uiDivStats - WebUI for Diversion statistics

Adding my voice for the feature. I use my mobile to access the GUI a lot and I’ve ended up stuck many many times. Would love the ability to disable the graph zoom. (I can’t be the only one using a mobile to access the page can I?) :D

No, you’re not the only one using a mobile, and mine’s a small iPhoneSE. And I’m still looking for that button on it!
 
View attachment 21757
what's this? dnsmasq logs but in sqlite?

Couple ideas. I have been playing around with diversion again since I want to get prepared to try your new uiDivStats once ready.

1. Perhaps you can redirect the logs to /tmp to avoid wearing out the USB stick. When I have DNS forced redirection for all my clients, I am generating ~17MB per 2 hours. Crazy I know, but this is what happens with a house full of IoT (especially Google Homes, they constantly constantly do DNS lookups).

2. You can avoid a DB increase by collapsing multiple records into 1 row. For example, I don't think you use the timestamp, so if the IP and lookup matches, you should be able to use SQL to update a counter. This way 100K requests from 1 device end up as 1 row but with a column showing 100K. Now, depending on what reporting cycle you want you can flush the DB after you reset. i.e. if you want to reset every Thursday at 2AM, you know all the current records are from last Thursday to today, so your weekly report still works. This is essentially what diversion does by flushing the DNSmasq logs.


Looking forward to seeing it. If you want a beta tester, let me know, I will see what I can do.

I am thinking if the same can be done for unbound. You see, there is a config in unbound to only output to the logs the local-actions, which makes the NX-domain items (and errors) only write out to disk. Unbound doesn't seem to have async log writing, so this would impact the lookups, but only for blocked domains. With syslog-ng it seems this is also mitigated with memory caching. Was thinking of seeing if your solution would work, perhaps if I could output to the same tables then your reports could also work for adblock on unbound as well.
 
Logs already write to /opt/var/log if using Diversion - which is on the USB storage. My current sqlite experimental approach also writes to /opt/share, ergo USB.

Timestamp is needed, e.g. show me number of queries over last 24 hours, last 7 days. It is trivial to delete records older than 7 days using a separate cron job, perhaps hourly. This is a change in that the time period is a rolling 7 day window, for example.

Size isn't so much of a problem, since Skynet recommends at least 1GB in swap - most USB storage devices are likely 4GB and above :)
 
My first idea was if dnsmasq was writing logs to /tmp (tmpfs in memory) and you tail the log and place into SQLite (which can be on USB, as it should collapse smaller), then if you flush the logs hourly it will really reduce disk wear.

That being said, as a user you would need to turn off diversion's weekly stats email, since the dnsmasq logs would not survive long enough for that feature, but your sqlite would be able to reproduce all you need for stats.

You need the date perhaps, but not the full timestamp (minute/hour/seconds), so perhaps collapse this down to:
<day><requesting IP><requested site><response><count>

The DB will greatly slow down in growth, and your stats are still useful.

Either way, even if you don't think this makes sense, thank you. Would you perhaps add a feature to flush the logs regularly? If diversion has that feature I haven't found it. Once this is in SQLite it is much better than the raw logs :)
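
An added sketch (not code from uiDivStats or from any poster in this thread) of the two storage ideas discussed above: collapsing matching lookups into one row per day with a counter, and pruning to a rolling seven-day window. The table name, the sample log lines and the rule that an answer served from a hosts file counts as blocked are assumptions.

```python
import re
import sqlite3
from datetime import datetime

# Line shape: <Mon> <day> <time> dnsmasq[pid]: <serial> <client>/<port> <action> <name> <from|is|to> <value>
LINE = re.compile(r"^(\w{3}\s+\d+) [\d:]+ dnsmasq\[\d+\]: (\d+) ([\d.]+)/\d+ (\S+) (\S+) \S+ \S+$")
SCHEMA = """CREATE TABLE IF NOT EXISTS dns_daily (
    day TEXT, client TEXT, name TEXT, result TEXT, hits INTEGER NOT NULL,
    PRIMARY KEY (day, client, name, result))"""
UPSERT = """INSERT INTO dns_daily VALUES (?, ?, ?, ?, 1)
    ON CONFLICT(day, client, name, result) DO UPDATE SET hits = hits + 1"""
# Constructed sample log (not from the thread); the path stands in for a hosts-file blocklist
SAMPLE = """\
Feb 28 09:00:00 dnsmasq[1234]: 7 192.168.30.12/40007 query[A] old.example.net from 192.168.30.12
Feb 28 09:00:00 dnsmasq[1234]: 7 192.168.30.12/40007 reply old.example.net is 198.51.100.9
Mar  8 21:55:40 dnsmasq[1234]: 101 192.168.30.12/40101 query[A] ads.example.com from 192.168.30.12
Mar  8 21:55:40 dnsmasq[1234]: 101 192.168.30.12/40101 /constructed/blocklist ads.example.com is 0.0.0.0
Mar  8 21:55:41 dnsmasq[1234]: 102 192.168.30.12/40102 query[A] www.example.org from 192.168.30.12
Mar  8 21:55:41 dnsmasq[1234]: 102 192.168.30.12/40102 forwarded www.example.org to 192.0.2.53
Mar  8 21:55:41 dnsmasq[1234]: 102 192.168.30.12/40102 reply www.example.org is 198.51.100.7
Mar  8 21:55:42 dnsmasq[1234]: 103 192.168.30.12/40103 query[A] ads.example.com from 192.168.30.12
Mar  8 21:55:42 dnsmasq[1234]: 103 192.168.30.12/40103 /constructed/blocklist ads.example.com is 0.0.0.0
""".splitlines()

def ingest(db, lines, year):
    """Count each query once, under its first answer; syslog stamps lack a year, so pass it in."""
    db.execute(SCHEMA)
    pending = {}  # serial -> (day, client, name) awaiting an answer line
    for m in filter(None, map(LINE.match, lines)):
        stamp, serial, client, action, name = m.groups()
        if action.startswith("query["):
            day = datetime.strptime(f"{year} {stamp}", "%Y %b %d").date().isoformat()
            pending[serial] = (day, client, name)
        elif action != "forwarded" and serial in pending:
            # Assumption: an answer served from a hosts file (action is a path) is a block
            result = "blocked" if action.startswith("/") else "allowed"
            db.execute(UPSERT, (*pending.pop(serial), result))
    db.commit()

def prune(db, today, keep_days=7):
    """Rolling window: delete rows dated more than keep_days before `today` (ISO date)."""
    db.execute("DELETE FROM dns_daily WHERE day < date(?, ?)", (today, f"-{keep_days} days"))
    db.commit()

def demo():
    db = sqlite3.connect(":memory:")
    ingest(db, SAMPLE, 2020)
    prune(db, "2020-03-08")
    return db.execute("SELECT * FROM dns_daily ORDER BY name").fetchall()
```

Keeping the day in the key preserves "last 24 hours" and "last 7 days" style reports at day granularity while repeated lookups only bump `hits`.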
 
Filesize doesn't seem too bad, this is after a week's usage with 20ish devices:
upload_2020-3-8_21-55-40.png


A typical query record is:
upload_2020-3-8_21-56-19.png


A typical blocked record (for now):
upload_2020-3-8_21-56-51.png

(I say for now because "blocked" can be more intelligent, i.e. was it blocking list or blacklist blocked, etc.)

NOTE: I am tailing the dnsmasq log as configured by Diversion, as I have no intention of conflicting/overriding Diversion's built in statistics report/text file generated once a week.
 
I do understand not wanting to change the files for diversion. Good point. Maybe @thelonelycoder will want to standardize on SQLite once we see your implementation.

Thanks again. I think this is a great idea you are working on.
 
Everything in /tmp would be lost after a reboot, expected or not. This is not an option.
 
Agree, not suggesting to keep the SQLite DB in tmp. Just the dnsmasq logs. Once they are tailed and redirected into SQLite the log files are not really needed anymore. SQLite would be the system of record.

That being said, this idea may not be appealing if people are using dnsmasq logs for other items.
 
Looking forward to seeing the SQLite version.

Can you share any insights on how you are tailing the file into SQLite? Have some thoughts ;)
 
tail feeding via awk script to get just the log lines that are needed, namely query + reply (i.e. blocked or not) for now
 
Ok, cool. Thanks for sharing.

Given that scribe is available on our routers, seems syslog-ng can send things straight to sqlite for us?

https://www.syslog-ng.com/technical...on/3.25/administration-guide/48#TOPIC-1349473

The sql() driver sends messages into an SQL database. Currently the Microsoft SQL (MSSQL), MySQL, Oracle, PostgreSQL, and SQLite databases are supported.

interesting....
 
I considered that, but it was an extra layer of complexity (and I couldn't find how to chop up the log message into the relevant fields).
 
Agree, not suggesting to keep the SQLite DB in tmp. Just the dnsmasq logs. Once they are tailed and redirected into SQLite the log files are not really needed anymore. SQLite would be the system of record.

That being said, this idea may not be appealing if people are using dnsmasq logs for other items.

I for one am definitely using the dnsmasq log for some reporting. Since I couldn't find another way to watch my guest network activity I wrote a very simple little script to grep what I wanted out of dnsmasq.log. If this was available elsewhere then I guess I would not need dnsmasq.log anymore. Seems to me that Diversion would have to undergo revisions if that log were removed. I wouldn't want to ask the author to mess with that myself...

My simple guest network grepper below:

Code:
#!/bin/sh
#=======================================

# Grep dnsmasq.log for some guest network traffic history
# Writes output to stdout and a log file
# Set log-queries=extra option ON in Diversion settings
# Run from cron if desired and comment out the first command and remove the comment
# from the second command in order to skip sending the output to stdout.

# set to your guest network:
GUEST_NET="192.168.30"

# set to the path of your desired log file
LOG="/tmp/mnt/archive/logs/guest_history.log"
TIMESTAMP=$(date -R)

# escape the dots so they match literally in the grep pattern
GUEST_RE=$(printf '%s' "$GUEST_NET" | sed 's/\./\\./g')

# write a timestamped header for this run
{
    echo ""
    echo "===================== ${TIMESTAMP} ===================="
    echo ""
} >>"$LOG"

# Commands (see note in comments at top):
# the pattern matches lines ending in a two-digit guest host address (.10 to .99)
grep "${GUEST_RE}\.[0-9][0-9]\$" /opt/var/log/dnsmasq.log | awk '{print $1,$2,$3,$5,$6,$7,$8}' | tee -a "$LOG"
#grep "${GUEST_RE}\.[0-9][0-9]\$" /opt/var/log/dnsmasq.log | awk '{print $1,$2,$3,$5,$6,$7,$8}' >>"$LOG"
 
Ok, cool. Thanks for sharing.

Given that scribe is available on our routers, seems syslog-ng can send things straight to sqlite for us?

https://www.syslog-ng.com/technical...on/3.25/administration-guide/48#TOPIC-1349473

The sql() driver sends messages into an SQL database. Currently the Microsoft SQL (MSSQL), MySQL, Oracle, PostgreSQL, and SQLite databases are supported.

interesting....
If I build in the sqlite logging to uiDivStats (albeit only to start storing dns data in sqlite), would you be interested in testing/making sure it is stable?
 
Yes, for sure. My goal is to stop the needed processing of my super large dnsmasq files (currently sitting at 500MB for the week).

Thank you!

--- edit ---

In case anyone is interested, SQL is not compiled into the entware version of syslog-ng.
 
I have been changing some IPs at the DHCP Server and now the Diversion Stats didn't reflect the real data. There is a lot of data from some IPs that doesn't exist anymore.

Is there any way to restart the stats from Diversion?

Is there any way to change the client name for the IPs? I have some devices with strange names or even without names. For instance the amazon devices, they are some Echo Devices.
 

Open Diversion, then d, 7 should be what you want.
 
I've noticed recently that the time it takes for statistic generation has increased significantly. I can't pinpoint when it started because my logs don't go that far back. I swore it used to take 1-2 minutes but lately it is taking right around 10-11 minutes, and that is slowing down the router.

I tried a forced update but that didn't help. Do I need to uninstall and reinstall?

Apr 16 10:00:01 uiDivStats: Starting Diversion statistic generation...
Apr 16 10:11:02 uiDivStats: Diversion statistic generation completed successfully!

Apr 16 11:00:00 uiDivStats: Starting Diversion statistic generation...
Apr 16 11:10:25 uiDivStats: Diversion statistic generation completed successfully!
 
The size of dnsmasq.log* will cause this. A new and improved sqlite version is being worked on :)
 
