From 01a21f6c17b71d1f427c83256f31833f0d0301b4 Mon Sep 17 00:00:00 2001
From: 9S <strrrn@gmail.com>
Date: Fri, 22 Feb 2019 10:08:12 +0100
Subject: [PATCH] Add files via upload

---
 logstash/conf.d/20-dns-syslog.conf | 177 +++++++++++++++++++++++++++++
 1 file changed, 177 insertions(+)
 create mode 100644 logstash/conf.d/20-dns-syslog.conf

diff --git a/logstash/conf.d/20-dns-syslog.conf b/logstash/conf.d/20-dns-syslog.conf
new file mode 100644
index 0000000..372e64c
--- /dev/null
+++ b/logstash/conf.d/20-dns-syslog.conf
@@ -0,0 +1,177 @@
+input {
+       beats {
+       port => 5141
+       type => "logs"
+       tags => ["pihole","5141"]
+       }
+}
+
+filter {
+  if "pihole" in [tags]{
+    grok {
+      patterns_dir => ["/etc/logstash/patterns/"]
+      match => {
+                "message" => [
+
+# request - query type
+ "^%{DNSMASQPREFIX} query\[%{WORD:query_type}\] %{FQDN:domain_request} from %{IP:request_from}$",
+ # reponse domain to ip
+ "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is %{IP:ip_response}$",
+ # response domain is NXDOMAIN
+ "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is NXDOMAIN$",
+ # response config domain is NXDOMAIN
+ "^%{DNSMASQPREFIX} config %{FQDN:domain_request} is NXDOMAIN$",
+ # response config domain is no-DATA
+ "^%{DNSMASQPREFIX} config %{FQDN:domain_request} is NODATA-IPv[4,6]$",
+ # reponse domain to ip cname
+ "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is \<CNAME\>$",
+ # respone ip to domain
+ "^%{DNSMASQPREFIX} reply %{IP:ip_request} is %{FQDN:domain_response}$",
+ # piholed
+ "^%{DNSMASQPREFIX} \/etc\/pihole\/gravity\.list %{FQDN:blocked_domain} is %{IP:pihole}$",
+ # piholed local
+ "^%{DNSMASQPREFIX} \/etc\/pihole\/local\.list %{FQDN:blocked_domain} is %{IP:pihole}$",
+ # blacklist
+ "^%{DNSMASQPREFIX} \/etc\/pihole\/black\.list %{FQDN:blocked_domain} is %{IP:pihole}$",
+ # reverse response etc hosts ip to domain
+ "^%{DNSMASQPREFIX} \/etc\/hosts %{IP:ip_request} is %{FQDN:domain_response}$",
+ # reverse response etc hosts domain to ip
+ "^%{DNSMASQPREFIX} \/etc\/hosts %{FQDN:domain_request} is %{IP:ip_response}$",
+ # forward dns to
+ "^%{DNSMASQPREFIX} forwarded %{FQDN:domain_request} to %{IP:dns_forward_to}$",
+ # cached domain to ip
+ "^%{DNSMASQPREFIX} cached %{FQDN:domain_request} is %{IP:ip_response}$",
+ # cached ip to domain
+ "^%{DNSMASQPREFIX} cached %{IP:ip_request} is %{FQDN:domain_response}$",
+ # cached domain to ip cname
+ "^%{DNSMASQPREFIX} cached %{FQDN:domain_request} is \<CNAME\>$",
+ # cached domain is NXDOMAIN
+ "^%{DNSMASQPREFIX} cached %{FQDN:domain_request} is NXDOMAIN$",
+ # cached domain is no-DATA
+ "^%{DNSMASQPREFIX} cached %{FQDN:domain_request} is NODATA-IPv[4,6]$",
+ # domain is no-DATA
+ "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is NODATA-IPv[4,6]$",
+ # SRV
+ "^%{DNSMASQPREFIX} query\[%{WORD:query_type}\] %{HOSTNAMEPTR:request} from %{IP:request_from}$",
+ # SRV forwarded
+ "^%{DNSMASQPREFIX} forwarded %{HOSTNAMEPTR:request} to %{IP:dns_forward_to}$" 
+
+                  ]
+      }
+}
+
+# to do cached and cached reverse
+
+
+      if [request_from] {
+        mutate {
+          add_tag => [ "request and query type" ]
+        }
+      }
+      else if [ip_response] {
+        mutate {
+          add_tag => [ "response domain to ip" ]
+        }
+      }
+      else if [message] =~ "CNAME" and [message] =~ "reply" {
+        mutate {
+          add_tag => [ "response domain to ip CNAME" ]
+        }
+      }
+      else if [domain_response] and [message] =~ "reply" {
+        mutate {
+          add_tag => [ "response ip to domain" ]
+        }
+      }
+      else if [blocked_domain] {
+        mutate {
+          add_tag => [ "piholed" ]
+        }
+      }
+      else if [message] =~ "\/etc\/hosts" {
+        mutate {
+          add_tag => [ "reverse hostsfile" ]
+        }
+      }
+      else if [dns_forward_to] {
+        mutate {
+          add_tag => [ "dns forward" ]
+        }
+      }
+      else if [ip_request] and [message] =~ "cached" {
+        mutate {
+          add_tag => [ "cached ip to domain" ]
+        }
+      }
+      else if [domain_request] and [message] =~ "cached" {
+        mutate {
+          add_tag => [ "cached domain to ip" ]
+        }
+      }
+      else if [message] =~ "cached" and [message] =~ "CNAME" {
+        mutate {
+          add_tag => [ "cached domain to ip cname" ]
+        }
+      }
+      else if [message] =~ "cached" and [message] =~ "NXDOMAIN" {
+        mutate {
+          add_tag => [ "cached NXDOMAIN" ]
+        }
+      }
+      else if [NODATA-IPv4] {
+        mutate {
+          add_tag => [ "NODATA" ]
+        }
+      }
+      else if [NODATA-IPv6] {
+        mutate {
+          add_tag => [ "NODATA" ]
+        }
+      }
+
+#    geoip {
+#      source => "ip_request" target => "ip_response"
+#    }
+#    dns {
+#      add_field => { "source_host" => "source_fqdn" } nameserver => [ "localhost" ] reverse => [ "source_fqdn" ] action => "replace" add_tag => [ "dns_lookup" ]
+#    }
+
+  mutate {
+      add_field => {
+        "[source_fqdn]" => "%{source_host}"
+      }
+    }
+
+    dns {
+      reverse => ["source_fqdn"]
+      action => "replace"
+      nameserver => ["localhost"]
+      hit_cache_size => 4096
+      hit_cache_ttl => 900
+      failed_cache_size => 512
+      failed_cache_ttl => 900
+    }
+
+
+  }
+}
+
+#  else if "_grokparsefailure" in [tags] {
+#    drop { }
+#  }
+
+output {
+#  stdout { codec => rubydebug }
+
+  if "pihole" in [tags]{
+#stdout { codec => rubydebug }
+#    if [host] == "192.168.254.241" or [host] == "192.168.254.240" {
+      elasticsearch {
+            hosts => ["192.168.254.248:9200"]
+            user => "elastic"
+            password => "Service.1"
+            manage_template => false
+            index => "logstash-syslog-dns-%{+YYYY.MM}"
+  }
+ }
+}
\ No newline at end of file
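Review bot: The elasticsearch output at lines 187-188 commits a plaintext credential (`user => "elastic"`, `password => "Service.1"`) into the repository, and since this is a new-file patch the value is now part of git history and should be treated as exposed and rotated regardless of what replaces it. Logstash resolves `${VAR}` references from the environment or its keystore, so the two lines should become `user => "${ES_USER}"` / `password => "${ES_PASSWORD}"` (variable names illustrative) with the secret kept out of the config file; a dedicated low-privilege index-writing role is preferable to the built-in `elastic` superuser. The `hosts` entry on line 186 is a bare host:port with no `ssl => true`, so unless the target proxies to TLS these credentials presumably travel in the clear on every connection — worth confirming. Separately, the branches at lines 137 and 142 test fields `[NODATA-IPv4]` and `[NODATA-IPv6]` that none of the grok patterns above ever capture, so they are dead and the NODATA events fall through untagged; matching on `[message] =~ "NODATA"` would be consistent with the neighbouring `cached`/`NXDOMAIN` checks.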
-- 
GitLab