    input {
      # Beats listener for the Pi-hole dnsmasq log shipped by a Beats agent.
      # The tags route every event from this port through the "pihole"
      # branches of the filter and output sections below.
      # NOTE(review): this is a plain TCP listener — no TLS and no client
      # authentication. The beats input supports ssl / ssl_certificate /
      # ssl_key; confirm whether the shipper and this collector share a
      # trusted segment before relying on the cleartext transport.
      beats {
        type => "logs"
        port => 5141
        tags => ["pihole", "5141"]
      }
    }
    
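    filter {

      # Syslog timestamps carry no year and pad single-digit days with a
      # second space ("Jan  5 12:00:00"); both spacings are listed so
      # neither form ends up with _dateparsefailure. The "date" field is
      # expected to be produced by the custom DNSMASQPREFIX pattern in
      # patterns_dir (not visible here) — confirm it is populated.
      date {
        match => [ "date", "MMM  d HH:mm:ss", "MMM d HH:mm:ss" ]
      }

      if "pihole" in [tags] {

        # One pattern per dnsmasq log line shape. Patterns are tried in
        # order and the first match wins. NODATA answers are written by
        # dnsmasq as "NODATA-IPv4" / "NODATA-IPv6", so the character class
        # is [46]; the earlier "[4,6]" form also accepted a literal comma.
        grok {
          patterns_dir => ["/etc/logstash/patterns/"]
          match => {
            "message" => [

              # request - query type
              "^%{DNSMASQPREFIX} query\[%{WORD:query_type}\] %{FQDN:domain_request} from %{IP:request_from}$",
              # response domain to ip
              "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is %{IP:ip_response}$",
              # response domain is NXDOMAIN
              "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is NXDOMAIN$",
              # response config domain is NXDOMAIN
              "^%{DNSMASQPREFIX} config %{FQDN:domain_request} is NXDOMAIN$",
              # response config domain is no-DATA
              "^%{DNSMASQPREFIX} config %{FQDN:domain_request} is NODATA-IPv[46]$",
              # response domain to ip cname
              "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is \<CNAME\>$",
              # response ip to domain
              "^%{DNSMASQPREFIX} reply %{IP:ip_request} is %{FQDN:domain_response}$",
              # piholed (gravity list)
              "^%{DNSMASQPREFIX} \/etc\/pihole\/gravity\.list %{FQDN:blocked_domain} is %{IP:pihole}$",
              # piholed local
              "^%{DNSMASQPREFIX} \/etc\/pihole\/local\.list %{FQDN:blocked_domain} is %{IP:pihole}$",
              # blacklist
              "^%{DNSMASQPREFIX} \/etc\/pihole\/black\.list %{FQDN:blocked_domain} is %{IP:pihole}$",
              # reverse response etc hosts ip to domain
              "^%{DNSMASQPREFIX} \/etc\/hosts %{IP:ip_request} is %{FQDN:domain_response}$",
              # reverse response etc hosts domain to ip
              "^%{DNSMASQPREFIX} \/etc\/hosts %{FQDN:domain_request} is %{IP:ip_response}$",
              # forward dns to
              "^%{DNSMASQPREFIX} forwarded %{FQDN:domain_request} to %{IP:dns_forward_to}$",
              # cached domain to ip
              "^%{DNSMASQPREFIX} cached %{FQDN:domain_request} is %{IP:ip_response}$",
              # cached ip to domain
              "^%{DNSMASQPREFIX} cached %{IP:ip_request} is %{FQDN:domain_response}$",
              # cached domain to ip cname
              "^%{DNSMASQPREFIX} cached %{FQDN:domain_request} is \<CNAME\>$",
              # cached domain is NXDOMAIN
              "^%{DNSMASQPREFIX} cached %{FQDN:domain_request} is NXDOMAIN$",
              # cached domain is no-DATA
              "^%{DNSMASQPREFIX} cached %{FQDN:domain_request} is NODATA-IPv[46]$",
              # domain is no-DATA
              "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is NODATA-IPv[46]$",
              # SRV
              "^%{DNSMASQPREFIX} query\[%{WORD:query_type}\] %{HOSTNAMEPTR:request} from %{IP:request_from}$",
              # SRV forwarded
              "^%{DNSMASQPREFIX} forwarded %{HOSTNAMEPTR:request} to %{IP:dns_forward_to}$"

            ]
          }
        }

        # GeoIP enrichment for every answer that resolved to an address,
        # whether it came from upstream, the cache or /etc/hosts. Kept
        # separate from the tagging chain so the tag chosen below does not
        # decide whether enrichment happens. Private addresses simply fail
        # the lookup and are tagged by the geoip filter.
        if [ip_response] {
          geoip {
            source => "ip_response"
          }
        }

        # Classification tags, most specific line shape first, so a generic
        # field test (domain_request / ip_response) cannot shadow a cached
        # CNAME, a cached NXDOMAIN or an /etc/hosts answer. The dnsmasq
        # verb is matched with its surrounding spaces (" cached ", " reply ")
        # so a queried name that merely contains the word is not misfiled.
        if [request_from] {
          mutate { add_tag => [ "request and query type" ] }
        }
        else if [blocked_domain] {
          mutate { add_tag => [ "piholed" ] }
        }
        else if [message] =~ "\/etc\/hosts" {
          mutate { add_tag => [ "reverse hostsfile" ] }
        }
        else if [dns_forward_to] {
          mutate { add_tag => [ "dns forward" ] }
        }
        else if [message] =~ "NODATA-IPv" {
          # Covers the reply, config and cached NODATA forms; the grok
          # patterns do not create a NODATA-IPv4/6 field, so the message
          # text is the only reliable signal.
          mutate { add_tag => [ "NODATA" ] }
        }
        else if [message] =~ " cached " {
          if [message] =~ "CNAME" {
            mutate { add_tag => [ "cached domain to ip cname" ] }
          }
          else if [message] =~ "NXDOMAIN" {
            mutate { add_tag => [ "cached NXDOMAIN" ] }
          }
          else if [ip_request] {
            mutate { add_tag => [ "cached ip to domain" ] }
          }
          else if [domain_request] {
            mutate { add_tag => [ "cached domain to ip" ] }
          }
        }
        else if [message] =~ "NXDOMAIN" {
          # Non-cached negative answers ("reply ... is NXDOMAIN" and
          # "config ... is NXDOMAIN").
          mutate { add_tag => [ "NXDOMAIN" ] }
        }
        else if [message] =~ "CNAME" and [message] =~ " reply " {
          mutate { add_tag => [ "response domain to ip CNAME" ] }
        }
        else if [domain_response] and [message] =~ " reply " {
          mutate { add_tag => [ "response ip to domain" ] }
        }
        else if [ip_response] {
          mutate { add_tag => [ "response domain to ip" ] }
        }

        # Reverse-resolve the syslog source into a hostname. Assumes the
        # DNSMASQPREFIX pattern (patterns_dir, not shown) extracts
        # source_host; if it does not, sprintf leaves the literal
        # "%{source_host}" in source_fqdn and the lookup below fails —
        # confirm against the pattern file.
        mutate {
          add_field => {
            "[source_fqdn]" => "%{source_host}"
          }
        }

        # Lookups go to the local resolver; hits and misses are cached for
        # 15 minutes to avoid a DNS round trip per event.
        dns {
          reverse => ["source_fqdn"]
          action => "replace"
          nameserver => ["localhost"]
          hit_cache_size => 4096
          hit_cache_ttl => 900
          failed_cache_size => 512
          failed_cache_ttl => 900
        }

      }
    }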
    
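    output {
      if "pihole" in [tags] {
        elasticsearch {
          hosts => ["192.168.254.248:9200"]
          # Credentials come from the Logstash keystore (or the environment)
          # via ${VAR} substitution instead of being committed with the
          # pipeline. Create the ES_USER / ES_PASSWORD keystore entries
          # before deploying; Logstash refuses to start if they are
          # undefined, which is preferable to a silent fallback. The
          # literal password previously committed here was in version
          # control and should be rotated, and the account used should be
          # a write-only indexing role rather than the built-in superuser.
          user => "${ES_USER}"
          password => "${ES_PASSWORD}"
          # NOTE(review): hosts carries no scheme and ssl is not enabled,
          # so credentials and log data travel over plain HTTP unless the
          # cluster enforces TLS — confirm, and set ssl / cacert if needed.
          manage_template => false
          index => "logstash-syslog-dns-%{+YYYY.MM}"
        }
      }
    }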