added dns heatmap

309f89c4 · nin9s · d4eaf9b5 · 309f89c4 · 309f89c4 · 309f89c4
Commit 309f89c4 authored Apr 21, 2019 by nin9s
--- a/elk-hole - dash.json
+++ b/elk-hole - dash.json
+[
+  {
+    "_id": "fb953870-339e-11e8-beb4-d7353bd14360",
+    "_type": "dashboard",
+    "_source": {
+      "title": "DNS - pihole",
+      "hits": 0,
+      "description": "",
+      "panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"x\":0,\"y\":39,\"w\":14,\"h\":14,\"i\":\"1\"},\"id\":\"27624920-3390-11e8-beb4-d7353bd14360\",\"panelIndex\":\"1\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"x\":24,\"y\":39,\"w\":12,\"h\":14,\"i\":\"2\"},\"id\":\"c60b2a70-339e-11e8-beb4-d7353bd14360\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"x\":0,\"y\":23,\"w\":20,\"h\":16,\"i\":\"3\"},\"id\":\"88d55340-338c-11e8-beb4-d7353bd14360\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"gridData\":{\"x\":20,\"y\":23,\"w\":9,\"h\":16,\"i\":\"4\"},\"id\":\"076c70c0-338e-11e8-beb4-d7353bd14360\",\"panelIndex\":\"4\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"gridData\":{\"x\":0,\"y\":0,\"w\":20,\"h\":23,\"i\":\"6\"},\"id\":\"381275b0-34bc-11e8-beb4-d7353bd14360\",\"panelIndex\":\"6\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"gridData\":{\"x\":19,\"y\":47,\"w\":5,\"h\":6,\"i\":\"7\"},\"id\":\"e7da3480-34f1-11e8-beb4-d7353bd14360\",\"panelIndex\":\"7\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"gridData\":{\"x\":14,\"y\":47,\"w\":5,\"h\":6,\"i\":\"8\"},\"id\":\"bd5cd320-34f1-11e8-beb4-d7353bd14360\",\"panelIndex\":\"8\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"gridData\":{\"x\":29,\"y\":23,\"w\":10,\"h\":16,\"i\":\"9\"},\"id\":\"8c6a0b10-34f2-11e8-beb4-d7353bd14360\",\"panelIndex\":\"9\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"x\":36,\"y\":39,\"w\":12,\"h\":14,\"i\":\"10\"},\"id\":\"91cada30-5e82-11e8-81db-f1525a738f45\",\"panelIndex\":\"10\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":14,\"y\":39,\"w\":10,\"h\":8,\"i\":\"11\"},\"id\":\"e611adc0-a203-11e8-8e9e-1d0e979ee6d4\",\"panelIndex\":\"11\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"embeddableConfig\":{},\"gridData\":{\"x\":39,\"y\":23,\"w\":9,\"h\":16,\"i\":\"12\"},\"id\":\"25c8a840-27b2-11e9-8e51-330d470c740b\",\"panelIndex\":\"12\",\"type\":\"visualization\",\"version\":\"6.5.0\"},{\"gridData\":{\"x\":20,\"y\":0,\"w\":28,\"h\":23,\"i\":\"13\"},\"version\":\"6.5.0\",\"panelIndex\":\"13\",\"type\":\"visualization\",\"id\":\"0858a2c0-643d-11e9-b607-6710a00e4c3e\",\"embeddableConfig\":{\"mapZoom\":2,\"mapCenter\":[33.43144133557529,-18.457031250000004]}}]",
+      "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}",
+      "version": 1,
+      "timeRestore": false,
+      "kibanaSavedObjectMeta": {
+        "searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[{\"$state\":{\"store\":\"globalState\"},\"exists\":{\"field\":\"ip_response\"},\"meta\":{\"alias\":null,\"disabled\":true,\"index\":\"55140490-2411-11e9-8e51-330d470c740b\",\"key\":\"ip_response\",\"negate\":false,\"type\":\"exists\",\"value\":\"exists\"}}],\"highlightAll\":true,\"version\":true}"
+      }
+    }
+  }
+]
\ No newline at end of file
--- a/elk-hole.json
+++ b/elk-hole.json
--- a/logstash/conf.d/20-dns-syslog.conf
+++ b/logstash/conf.d/20-dns-syslog.conf
@@ -6,74 +6,53 @@ input {
       }
 }

-#################################################################################
-
 filter {
  if "pihole" in [tags]{
    grok {
      patterns_dir => ["/etc/logstash/patterns/"]
-			match => { "message" => [
+      match => {
+                "message" => [
          
 # request - query type
 "^%{DNSMASQPREFIX} query\[%{WORD:query_type}\] %{FQDN:domain_request} from %{IP:request_from}$",
-				
 # reponse domain to ip
 "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is %{IP:ip_response}$",
-				
 # response domain is NXDOMAIN
 "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is NXDOMAIN$",
-				
 # response config domain is NXDOMAIN
 "^%{DNSMASQPREFIX} config %{FQDN:domain_request} is NXDOMAIN$",
-				
 # response config domain is no-DATA
 "^%{DNSMASQPREFIX} config %{FQDN:domain_request} is NODATA-IPv[4,6]$",
-				
 # reponse domain to ip cname
 "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is \<CNAME\>$",
-				
 # respone ip to domain
 "^%{DNSMASQPREFIX} reply %{IP:ip_request} is %{FQDN:domain_response}$",
-				
 # piholed
 "^%{DNSMASQPREFIX} \/etc\/pihole\/gravity\.list %{FQDN:blocked_domain} is %{IP:pihole}$",
-				
 # piholed local
 "^%{DNSMASQPREFIX} \/etc\/pihole\/local\.list %{FQDN:blocked_domain} is %{IP:pihole}$",
-				
 # blacklist
 "^%{DNSMASQPREFIX} \/etc\/pihole\/black\.list %{FQDN:blocked_domain} is %{IP:pihole}$",
-				
 # reverse response etc hosts ip to domain
 "^%{DNSMASQPREFIX} \/etc\/hosts %{IP:ip_request} is %{FQDN:domain_response}$",
-				
 # reverse response etc hosts domain to ip
 "^%{DNSMASQPREFIX} \/etc\/hosts %{FQDN:domain_request} is %{IP:ip_response}$",
-				
 # forward dns to
 "^%{DNSMASQPREFIX} forwarded %{FQDN:domain_request} to %{IP:dns_forward_to}$",
-				
 # cached domain to ip
 "^%{DNSMASQPREFIX} cached %{FQDN:domain_request} is %{IP:ip_response}$",
-				
 # cached ip to domain
 "^%{DNSMASQPREFIX} cached %{IP:ip_request} is %{FQDN:domain_response}$",
-				
 # cached domain to ip cname
 "^%{DNSMASQPREFIX} cached %{FQDN:domain_request} is \<CNAME\>$",
-				
 # cached domain is NXDOMAIN
 "^%{DNSMASQPREFIX} cached %{FQDN:domain_request} is NXDOMAIN$",
-				
 # cached domain is no-DATA
 "^%{DNSMASQPREFIX} cached %{FQDN:domain_request} is NODATA-IPv[4,6]$",
-				
 # domain is no-DATA
 "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is NODATA-IPv[4,6]$",
-				
 # SRV
 "^%{DNSMASQPREFIX} query\[%{WORD:query_type}\] %{HOSTNAMEPTR:request} from %{IP:request_from}$",
-				
 # SRV forwarded
 "^%{DNSMASQPREFIX} forwarded %{HOSTNAMEPTR:request} to %{IP:dns_forward_to}$" 

@@ -81,6 +60,8 @@ filter {
      }
 }

+# to do cached and cached reverse
+

      if [request_from] {
        mutate {
@@ -88,6 +69,9 @@ filter {
        }
      }
      else if [ip_response] {
+        geoip {
+          source => "ip_response"
+        }
        mutate {
          add_tag => [ "response domain to ip" ]
        }
@@ -168,13 +152,12 @@ filter {
  }
 }

-#################################################################################
-
 output {
  if "pihole" in [tags]{
      elasticsearch {
-			# ELASTICSEARCHHOST:PORT - CHANGE TO MATCH YOUR ELASTICSEARCH IP ADDRESS
-            hosts => ["127.0.0.1:9200"]
+            hosts => ["192.168.254.248:9200"]
+            user => "elastic"
+            password => "Service.1"
            manage_template => false
            index => "logstash-syslog-dns-%{+YYYY.MM}"
  }