diff --git a/README.md b/README.md index 4f73725e1e8ac0c83dfdd5666b4534aaff908f2c..af9ee33314af8c8305e7280d67ae1428f16a57d0 100644 --- a/README.md +++ b/README.md @@ -29,6 +29,14 @@ The result will look like this: ### LOGSTASH HOST 1. copy "/conf.d/20-dns-syslog.conf" to your logstash folder (usually /etc/logstash/) +1.1 if you have other files in this folder make sure to properly edit the input/output/filter sections to avoid matching our filebeat dns logs in these files which may be processed earlier. For testing purposes you can name your conf files like so: + +/conf.d/20-dns-syslog.conf +/conf.d/30-other1.conf +/conf.d/40-other2.conf + +This makes sure that /conf.d/20-dns-syslog.conf is beeing processed at the beginning. + 2. customize "ELASTICSEARCHHOST:PORT" in the output section at the bottom of the file 3. copy "dns" to "/etc/logstash/patterns/" 4. restart logstash @@ -38,13 +46,21 @@ The result will look like this: 6. customize "LOGSTASHHOST:5141" to match your logstash hostname/ip 7. restart filebeat 9. copy 99-pihole-log-facility.conf to /etc/dnsmasq.d/ -11. restart pi-hole and ensure filebeat is sending logs to logstash before continuing +11. this is very important: restart pi-hole and ensure filebeat is sending logs to logstash before proceeding +11.1 You can verify this by: +11.2 at your filebeat instance: "filebeat test output" - it should say "ok" on every step. +12. again: the following steps will not work correctly if sending data to logstash here is not successfull! ### KIBANA HOST (CAN BE THE SAME AS LOGSTASH AND ELASTICSEARCH) 12. import suitable "json/elk-hole *.json" for your version into kibana: management - saved objects - import 13. delete any existing template matching our index name: DELETE /_template/logstash-syslog-dns* 14. import the template: paste the content of "logstash-syslog-dns-index.template_ELK7.x.json" into kibanas dev tools console -15. optionally reload kibanas field list +14.1 click the green triangle in the upper right of the pasted content (first line). Output should be: +{ + "acknowledged" : true +} +15. optionally reload kibanas field list via: Management -> Index patterns -> type logstash-syslog-dns* +15. click the curved arrows on the top left You should then be able to see your new dashboard and visualizations.