diff --git a/conf.d/20-dns-syslog.conf b/conf.d/20-dns-syslog.conf
new file mode 100644
index 0000000000000000000000000000000000000000..84958d33e6c598c02ccfbd6bb09ec31e7bbb12f5
--- /dev/null
+++ b/conf.d/20-dns-syslog.conf
@@ -0,0 +1,162 @@
+input {
+ beats {
+ port => 5141
+ type => "logs"
+ tags => ["pihole","5141"]
+ }
+}
+
+filter {
+ if "pihole" in [tags]{
+ grok {
+ patterns_dir => ["/etc/logstash/patterns/"]
+ match => {
+ "message" => [
+
+# request - query type
+ "^%{DNSMASQPREFIX} query\[%{WORD:query_type}\] %{FQDN:domain_request} from %{IP:request_from}$",
+ # reponse domain to ip
+ "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is %{IP:ip_response}$",
+ # response domain is NXDOMAIN
+ "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is NXDOMAIN$",
+ # response config domain is NXDOMAIN
+ "^%{DNSMASQPREFIX} config %{FQDN:domain_request} is NXDOMAIN$",
+ # response config domain is no-DATA
+ "^%{DNSMASQPREFIX} config %{FQDN:domain_request} is NODATA-IPv[4,6]$",
+ # reponse domain to ip cname
+ "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is \<CNAME\>$",
+ # respone ip to domain
+ "^%{DNSMASQPREFIX} reply %{IP:ip_request} is %{FQDN:domain_response}$",
+ # piholed
+ "^%{DNSMASQPREFIX} \/etc\/pihole\/gravity\.list %{FQDN:blocked_domain} is %{IP:pihole}$",
+ # piholed local
+ "^%{DNSMASQPREFIX} \/etc\/pihole\/local\.list %{FQDN:blocked_domain} is %{IP:pihole}$",
+ # blacklist
+ "^%{DNSMASQPREFIX} \/etc\/pihole\/black\.list %{FQDN:blocked_domain} is %{IP:pihole}$",
+ # reverse response etc hosts ip to domain
+ "^%{DNSMASQPREFIX} \/etc\/hosts %{IP:ip_request} is %{FQDN:domain_response}$",
+ # reverse response etc hosts domain to ip
+ "^%{DNSMASQPREFIX} \/etc\/hosts %{FQDN:domain_request} is %{IP:ip_response}$",
+ # forward dns to
+ "^%{DNSMASQPREFIX} forwarded %{FQDN:domain_request} to %{IP:dns_forward_to}$",
+ # cached domain to ip
+ "^%{DNSMASQPREFIX} cached %{FQDN:domain_request} is %{IP:ip_response}$",
+ # cached ip to domain
+ "^%{DNSMASQPREFIX} cached %{IP:ip_request} is %{FQDN:domain_response}$",
+ # cached domain to ip cname
+ "^%{DNSMASQPREFIX} cached %{FQDN:domain_request} is \<CNAME\>$",
+ # cached domain is NXDOMAIN
+ "^%{DNSMASQPREFIX} cached %{FQDN:domain_request} is NXDOMAIN$",
+ # cached domain is no-DATA
+ "^%{DNSMASQPREFIX} cached %{FQDN:domain_request} is NODATA-IPv[4,6]$",
+ # domain is no-DATA
+ "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is NODATA-IPv[4,6]$",
+ # SRV
+ "^%{DNSMASQPREFIX} query\[%{WORD:query_type}\] %{HOSTNAMEPTR:request} from %{IP:request_from}$",
+ # SRV forwarded
+ "^%{DNSMASQPREFIX} forwarded %{HOSTNAMEPTR:request} to %{IP:dns_forward_to}$"
+
+ ]
+ }
+}
+
+# to do cached and cached reverse
+
+
+ if [request_from] {
+ mutate {
+ add_tag => [ "request and query type" ]
+ }
+ }
+ else if [ip_response] {
+ mutate {
+ add_tag => [ "response domain to ip" ]
+ }
+ }
+ else if [message] =~ "CNAME" and [message] =~ "reply" {
+ mutate {
+ add_tag => [ "response domain to ip CNAME" ]
+ }
+ }
+ else if [domain_response] and [message] =~ "reply" {
+ mutate {
+ add_tag => [ "response ip to domain" ]
+ }
+ }
+ else if [blocked_domain] {
+ mutate {
+ add_tag => [ "piholed" ]
+ }
+ }
+ else if [message] =~ "\/etc\/hosts" {
+ mutate {
+ add_tag => [ "reverse hostsfile" ]
+ }
+ }
+ else if [dns_forward_to] {
+ mutate {
+ add_tag => [ "dns forward" ]
+ }
+ }
+ else if [ip_request] and [message] =~ "cached" {
+ mutate {
+ add_tag => [ "cached ip to domain" ]
+ }
+ }
+ else if [domain_request] and [message] =~ "cached" {
+ mutate {
+ add_tag => [ "cached domain to ip" ]
+ }
+ }
+ else if [message] =~ "cached" and [message] =~ "CNAME" {
+ mutate {
+ add_tag => [ "cached domain to ip cname" ]
+ }
+ }
+ else if [message] =~ "cached" and [message] =~ "NXDOMAIN" {
+ mutate {
+ add_tag => [ "cached NXDOMAIN" ]
+ }
+ }
+ else if [NODATA-IPv4] {
+ mutate {
+ add_tag => [ "NODATA" ]
+ }
+ }
+ else if [NODATA-IPv6] {
+ mutate {
+ add_tag => [ "NODATA" ]
+ }
+ }
+
+
+ mutate {
+ add_field => {
+ "[source_fqdn]" => "%{source_host}"
+ }
+ }
+
+ dns {
+ reverse => ["source_fqdn"]
+ action => "replace"
+ nameserver => ["localhost"]
+ hit_cache_size => 4096
+ hit_cache_ttl => 900
+ failed_cache_size => 512
+ failed_cache_ttl => 900
+ }
+
+
+ }
+}
+
+output {
+
+ if "pihole" in [tags]{
+ elasticsearch {
+ hosts => ["<ELASTICSEARCHHOST:PORT>"]
+ manage_template => false
+ index => "logstash-syslog-dns-%{+YYYY.MM}"
+ }
+ }
+}
\ No newline at end of file
diff --git a/elk-hole.json b/elk-hole.json
new file mode 100644
index 0000000000000000000000000000000000000000..dfadf2d6de06e844bde8824f01735191d5038859
--- /dev/null
+++ b/elk-hole.json
@@ -0,0 +1,172 @@
+[
+ {
+ "_id": "e7da3480-34f1-11e8-beb4-d7353bd14360",
+ "_type": "visualization",
+ "_source": {
+ "title": "DNS piholed total - pihole",
+ "visState": "{\"title\":\"DNS piholed total - pihole\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":20}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}}]}",
+ "uiStateJSON": "{}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"index\":\"55140490-2411-11e9-8e51-330d470c740b\",\"filter\":[{\"meta\":{\"index\":\"59b18760-3133-11e8-beb4-d7353bd14360\",\"negate\":false,\"disabled\":true,\"alias\":null,\"type\":\"phrase\",\"key\":\"tags.keyword\",\"value\":\"piholed\",\"params\":{\"query\":\"piholed\",\"type\":\"phrase\"}},\"query\":{\"match\":{\"tags.keyword\":{\"query\":\"piholed\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"index\":\"59b18760-3133-11e8-beb4-d7353bd14360\",\"negate\":false,\"disabled\":true,\"alias\":null,\"type\":\"phrase\",\"key\":\"message\",\"value\":\"gravity.list\",\"params\":{\"query\":\"gravity.list\",\"type\":\"phrase\"}},\"query\":{\"match\":{\"message\":{\"query\":\"gravity.list\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"index\":\"59b18760-3133-11e8-beb4-d7353bd14360\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"exists\",\"key\":\"blocked_domain\",\"value\":\"exists\"},\"exists\":{\"field\":\"blocked_domain\"},\"$state\":{\"store\":\"appState\"}}],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
+ }
+ }
+ },
+ {
+ "_id": "bd5cd320-34f1-11e8-beb4-d7353bd14360",
+ "_type": "visualization",
+ "_source": {
+ "title": "DNS requests total - pihole",
+ "visState": "{\"title\":\"DNS requests total - pihole\",\"type\":\"metric\",\"params\":{\"addTooltip\":true,\"addLegend\":false,\"type\":\"metric\",\"metric\":{\"percentageMode\":false,\"useRanges\":false,\"colorSchema\":\"Green to Red\",\"metricColorMode\":\"None\",\"colorsRange\":[{\"from\":0,\"to\":10000}],\"labels\":{\"show\":true},\"invertColors\":false,\"style\":{\"bgFill\":\"#000\",\"bgColor\":false,\"labelColor\":false,\"subText\":\"\",\"fontSize\":21}}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"DNS Requests\"}}]}",
+ "uiStateJSON": "{}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"index\":\"55140490-2411-11e9-8e51-330d470c740b\",\"filter\":[{\"meta\":{\"index\":\"55140490-2411-11e9-8e51-330d470c740b\",\"negate\":true,\"disabled\":true,\"alias\":null,\"type\":\"phrase\",\"key\":\"query_type\",\"value\":\"PTR\",\"params\":{\"query\":\"PTR\",\"type\":\"phrase\"}},\"query\":{\"match\":{\"query_type\":{\"query\":\"PTR\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}},{\"meta\":{\"index\":\"59b18760-3133-11e8-beb4-d7353bd14360\",\"negate\":false,\"disabled\":false,\"alias\":null,\"type\":\"phrase\",\"key\":\"tags.keyword\",\"value\":\"request and query type\",\"params\":{\"query\":\"request and query type\",\"type\":\"phrase\"}},\"query\":{\"match\":{\"tags.keyword\":{\"query\":\"request and query type\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
+ }
+ }
+ },
+ {
+ "_id": "91cada30-5e82-11e8-81db-f1525a738f45",
+ "_type": "visualization",
+ "_source": {
+ "title": "DNS query types - pihole",
+ "visState": "{\"title\":\"DNS query types - pihole\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"query_type.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
+ "uiStateJSON": "{}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"index\":\"55140490-2411-11e9-8e51-330d470c740b\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
+ }
+ }
+ },
+ {
+ "_id": "c60b2a70-339e-11e8-beb4-d7353bd14360",
+ "_type": "visualization",
+ "_source": {
+ "title": "DNS query type/source host - pihole",
+ "visState": "{\"title\":\"DNS query type/source host - pihole\",\"type\":\"histogram\",\"params\":{\"type\":\"histogram\",\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"type\":\"category\",\"position\":\"bottom\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\"},\"labels\":{\"show\":true,\"truncate\":100},\"title\":{}}],\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"name\":\"LeftAxis-1\",\"type\":\"value\",\"position\":\"left\",\"show\":true,\"style\":{},\"scale\":{\"type\":\"linear\",\"mode\":\"normal\"},\"labels\":{\"show\":true,\"rotate\":0,\"filter\":false,\"truncate\":100},\"title\":{\"text\":\"Count\"}}],\"seriesParams\":[{\"show\":\"true\",\"type\":\"histogram\",\"mode\":\"stacked\",\"data\":{\"label\":\"Count\",\"id\":\"1\"},\"valueAxis\":\"ValueAxis-1\",\"drawLinesBetweenPoints\":true,\"showCircles\":true}],\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"times\":[],\"addTimeMarker\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"source_fqdn.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"query_type.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
+ "uiStateJSON": "{}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"index\":\"55140490-2411-11e9-8e51-330d470c740b\",\"filter\":[{\"meta\":{\"index\":\"55140490-2411-11e9-8e51-330d470c740b0\",\"negate\":true,\"disabled\":true,\"alias\":null,\"type\":\"phrase\",\"key\":\"source_host.keyword\",\"value\":\"192.168.254.248\",\"params\":{\"query\":\"192.168.254.248\",\"type\":\"phrase\"}},\"query\":{\"match\":{\"source_host.keyword\":{\"query\":\"192.168.254.248\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
+ }
+ }
+ },
+ {
+ "_id": "27624920-3390-11e8-beb4-d7353bd14360",
+ "_type": "visualization",
+ "_source": {
+ "title": "DNS forward destinations - pihole",
+ "visState": "{\"title\":\"DNS forward destinations - pihole\",\"type\":\"pie\",\"params\":{\"type\":\"pie\",\"addTooltip\":true,\"addLegend\":true,\"legendPosition\":\"right\",\"isDonut\":true,\"labels\":{\"show\":true,\"values\":true,\"last_level\":true,\"truncate\":100}},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"host.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"dns_forward_to.keyword\",\"size\":5,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}}]}",
+ "uiStateJSON": "{}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"index\":\"55140490-2411-11e9-8e51-330d470c740b\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
+ }
+ }
+ },
+ {
+ "_id": "e611adc0-a203-11e8-8e9e-1d0e979ee6d4",
+ "_type": "visualization",
+ "_source": {
+ "title": "piholed percent - pihole",
+ "visState": "{\"title\":\"piholed percent - pihole\",\"type\":\"metrics\",\"params\":{\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"type\":\"gauge\",\"series\":[{\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"color\":\"#68BC00\",\"split_mode\":\"everything\",\"metrics\":[{\"id\":\"61ca57f2-469d-11e7-af02-69e470af7417\",\"type\":\"filter_ratio\",\"numerator\":\"tags:\\\"piholed\\\"\",\"denominator\":\"tags.keyword:\\\"request and query type\\\"\",\"metric_agg\":\"count\"}],\"seperate_axis\":0,\"axis_position\":\"right\",\"formatter\":\"percent\",\"chart_type\":\"line\",\"line_width\":1,\"point_size\":1,\"fill\":0.5,\"stacked\":\"none\",\"value_template\":\"\"}],\"time_field\":\"@timestamp\",\"index_pattern\":\"*dns*\",\"interval\":\"auto\",\"axis_position\":\"left\",\"axis_formatter\":\"number\",\"show_legend\":1,\"show_grid\":1,\"gauge_color_rules\":[{\"id\":\"14b76370-a201-11e8-a2be-75195e55158c\"}],\"gauge_width\":10,\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"bar_color_rules\":[{\"id\":\"c116e410-a201-11e8-a2be-75195e55158c\"}],\"background_color_rules\":[{\"id\":\"6fa17de0-a209-11e8-a2be-75195e55158c\"}],\"annotations\":[],\"axis_scale\":\"normal\"},\"aggs\":[]}",
+ "uiStateJSON": "{}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"query\":\"\",\"language\":\"kuery\"},\"filter\":[]}"
+ }
+ }
+ },
+ {
+ "_id": "25c8a840-27b2-11e9-8e51-330d470c740b",
+ "_type": "visualization",
+ "_source": {
+ "title": "DNS top domains - pihole",
+ "visState": "{\"title\":\"DNS top domains - pihole\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"domain_request.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"exclude\":\"\",\"customLabel\":\"Top Domains\"}}]}",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"index\":\"55140490-2411-11e9-8e51-330d470c740b\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
+ }
+ }
+ },
+ {
+ "_id": "8c6a0b10-34f2-11e8-beb4-d7353bd14360",
+ "_type": "visualization",
+ "_source": {
+ "title": "DNS top piholed domains - pihole",
+ "visState": "{\"title\":\"DNS top piholed domains - pihole\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"showTotal\":false,\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Count\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"blocked_domain.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Top Piholed Domains\"}}]}",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"index\":\"55140490-2411-11e9-8e51-330d470c740b\",\"filter\":[],\"query\":{\"query\":\"\",\"language\":\"lucene\"}}"
+ }
+ }
+ },
+ {
+ "_id": "076c70c0-338e-11e8-beb4-d7353bd14360",
+ "_type": "visualization",
+ "_source": {
+ "title": "DNS requests per client - pihole",
+ "visState": "{\"title\":\"DNS requests per client - pihole\",\"type\":\"table\",\"params\":{\"perPage\":10,\"showPartialRows\":false,\"showTotal\":false,\"sort\":{\"columnIndex\":null,\"direction\":null},\"totalFunc\":\"sum\",\"showMetricsAtAllLevels\":false},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{\"customLabel\":\"Queries\"}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"bucket\",\"params\":{\"field\":\"source_fqdn.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"customLabel\":\"Client IP\"}}]}",
+ "uiStateJSON": "{\"vis\":{\"params\":{\"sort\":{\"columnIndex\":null,\"direction\":null}}}}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"index\":\"55140490-2411-11e9-8e51-330d470c740b\",\"filter\":[],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ }
+ }
+ },
+ {
+ "_id": "88d55340-338c-11e8-beb4-d7353bd14360",
+ "_type": "visualization",
+ "_source": {
+ "title": "DNS request/respone type - pihole",
+ "visState": "{\"title\":\"DNS request/respone type - pihole\",\"type\":\"histogram\",\"params\":{\"addLegend\":true,\"addTimeMarker\":false,\"addTooltip\":true,\"categoryAxes\":[{\"id\":\"CategoryAxis-1\",\"labels\":{\"show\":true,\"truncate\":100},\"position\":\"bottom\",\"scale\":{\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{},\"type\":\"category\"}],\"grid\":{\"categoryLines\":false,\"style\":{\"color\":\"#eee\"}},\"legendPosition\":\"right\",\"seriesParams\":[{\"data\":{\"id\":\"1\",\"label\":\"Count\"},\"drawLinesBetweenPoints\":true,\"mode\":\"stacked\",\"show\":\"true\",\"showCircles\":true,\"type\":\"histogram\",\"valueAxis\":\"ValueAxis-1\"}],\"times\":[],\"type\":\"histogram\",\"valueAxes\":[{\"id\":\"ValueAxis-1\",\"labels\":{\"filter\":false,\"rotate\":0,\"show\":true,\"truncate\":100},\"name\":\"LeftAxis-1\",\"position\":\"left\",\"scale\":{\"mode\":\"normal\",\"type\":\"linear\"},\"show\":true,\"style\":{},\"title\":{\"text\":\"Count\"},\"type\":\"value\"}]},\"aggs\":[{\"id\":\"1\",\"enabled\":true,\"type\":\"count\",\"schema\":\"metric\",\"params\":{}},{\"id\":\"2\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"segment\",\"params\":{\"field\":\"source_fqdn.keyword\",\"size\":10,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\"}},{\"id\":\"3\",\"enabled\":true,\"type\":\"terms\",\"schema\":\"group\",\"params\":{\"field\":\"tags.keyword\",\"size\":500,\"order\":\"desc\",\"orderBy\":\"1\",\"otherBucket\":false,\"otherBucketLabel\":\"Other\",\"missingBucket\":false,\"missingBucketLabel\":\"Missing\",\"exclude\":\"beats_input_codec_plain_applied|5141|pihole|_geoip_lookup_failure\"}}]}",
+ "uiStateJSON": "{}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"index\":\"55140490-2411-11e9-8e51-330d470c740b\",\"filter\":[{\"meta\":{\"index\":\"55140490-2411-11e9-8e51-330d470c740b\",\"negate\":true,\"disabled\":true,\"alias\":null,\"type\":\"phrase\",\"key\":\"source_host.keyword\",\"value\":\"192.168.254.248\",\"params\":{\"query\":\"192.168.254.248\",\"type\":\"phrase\"}},\"query\":{\"match\":{\"source_host.keyword\":{\"query\":\"192.168.254.248\",\"type\":\"phrase\"}}},\"$state\":{\"store\":\"appState\"}}],\"query\":{\"language\":\"lucene\",\"query\":\"\"}}"
+ }
+ }
+ },
+ {
+ "_id": "381275b0-34bc-11e8-beb4-d7353bd14360",
+ "_type": "visualization",
+ "_source": {
+ "title": "Requests vs piholed - pihole",
+ "visState": "{\"title\":\"Requests vs piholed - pihole\",\"type\":\"metrics\",\"params\":{\"id\":\"61ca57f0-469d-11e7-af02-69e470af7417\",\"type\":\"timeseries\",\"series\":[{\"id\":\"61ca57f1-469d-11e7-af02-69e470af7417\",\"color\":\"#68BC00\",\"split_mode\":\"filter\",\"metrics\":[{\"id\":\"a5cd5cd0-34be-11e8-a36f-6fd9911e50af\",\"type\":\"count\"}],\"seperate_axis\":0,\"axis_position\":\"right\",\"formatter\":\"number\",\"chart_type\":\"line\",\"line_width\":\"3\",\"point_size\":\"-1\",\"fill\":\"0.5\",\"stacked\":\"stacked\",\"terms_field\":\"query_type.keyword\",\"terms_order_by\":\"_count\",\"terms_size\":\"10\",\"filter\":\"tags:\\\"request and query type\\\"\",\"override_index_pattern\":0,\"split_color_mode\":\"gradient\",\"label\":\"Request Count\",\"offset_time\":\"\",\"series_drop_last_bucket\":1},{\"id\":\"b0e4bf30-34bb-11e8-806f-b37e16272205\",\"color\":\"rgba(244,78,59,1)\",\"split_mode\":\"filter\",\"metrics\":[{\"id\":\"b0e4bf31-34bb-11e8-806f-b37e16272205\",\"type\":\"count\"}],\"seperate_axis\":0,\"axis_position\":\"right\",\"formatter\":\"number\",\"chart_type\":\"line\",\"line_width\":\"1\",\"point_size\":1,\"fill\":\"1\",\"stacked\":\"stacked\",\"terms_field\":\"tags.keyword\",\"split_filters\":[{\"filter\":\"test\",\"label\":\"test 1\",\"color\":\"#68BC00\",\"id\":\"035358d0-34bc-11e8-806f-b37e16272205\"}],\"terms_order_by\":\"_count\",\"label\":\"Piholed Count\",\"filter\":\"tags:\\\"piholed\\\"\",\"steps\":0}],\"time_field\":\"@timestamp\",\"index_pattern\":\"*dns*\",\"interval\":\"auto\",\"axis_position\":\"left\",\"axis_formatter\":\"number\",\"show_legend\":1,\"show_grid\":1,\"background_color_rules\":[{\"id\":\"76bd8260-34bb-11e8-806f-b37e16272205\"}],\"bar_color_rules\":[{\"id\":\"7892dea0-34bb-11e8-806f-b37e16272205\"}],\"gauge_color_rules\":[{\"id\":\"79668250-34bb-11e8-806f-b37e16272205\"}],\"gauge_width\":10,\"gauge_inner_width\":10,\"gauge_style\":\"half\",\"annotations\":[{\"fields\":\"\",\"template\":\"\",\"index_pattern\":\"\",\"query_string\":\"\",\"id\":\"b09dc6f0-34c2-11e8-a36f-6fd9911e50af\",\"color\":\"#F00\",\"time_field\":\"@timestamp\",\"icon\":\"fa-tag\",\"ignore_global_filters\":1,\"ignore_panel_filters\":1}],\"ignore_global_filter\":0,\"axis_scale\":\"normal\"},\"aggs\":[]}",
+ "uiStateJSON": "{}",
+ "description": "",
+ "version": 1,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"language\":\"kuery\",\"query\":\"\"},\"filter\":[]}"
+ }
+ }
+ },
+ {
+ "_id": "fb953870-339e-11e8-beb4-d7353bd14360",
+ "_type": "dashboard",
+ "_source": {
+ "title": "DNS - pihole",
+ "hits": 0,
+ "description": "",
+ "panelsJSON": "[{\"embeddableConfig\":{\"vis\":{\"legendOpen\":true}},\"gridData\":{\"h\":14,\"i\":\"1\",\"w\":14,\"x\":0,\"y\":40},\"id\":\"27624920-3390-11e8-beb4-d7353bd14360\",\"panelIndex\":\"1\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":14,\"i\":\"2\",\"w\":12,\"x\":24,\"y\":40},\"id\":\"c60b2a70-339e-11e8-beb4-d7353bd14360\",\"panelIndex\":\"2\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"gridData\":{\"h\":16,\"i\":\"3\",\"w\":20,\"x\":0,\"y\":24},\"id\":\"88d55340-338c-11e8-beb4-d7353bd14360\",\"panelIndex\":\"3\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"gridData\":{\"h\":16,\"i\":\"4\",\"w\":9,\"x\":20,\"y\":24},\"id\":\"076c70c0-338e-11e8-beb4-d7353bd14360\",\"panelIndex\":\"4\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"gridData\":{\"h\":24,\"i\":\"6\",\"w\":48,\"x\":0,\"y\":0},\"id\":\"381275b0-34bc-11e8-beb4-d7353bd14360\",\"panelIndex\":\"6\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"gridData\":{\"h\":6,\"i\":\"7\",\"w\":5,\"x\":19,\"y\":48},\"id\":\"e7da3480-34f1-11e8-beb4-d7353bd14360\",\"panelIndex\":\"7\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"gridData\":{\"h\":6,\"i\":\"8\",\"w\":5,\"x\":14,\"y\":48},\"id\":\"bd5cd320-34f1-11e8-beb4-d7353bd14360\",\"panelIndex\":\"8\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"gridData\":{\"h\":16,\"i\":\"9\",\"w\":10,\"x\":29,\"y\":24},\"id\":\"8c6a0b10-34f2-11e8-beb4-d7353bd14360\",\"panelIndex\":\"9\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"embeddableConfig\":{\"vis\":{\"legendOpen\":false}},\"gridData\":{\"h\":14,\"i\":\"10\",\"w\":12,\"x\":36,\"y\":40},\"id\":\"91cada30-5e82-11e8-81db-f1525a738f45\",\"panelIndex\":\"10\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":8,\"i\":\"11\",\"w\":10,\"x\":14,\"y\":40},\"id\":\"e611adc0-a203-11e8-8e9e-1d0e979ee6d4\",\"panelIndex\":\"11\",\"type\":\"visualization\",\"version\":\"6.3.2\"},{\"embeddableConfig\":{},\"gridData\":{\"h\":16,\"i\":\"12\",\"w\":9,\"x\":39,\"y\":24},\"id\":\"25c8a840-27b2-11e9-8e51-330d470c740b\",\"panelIndex\":\"12\",\"type\":\"visualization\",\"version\":\"6.5.0\"}]",
+ "optionsJSON": "{\"darkTheme\":false,\"hidePanelTitles\":false,\"useMargins\":true}",
+ "version": 1,
+ "timeRestore": false,
+ "kibanaSavedObjectMeta": {
+ "searchSourceJSON": "{\"query\":{\"language\":\"lucene\",\"query\":\"\"},\"filter\":[],\"highlightAll\":true,\"version\":true}"
+ }
+ }
+ }
+]
\ No newline at end of file
diff --git a/etc/filebeat/filebeat.yml b/etc/filebeat/filebeat.yml
new file mode 100644
index 0000000000000000000000000000000000000000..4088a59bdff796c51ce4027d57b87700e3e132ab
--- /dev/null
+++ b/etc/filebeat/filebeat.yml
@@ -0,0 +1,18 @@
+filebeat:
+ prospectors:
+ -
+ paths:
+ - /var/log/pihole.log
+ input_type: log
+ registry_file: /var/lib/filebeat/registry
+
+output:
+ logstash:
+ hosts: ["<LOGSTASHHOST>:5141"]
+
+shipper:
+
+logging:
+ files:
+ rotateeverybytes: 10485760
+
diff --git a/patterns/dns b/patterns/dns
new file mode 100644
index 0000000000000000000000000000000000000000..4542562f9bd5c26f77897e6d1b4459081ad9bc21
--- /dev/null
+++ b/patterns/dns
@@ -0,0 +1,5 @@
+HOSTNAMEPTR \b(?:[\._0-9A-Za-z][0-9A-Za-z-]{0,62})(?:\.(?:[\._0-9A-Za-z][0-9A-Za-z-]{0,62}))*(\.?|\b)
+NODATA NODATA-[[:word:]]+
+SRV _+.+\S
+FQDN \b(?:[\w-][\w-]{0,62})(?:\.(?:[\w-][\w-]{0,62}))*(\.?|\b)
+DNSMASQPREFIX %{SYSLOGTIMESTAMP:date} %{SYSLOGPROG}: %{INT:logrow} %{IP:source_host}\/%{POSINT:source_port}
\ No newline at end of file