diff --git a/logstash/conf.d/20-dns-syslog.conf b/logstash/conf.d/20-dns-syslog.conf
index e45a65e78c59053d72573ef14d96fe96b08a29c4..3d92af056b5d0ee30ec1e2dd0c58e8b8916aaf53 100644
--- a/logstash/conf.d/20-dns-syslog.conf
+++ b/logstash/conf.d/20-dns-syslog.conf
@@ -73,6 +73,17 @@ filter {
 # to do cached and cached reverse
+ else if [NODATA-IPv4] {
+ mutate {
+ add_tag => [ "NODATA" ]
+ }
+ }
+
+ else if [NODATA-IPv6] {
+ mutate {
+ add_tag => [ "NODATA" ]
+ }
+ }
 if [request_from] and [message] =~ "query" {
 mutate {
@@ -131,15 +142,13 @@ filter {
 }
 }
-
-
- else if [message] =~ "cached" and [message] =~ "CNAME" {
+ else if [domain_request] and [message] =~ "cached" and [message] =~ "CNAME" {
 mutate {
 add_tag => [ "cached domain to ip cname" ]
 }
 }
- else if [domain_request] and [message] =~ "cached" {
+ else if [domain_request] and [message] =~ "cached" {
 mutate {
 add_tag => [ "cached domain to ip" ]
 }
@@ -154,17 +163,6 @@ filter {
 }
 }
- else if [NODATA-IPv4] {
- mutate {
- add_tag => [ "NODATA" ]
- }
- }
-
- else if [NODATA-IPv6] {
- mutate {
- add_tag => [ "NODATA" ]
- }
- }
 mutate {
@@ -175,7 +173,7 @@ filter {
 dns {
 reverse => ["source_fqdn"]
- action => "replace"
+ action => "replace"
 hit_cache_size => 4096
 hit_cache_ttl => 900
 failed_cache_size => 512
@@ -189,15 +187,3 @@ filter {
 }
 }
-
-
-output {
-
- if "pihole" in [tags]{
- elasticsearch {
- hosts => [""<ELASTICSEARCHHOST:PORT>""]
-# manage_template => false
- index => "logstash-syslog-dns-%{+YYYY.MM}"
- }
- }
-}
\ No newline at end of file
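Review bot: The two added branches `else if [NODATA-IPv4] {` and `else if [NODATA-IPv6] {` in the first hunk have identical bodies; a single `else if [NODATA-IPv4] or [NODATA-IPv6] { mutate { add_tag => [ "NODATA" ] } }` keeps the chain shorter and stops the two copies from drifting apart. The `if` that opens this `else if` chain lies before the hunk, so it cannot be checked here whether an earlier condition now shadows the NODATA test. Note also that the `if [request_from] and [message] =~ "query" {` that follows starts a new chain rather than continuing this one, so moving NODATA earlier does not keep the same event out of the query branches; if exclusivity was the intent, that `if` would need to become an `else if`. The matching removal in the third hunk is the other half of this move.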
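Review bot: In the second hunk the CNAME branch `else if [domain_request] and [message] =~ "cached" and [message] =~ "CNAME" {` only takes effect because it precedes the generic `else if [domain_request] and [message] =~ "cached" {`; the generic condition also matches CNAME lines, and nothing in the config documents that the order is load-bearing. A comment above the CNAME branch such as `# keep ahead of the plain "cached" branch below, which also matches CNAME lines` would protect it from a future reorder. Both `=~ "cached"` tests are unanchored pattern matches on the whole message, so the added `[domain_request]` guard is now the only thing separating these two branches from any other line containing that word. The second changed line of this hunk differs only in whitespace.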