diff --git a/logstash/conf.d/20-dns-syslog.conf b/logstash/conf.d/20-dns-syslog.conf
index 2abf07318433aa011cb1ccef6ed780bde3d59720..c63c31277c43723679a7cae8d53c747f3f8d0a19 100644
--- a/logstash/conf.d/20-dns-syslog.conf
+++ b/logstash/conf.d/20-dns-syslog.conf
@@ -60,10 +60,10 @@ filter {
 "^%{DNSMASQPREFIX} cached %{FQDN:domain_request} is NODATA-IPv[4,6]$",
 # domain is no-DATA
 "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is NODATA-IPv[4,6]$",
- # SRV
- "^%{DNSMASQPREFIX} query\[%{WORD:query_type}\] %{HOSTNAMEPTR:request} from %{IP:request_from}$",
- # SRV forwarded
- "^%{DNSMASQPREFIX} forwarded %{HOSTNAMEPTR:request} to %{IP:dns_forward_to}$" ,
+ # PTR
+ #"^%{DNSMASQPREFIX} query\[%{WORD:query_type}\] %{HOSTNAMEPTR:request} from %{IP:request_from}$",
+ # PTR forwarded
+ #"^%{DNSMASQPREFIX} forwarded %{HOSTNAMEPTR:request} to %{IP:dns_forward_to}$" ,
 # SERVFAIL
 "^%{DNSMASQPREFIX} reply error is SERVFAIL"
@@ -165,10 +165,23 @@ filter {
 if [domain_request] {
 geoip {
+# cache_size => "10000"
 source => "domain_request"
- }
+ }
+ }
+
+ if [ip_response] {
+ mutate {
+ add_field => { "ip_or_domain_response" => "%{domain_request}" }
+ }
 }
-
+
+ if [domain_response] {
+ mutate {
+ add_field => { "ip_or_domain_response" => "%{ip_request}" }
+ }
+ }
+
 mutate {
 add_field => {
 "[source_fqdn]" => "%{source_host}"
@@ -176,9 +189,10 @@ filter {
 }
 dns {
+ nameserver => "localhost"
 reverse => ["source_fqdn"]
 action => "replace"
- hit_cache_size => 4096
+ hit_cache_size => 10000
 hit_cache_ttl => 900
 failed_cache_size => 512
 failed_cache_ttl => 900
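Review bot: Commenting out the two PTR patterns means `query[PTR]` and their `forwarded` lines no longer populate `request`, `request_from` or `dns_forward_to`, and unless a catch-all pattern exists elsewhere in this match array (which starts and ends outside the hunk) those events will now be tagged `_grokparsefailure` rather than parsed or dropped deliberately. Reverse lookups of internal ranges are a common reconnaissance indicator, so losing them silently is a detection gap that should at least be stated. If this is intentional — it looks related to the `dns` filter later in this file reverse-resolving `source_fqdn`, which may itself generate PTR traffic through the logged resolver — record the reason next to the disabled lines, e.g. `# PTR: disabled on purpose (<reason>); these events now fail grok` so the next reader does not re-enable them blindly.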
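Review bot: The two new conditionals test `[ip_response]` and `[domain_response]` but copy `%{domain_request}` and `%{ip_request}` into `ip_or_domain_response`, so a field named for the response never carries a response value, and if the request field is absent on that event Logstash stores the literal string `%{domain_request}` instead. Unless the cross-pairing is intended, the bodies should be `add_field => { "ip_or_domain_response" => "%{ip_response}" }` and `add_field => { "ip_or_domain_response" => "%{domain_response}" }`; if it is intended, a one-line comment explaining why the request field is used is needed. When both response fields are present on one event, `add_field` on an already-set field turns it into an array, which downstream string matches on `ip_or_domain_response` would miss. The dead `# cache_size => "10000"` at column 0 inside `geoip {}` should either be enabled or removed, and note that the surrounding `geoip` runs on `domain_request`, which the grok captures above populate as an FQDN rather than an IP.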
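Review bot: `nameserver => "localhost"` routes every reverse lookup of `source_fqdn` (copied from `source_host` above) to the local resolver; if that resolver is the dnsmasq whose syslog this pipeline ingests, each uncached lookup emits new PTR log lines that feed back into this pipeline, which the hit/failed caches bound but do not eliminate — presumably the reason the PTR patterns were commented out in the first hunk, and worth stating in a comment here. Prefer an explicit address, `nameserver => "127.0.0.1"`, since how a hostname in this option is handled depends on the underlying Resolv library. The hit cache grew to 10000 while `failed_cache_size` stays at 512 with the same 900 s TTL, so sources that do not reverse-resolve will churn the small failed cache and every miss is a blocking lookup in the filter thread; raise it in step (`failed_cache_size => 10000`) and set an explicit `timeout`. The `dns {` block closes outside the hunk.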