fix for https://github.com/nin9s/elk-hole/issues/29

b27fdead · 9S · GitHub · ec76d107 · b27fdead
Unverified Commit b27fdead authored 5 years ago by 9S Committed by GitHub 5 years ago
--- a/logstash/conf.d/20-dns-syslog.conf
+++ b/logstash/conf.d/20-dns-syslog.conf
@@ -60,10 +60,10 @@ filter {
 "^%{DNSMASQPREFIX} cached %{FQDN:domain_request} is NODATA-IPv[4,6]$",
 # domain is no-DATA
 "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is NODATA-IPv[4,6]$",
- # SRV
- "^%{DNSMASQPREFIX} query\[%{WORD:query_type}\] %{HOSTNAMEPTR:request} from %{IP:request_from}$",
- # SRV forwarded
- "^%{DNSMASQPREFIX} forwarded %{HOSTNAMEPTR:request} to %{IP:dns_forward_to}$" ,
+ # PTR
+ #"^%{DNSMASQPREFIX} query\[%{WORD:query_type}\] %{HOSTNAMEPTR:request} from %{IP:request_from}$",
+ # PTR forwarded
+ #"^%{DNSMASQPREFIX} forwarded %{HOSTNAMEPTR:request} to %{IP:dns_forward_to}$" ,
 # SERVFAIL
 "^%{DNSMASQPREFIX} reply error is SERVFAIL"

@@ -165,10 +165,23 @@ filter {

      if [domain_request] {
        geoip {
+#          cache_size => "10000"
          source => "domain_request"
        }
      }

+      if [ip_response] {
+        mutate {
+          add_field => { "ip_or_domain_response" => "%{domain_request}" }
+        }
+      }
+
+      if [domain_response] {
+        mutate {
+          add_field => { "ip_or_domain_response" => "%{ip_request}" }
+        }
+      }
+
  mutate {
      add_field => {
        "[source_fqdn]" => "%{source_host}"
@@ -176,9 +189,10 @@ filter {
    }

    dns {
+      nameserver => "localhost"
      reverse => ["source_fqdn"]
      action => "replace"
-      hit_cache_size => 4096
+      hit_cache_size => 10000
      hit_cache_ttl => 900
      failed_cache_size => 512
      failed_cache_ttl => 900