From b27fdead0553fd45972eefaadd32923e062c70a6 Mon Sep 17 00:00:00 2001
From: 9S <strrrn@gmail.com>
Date: Sat, 23 Nov 2019 19:46:42 +0100
Subject: [PATCH] fix for https://github.com/nin9s/elk-hole/issues/29

---
 logstash/conf.d/20-dns-syslog.conf | 28 +++++++++++++++++++++-------
 1 file changed, 21 insertions(+), 7 deletions(-)

diff --git a/logstash/conf.d/20-dns-syslog.conf b/logstash/conf.d/20-dns-syslog.conf
index 2abf073..c63c312 100644
--- a/logstash/conf.d/20-dns-syslog.conf
+++ b/logstash/conf.d/20-dns-syslog.conf
@@ -60,10 +60,10 @@ filter {
  "^%{DNSMASQPREFIX} cached %{FQDN:domain_request} is NODATA-IPv[4,6]$",
  # domain is no-DATA
  "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is NODATA-IPv[4,6]$",
- # SRV
- "^%{DNSMASQPREFIX} query\[%{WORD:query_type}\] %{HOSTNAMEPTR:request} from %{IP:request_from}$",
- # SRV forwarded
- "^%{DNSMASQPREFIX} forwarded %{HOSTNAMEPTR:request} to %{IP:dns_forward_to}$" ,
+ # PTR
+ #"^%{DNSMASQPREFIX} query\[%{WORD:query_type}\] %{HOSTNAMEPTR:request} from %{IP:request_from}$",
+ # PTR forwarded
+ #"^%{DNSMASQPREFIX} forwarded %{HOSTNAMEPTR:request} to %{IP:dns_forward_to}$" ,
  # SERVFAIL
  "^%{DNSMASQPREFIX} reply error is SERVFAIL"
 
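Review bot: The two PTR grok alternatives are commented out rather than deleted, which leaves dead entries inside the live pattern list; removing the lines outright (git history keeps them) would be cleaner than keeping `#"^%{DNSMASQPREFIX} query\[%{WORD:query_type}\] ...` and its `forwarded` sibling as text inside the array. With them gone, dnsmasq `query[PTR]` and the matching `forwarded` lines will fall through this match list, so they will presumably be tagged `_grokparsefailure` unless a later pattern or a drop rule outside this hunk handles them — worth confirming that is the intended outcome of the linked issue. If it is, a one-line comment such as `# PTR lookups are intentionally not matched (see issue #29)` in place of the commented-out patterns would tell the next reader why. The pattern list continues outside the hunk.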
@@ -165,10 +165,23 @@ filter {
 
       if [domain_request] {
         geoip {
+#          cache_size => "10000"
           source => "domain_request"
-        }               
+        }
+      }
+
+      if [ip_response] {
+        mutate {
+          add_field => { "ip_or_domain_response" => "%{domain_request}" }
+        }
       }
- 
+
+      if [domain_response] {
+        mutate {
+          add_field => { "ip_or_domain_response" => "%{ip_request}" }
+        }
+      }
+
   mutate {
       add_field => {
         "[source_fqdn]" => "%{source_host}"
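Review bot: The two new `ip_or_domain_response` assignments look crossed: when `[ip_response]` is present the field is filled from `%{domain_request}`, and when `[domain_response]` is present it is filled from `%{ip_request}`, so a field named "response" is populated from request fields. If the intent is what the name suggests, the two lines should be `add_field => { "ip_or_domain_response" => "%{ip_response}" }` and `add_field => { "ip_or_domain_response" => "%{domain_response}" }`. As written there is also a silent-failure mode: Logstash leaves an unresolved `%{field}` reference as the literal string, so an event where e.g. `ip_request` was never extracted (I do not see that name captured in the visible grok patterns) ends up with `ip_or_domain_response` set to the text `%{ip_request}`, which would then be indexed as if it were a hostname. If both `ip_response` and `domain_response` can be set on one event, the second `add_field` turns the field into an array rather than overwriting it — confirm that is acceptable for whatever consumes it. The enclosing filter block starts and ends outside this hunk.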
@@ -176,9 +189,10 @@ filter {
     }
 
     dns {
+      nameserver => "localhost"
       reverse => ["source_fqdn"]
       action => "replace"
-      hit_cache_size => 4096
+      hit_cache_size => 10000
       hit_cache_ttl => 900
       failed_cache_size => 512
       failed_cache_ttl => 900
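Review bot: `nameserver => "localhost"` hard-codes the assumption that a resolver listens on the Logstash host, and the reverse lookup it drives runs on `source_fqdn`, i.e. on every client IP copied from `source_host`, so each new client triggers a PTR query to that resolver. If that local resolver is the same Pi-hole/dnsmasq instance whose log this pipeline ingests, those PTR lookups will presumably show up in the log and be fed back into this pipeline — which may be why the PTR patterns are commented out in the first hunk; confirm the two changes are meant to go together. In a containerized deployment where Logstash is not co-located with the DNS server, "localhost" has no resolver and every lookup will hit the failure path and be cached for `failed_cache_ttl` seconds. I would add `# Reverse-resolve client IPs via the local resolver; adjust if Logstash does not run on the DNS host` above the `nameserver` line, and consider making the value configurable rather than fixed. The `dns {}` block's opening line is in the hunk but its close is outside it.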
-- 
GitLab