From purri at openmailbox.org Wed Jan 4 16:01:34 2017
From: purri at openmailbox.org (purri)
Date: Wed, 4 Jan 2017 19:01:34 +0300
Subject: [dnstap] Knot+Dnstap how to read log in realtime?
Message-ID: <8437bf7c-9e9b-e660-e8d1-6987ac873f87@openmailbox.org>

I tried to use knot-2.3.3 with dnstap

When I use "sink: /tmp/capture.tap" I ran into a problem that capture.tap
updates only every 4096 bytes

I also tried this command to create socket:
"fstrm_capture -t protobuf:dnstap.Dnstap -u /tmp/dnstap.sock -w /tmp/capture.tap -ddddd"
with "sink: /tmp/dnstap.sock" but here capture.tap never filled,
I restarted knotd, but it looks like it does not even connect to this sock.

From each at isc.org Wed Jan 4 17:31:24 2017
From: each at isc.org (Evan Hunt)
Date: Wed, 4 Jan 2017 17:31:24 +0000
Subject: [dnstap] Knot+Dnstap how to read log in realtime?
In-Reply-To: <8437bf7c-9e9b-e660-e8d1-6987ac873f87@openmailbox.org>
References: <8437bf7c-9e9b-e660-e8d1-6987ac873f87@openmailbox.org>
Message-ID: <20170104173124.GA8453@isc.org>

On Wed, Jan 04, 2017 at 07:01:34PM +0300, purri wrote:
> I tried to use knot-2.3.3 with dnstap
>
> When I use "sink: /tmp/capture.tap" I ran into a problem that capture.tap
> updates only every 4096 bytes
>
> I also tried this command to create socket:
> "fstrm_capture -t protobuf:dnstap.Dnstap -u /tmp/dnstap.sock -w
> /tmp/capture.tap -ddddd"
> with "sink: /tmp/dnstap.sock" but here capture.tap never filled,
> I restarted knotd, but it looks like it does not even connect to this sock.

I remember submitting a change to Robert so that a SIGHUP to
fstrm_capture would cause it to flush its output immediately. I'm
not sure whether he ever accepted the patch though.

--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.

From edmonds at mycre.ws Wed Jan 4 17:45:21 2017
From: edmonds at mycre.ws (Robert Edmonds)
Date: Wed, 4 Jan 2017 12:45:21 -0500
Subject: [dnstap] Knot+Dnstap how to read log in realtime?
In-Reply-To: <20170104173124.GA8453@isc.org>
References: <8437bf7c-9e9b-e660-e8d1-6987ac873f87@openmailbox.org>
 <20170104173124.GA8453@isc.org>
Message-ID: <20170104174521.rfy6r6u5ji5ea2ku@mycre.ws>

Evan Hunt wrote:
> I remember submitting a change to Robert so that a SIGHUP to
> fstrm_capture would cause it to flush its output immediately. I'm
> not sure whether he ever accepted the patch though.

It was added in the fstrm 0.3.0 release:

https://github.com/farsightsec/fstrm/pull/12

--
Robert Edmonds