FAQ: Resolving IP Numbers

When I look at the top hosts and top domains, all I see are numbers (IP addresses). How do I get the domain information?

Short Answer

Turn on reverse DNS lookup in the Network options (or in your web server), or use Sawmill's "look up IP numbers using DNS" feature.

Long Answer

Your web server is tracking the IP numbers of visitors, but not their hostnames or domains. If you need hostname or domain information, you need to tell Sawmill (or your web server) to look up the IP addresses using DNS (domain name service). One way to do this is to turn on DNS lookup in your web server; that will slow down your server, but then Sawmill will report hostnames and domains without any performance penalty during log data processing.

If you're not willing to take the performance hit on your server, or if you want to analyze log data that has already been generated with IP addresses, you can turn on Sawmill's reverse DNS feature like this:

  1. Log in to Sawmill.

  2. Click "Config Options" for the profile you want to modify.

  3. Click "DNS Lookup, Support & Action Email" in the menu.

  4. Check the box labeled "Look up IP numbers using domain nameserver (DNS)".

  5. Enter the hostnames or IP addresses of one or two DNS servers in the DNS server fields. You can get this information from your network administrator, or your ISP.

  6. Click "Save Changes".

  7. Rebuild the database (e.g. choose "Build Database" from the menu at the top).

Processing log data will be slower with reverse DNS turned on, but you will get full hostname and domain information.

If you have problems getting the DNS feature to resolve IP addresses, see Problems With DNS Lookup.

A third option is to use a separate DNS resolving program to resolve the IP addresses in your log files after the server is done writing them, and before Sawmill analyzes them. Examples include logresolve, which is included with the popular Apache web server, and DNSTran, which runs on several platforms including Macintosh, Linux, Solaris, and IRIX.

If you're using UNIX or MacOS X, another good option is adns, an asynchronous DNS lookup library that includes some command-line tools for looking up IP addresses, including adnslogres (for Common Access format and Apache Combined format files) and adnsresfilter (for other types of log files). For instance, you can use the command "adnsresfilter < /path/to/my/log.file" as your log source command to use adns. adns is faster than logresolve, but more difficult to configure initially.

You can plug any command-line DNS resolver directly into Sawmill by using a command log source, and entering a UNIX command that resolves the IPs in the log file and dumps the resolved log data to the standard output stream, in this case:

  logresolve < /path/to/my/log.file

Once you've done that, Sawmill will automatically run logresolve when you process your log data, and it will resolve the data before feeding it to Sawmill.
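
A command log source accepts any filter that reads a log on standard input and writes resolved lines to standard output. The Python filter below is an added example, not code from Sawmill, Apache or adns: it replaces the leading IP address of each line with its hostname and looks up each distinct IP only once. It goes one step beyond the tools named above by keeping the IP whenever the reverse (PTR) name does not resolve forward to the same address or contains unexpected characters. The script name in the usage comment is an assumption.

```python
#!/usr/bin/env python3
# Added example: reverse DNS filter for access logs (stdin -> stdout).
# Hypothetical usage as a command log source:
#   python3 resolve_filter.py < /path/to/my/log.file
import ipaddress
import re
import socket
import sys

SAFE_NAME = re.compile(r"^[A-Za-z0-9]([A-Za-z0-9.-]{0,251}[A-Za-z0-9])?$")

def dns_lookup(ip):
    """PTR lookup, accepted only if the name resolves forward to the same IP."""
    try:
        name = socket.gethostbyaddr(ip)[0]
        forward = {ipaddress.ip_address(ai[4][0].split("%")[0])
                   for ai in socket.getaddrinfo(name, None)}
    except (OSError, ValueError):
        return None                      # no PTR record, or lookup failed
    return name if ipaddress.ip_address(ip) in forward else None

def resolve_line(line, lookup, cache):
    """Replace the leading IP field with a hostname; otherwise return line as is."""
    first, sep, rest = line.partition(" ")
    try:
        ipaddress.ip_address(first)
    except ValueError:
        return line                      # first field is not an IP address
    if first not in cache:
        name = lookup(first)
        # PTR data is set by whoever controls the reverse zone: keep only
        # plain hostname characters so a crafted name cannot alter the log line.
        cache[first] = name.lower() if name and SAFE_NAME.match(name) else first
    return cache[first] + sep + rest

def resolve_stream(lines, lookup=dns_lookup):
    """Yield resolved lines, doing one lookup per distinct IP address."""
    cache = {}
    for line in lines:
        yield resolve_line(line, lookup, cache)

if __name__ == "__main__":
    sys.stdout.writelines(resolve_stream(sys.stdin))
```

Unresolved and rejected addresses stay as IP numbers in the output, so those visitors still appear in the report under their IP.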