DNS resolver on it. Meaning: I can use the RaspberryPi in my network at home as the DNS server for all my devices. This way I don't have to use the DNS-Servers of my ISP granting me some additionally privacy. Additionally I can see which DNS queries are sent by each device. Leading to surprising revelations.
However recently my internet connection was interrupted and afterwards I noticed that I couldn't access any site or services where I used a domain or hostname to connect to. And while the problem itself (dnsmasq: Maximum number of concurrent DNS queries reached (max: 150)) was fixed easily with a simple restart of the unbound service, I noticed that the /var/log/unbound/unbound.log logfile was uncompressed, unrotated and 3.3 gigabyte in size. Whoops. That happens when no logrotate job is present.
Side gig: A logrotate config for Unbound
Fixing this issue was rather easy. A short search additionally revealed that unbound-control has a log_reopen option which is a good idea to trigger after the logrotate. This way Unbound properly closes old filehandles and uses the new logfile.
root@pihole:~# cat /etc/logrotate.d/unbound
/var/log/unbound/unbound.log {
monthly
missingok
rotate 12
compress
delaycompress
notifempty
sharedscripts
create 644
postrotate
/usr/sbin/unbound-control log_reopen
endscript
}But wait, there is more
However I had it on my list to dig deeper into the dnsmasq: Maximum number of concurrent DNS queries reached (max: 150) error in order to better understand the whole construct of Pi-hole, dnsmasq and Unbound.
However, the logfile was way too big to work conveniently with it. 49.184.687 lines are just too much. Especially on a RaspberryPi with the, in comparison, limited CPU power. Now I could have just split it up after n lines using split -l number-of-lines but that is:
- Too easy and
- Did I encounter the need for a script which splits logfile lines based on a range of timestamps more often in the recent time
How to properly split a logfile - and overcomplicating stuff
Most of the unbound logfile lines will have the Unix timestamp in brackets, followed by the process name, the log level the message belongs too and the actual message.
root@pihole:~# head -n 1 /var/log/unbound/unbound.log
[1700653509] unbound[499:0] debug: module config: "subnetcache validator iterator"However some multi-line message wont follow this format:
[1700798246] unbound[1506:0] info: incoming scrubbed packet: ;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 0
;; flags: qr aa ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
chat.cdn.whatsapp.net. IN A
;; ANSWER SECTION:
chat.cdn.whatsapp.net. 60 IN A 157.240.252.61
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; MSG SIZE rcvd: 55
[1700798246] unbound[1506:0] debug: iter_handle processing q with state QUERY RESPONSE STATEThis means we need the following technical approach:
- Generate the Unix-timestamp for the first day in a month at 00:00:00 o'clock
- Alternatively formulated: The Unix-timestamp for the first second of a month
- Generate the Unix-timestamp for the last day of the month at 23:59:59 o'clock
- The last second of a month
- Find the first occurrence of the timestamp from point 1
- Find the last occurrence of the timestamp from point 2
- Use
sedto move the lines for each month into a separate logfile
I will however also show an awk command on how to filter based on the timestamps, useful for logfiles where every line is prefix with a timestamp.
Calculating with date
Luckily date is powerful and easy to use for date calculations. %s gives us the Unix timestamp. We do not need to specify hours:minutes:seconds as date automatically takes 00:00:00 for these values. Automatically giving us the first second of a day. And date also takes care of leap years and possible a lot of other nuisances when it comes to time and date calculations.
To get the last second of a month we simply take the first day of the month, add a month and subtract one second. It can't be easier.
# Unix timestamp for the first second in a month
user@host:~$ date -d "$(date +%Y/%m/01)" "+%Y/%m/%d %X - %s"
2024/11/01 00:00:00 - 1730415600
# Unix timestamp for the last second in a month
user@host:~$ date -d "$(date +%Y/%m/01) + 1 month - 1 second" "+%Y/%m/%d %X - %s"
2024/11/30 23:59:59 - 1733007599To verify the value we can use this for-loop. It will give us all the date and timestamps we need to confirm that our commands are correct.
user@host:~$ for YEAR in {2023..2024}; do for MONTH in {1..12}; do echo -n "$(date -d "$(date +$YEAR/$MONTH/01)" "+%Y/%m/%d %X - %s") "; date -d "$(date +$YEAR/$MONTH/01) + 1 month - 1 second" "+%Y/%m/%d %X - %s"; done; done
2023/01/01 00:00:00 - 1672527600 2023/01/31 23:59:59 - 1675205999
2023/02/01 00:00:00 - 1675206000 2023/02/28 23:59:59 - 1677625199
2023/03/01 00:00:00 - 1677625200 2023/03/31 23:59:59 - 1680299999
2023/04/01 00:00:00 - 1680300000 2023/04/30 23:59:59 - 1682891999
2023/05/01 00:00:00 - 1682892000 2023/05/31 23:59:59 - 1685570399
2023/06/01 00:00:00 - 1685570400 2023/06/30 23:59:59 - 1688162399
2023/07/01 00:00:00 - 1688162400 2023/07/31 23:59:59 - 1690840799
2023/08/01 00:00:00 - 1690840800 2023/08/31 23:59:59 - 1693519199
2023/09/01 00:00:00 - 1693519200 2023/09/30 23:59:59 - 1696111199
2023/10/01 00:00:00 - 1696111200 2023/10/31 23:59:59 - 1698793199
2023/11/01 00:00:00 - 1698793200 2023/11/30 23:59:59 - 1701385199
2023/12/01 00:00:00 - 1701385200 2023/12/31 23:59:59 - 1704063599
2024/01/01 00:00:00 - 1704063600 2024/01/31 23:59:59 - 1706741999
2024/02/01 00:00:00 - 1706742000 2024/02/29 23:59:59 - 1709247599
2024/03/01 00:00:00 - 1709247600 2024/03/31 23:59:59 - 1711922399
2024/04/01 00:00:00 - 1711922400 2024/04/30 23:59:59 - 1714514399
2024/05/01 00:00:00 - 1714514400 2024/05/31 23:59:59 - 1717192799
2024/06/01 00:00:00 - 1717192800 2024/06/30 23:59:59 - 1719784799
2024/07/01 00:00:00 - 1719784800 2024/07/31 23:59:59 - 1722463199
2024/08/01 00:00:00 - 1722463200 2024/08/31 23:59:59 - 1725141599
2024/09/01 00:00:00 - 1725141600 2024/09/30 23:59:59 - 1727733599
2024/10/01 00:00:00 - 1727733600 2024/10/31 23:59:59 - 1730415599
2024/11/01 00:00:00 - 1730415600 2024/11/30 23:59:59 - 1733007599
2024/12/01 00:00:00 - 1733007600 2024/12/31 23:59:59 - 1735685999To verify we can do the reverse (Unix timestamp to date) with the following command:
user@host:~$ date -d @1698793200
Wed 1 Nov 00:00:00 CET 2023Solution solely working on timestamps
As the logfile timestamp is enclosed in brackets we need to tell awk to treat either [ or ] as a field separator. Then we can use awk to check if the second field is in a given time frame. For the first test run we define the variables manually in our shell and adjust the date commands to only output the Unix timestamp.
And as the logfile starts in November 2023 I set the values accordingly. awk then conveniently puts all lines whose timestamp is between these to values into a separate logfile.
user@host:~$ YEAR=2023
user@host:~$ MONTH=11
user@host:~$ FIRST_SECOND=$(date -d "$(date +$YEAR/$MONTH/01)" "+%s")
user@host:~$ LAST_SECOND=$(date -d "$(date +$YEAR/$MONTH/01) + 1 month - 1 second" "+%s")
user@host:~$ awk -F'[\\[\\]]' -v MIN=${FIRST_SECOND} -v MAX=${LAST_SECOND} '{if($2 >= MIN && $2 =< MAX) print}' /var/log/unbound/unbound.log >> /var/log/unbound/unbound-$YEAR-$MONTH.logAnd this would already work fine, if every line would start with the timestamp. As this is not the case we need to add a bit more logic.
So the resulting script would look like this:
user@host:~$ cat date-split.sh
#!/bin/bash
# vim: set tabstop=2 smarttab shiftwidth=2 softtabstop=2 expandtab foldmethod=syntax :
# Split a logfile based on timestamps
LOGFILE="/var/log/unbound/unbound.log"
AWK="$(command -v awk)"
GZIP="$(command -v gzip)"
for YEAR in {2023..2024}; do
for MONTH in {1..12}; do
# Logfile starts November 2023 and ends November 2024 - don't grep for values before/after that time window
if [[ "$YEAR" -eq 2023 && "$MONTH" -gt 10 ]] || [[ "$YEAR" -eq 2024 && "$MONTH" -lt 12 ]]; then
# Debug
echo "$YEAR/$MONTH"
# Calculate first and last second of each month
FIRST_SECOND="$(date -d "$(date +"$YEAR"/"$MONTH"/01)" "+%s")"
LAST_SECOND="$(date -d "$(date +"$YEAR"/"$MONTH"/01) + 1 month - 1 second" "+%s")"
# Export variables so the grep in the sub-shells have this value
export FIRST_SECOND
export LAST_SECOND
# Split logfiles solely based on timestamps
awk -F'[\\[\\]]' -v MIN=${FIRST_SECOND} -v MAX=${LAST_SECOND} '{if($2 >= MIN && $2 <= MAX) print}' unbound.log >> "unbound-$YEAR-$MONTH.log"
# Creating all those separate logfiles will probably fill up our diskspace
# therefore we gzip them immediately afterwards
"$GZIP" "/var/log/unbound/unbound-$YEAR-$MONTH.log"
fi
done;
doneHowever, this script is vastly over-engineered. Why? Read on.
StackOverflow to the rescue
I still had the problem with the multi-line log messages. At first I wanted to use grep to get the matching first and last line numbers with head and tail. But uh.. Yeah, I had a fallacy here. As still wouldn't have worked with multi-line logmessages without a timestamp. Also using grep like this is highly inefficient. While it would be fine for a one-time usage script I still hit a road block.
I just wasn't able to get awk to do what I wanted and I resorted to asking my question on StackOverflow. Better to get the input from others then wasting a lot of time.
awk to the rescue
It was only through the answer that I realized that my solution was a bit over-engineered. Why use date if you can use strftime to calculate the year and month from the timestamp directly? The initial answer was:
awk '
$1 ~ /^\[[0-9]+]$/ {
f = "unbound-" strftime("%m-%Y", substr($1, 2, length($1)-2)) ".log"
if (f != prev) close(f); prev = f
}
{
print > f
}' unbound.logHow this works has been explained in detail on StackOverflow, so I just copy & paste it here.
For each line which first field is a
[timestamp](that is, matches regexp^\[[0-9]+]$), we usesubstrandlengthto extracttimestamp,strftimeto convert it to amm-YYYYstring and assign"unbound-mm-YYYY.log"to variablef. In the second block, that applies to all lines, we print the current line in filef. Note: contrary to shell redirections, inawk,print > FILEappends toFILE.
Edit: as suggested by Ed Morton closing each file when we are done with it should significantly improve the performance if the total number of files is large.if (f != prev) close(f); prev = fadded. Ed also noted that escaping the final]in the regex is useless (and undefined behavior per POSIX). Backslash removed.
And this worked flawlessly. The generated monthly logfiles from my testfile matched exactly the line-numbers per month. Even multi-line log messages and empty lines were included.
All I then did was adding gzip to compress the files directly before the next file is created. Just to prevent filling up the disk completely. Additionally I change the filename from unbound-MM-YYYY.log to unbound-YYYY-MM.log. Yes, the logfile name won't work with logrotate. But I just need it to properly dig through the files and the Year-Month naming will be of great help here. Afterwards I don't need them anymore and will delete them. So this was none of my concern.
This was my new working solution:
awk '$1 ~ /^\[[0-9]+]$/ {
f = "unbound-" strftime("%Y-%m", substr($1, 2, length($1)-2)) ".log"
if (f != prev) {
if (prev) system("gzip " prev)
close(prev)
prev = f
}
}
{
print > f
}
END {
if (prev) system("gzip " prev)
}' unbound.logNo bash script with convoluted logic needed. And easily useable for other logfiles too. Just adopt the starting regular expression to match the one the logfile uses and adopt the logic for strftime so the proper timestamp can be created.
Sometimes it's better to ask other people. 😄
