fix for https://github.com/nin9s/elk-hole/issues/29

logstash/conf.d/20-dns-syslog.conf

@@ -60,10 +60,10 @@ filter {
  "^%{DNSMASQPREFIX} cached %{FQDN:domain_request} is NODATA-IPv[4,6]$",
  # domain is no-DATA
  "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is NODATA-IPv[4,6]$",
- # SRV
- "^%{DNSMASQPREFIX} query\[%{WORD:query_type}\] %{HOSTNAMEPTR:request} from %{IP:request_from}$",
- # SRV forwarded
- "^%{DNSMASQPREFIX} forwarded %{HOSTNAMEPTR:request} to %{IP:dns_forward_to}$" ,
+ # PTR
+ #"^%{DNSMASQPREFIX} query\[%{WORD:query_type}\] %{HOSTNAMEPTR:request} from %{IP:request_from}$",
+ # PTR forwarded
+ #"^%{DNSMASQPREFIX} forwarded %{HOSTNAMEPTR:request} to %{IP:dns_forward_to}$" ,
  # SERVFAIL
  "^%{DNSMASQPREFIX} reply error is SERVFAIL"
 
@@ -165,10 +165,23 @@ filter {
 
       if [domain_request] {
         geoip {
+#          cache_size => "10000"
           source => "domain_request"
         }
       }
 
+      if [ip_response] {
+        mutate {
+          add_field => { "ip_or_domain_response" => "%{domain_request}" }
+        }
+      }
+
+      if [domain_response] {
+        mutate {
+          add_field => { "ip_or_domain_response" => "%{ip_request}" }
+        }
+      }
+
   mutate {
       add_field => {
         "[source_fqdn]" => "%{source_host}"
@@ -176,9 +189,10 @@ filter {
     }
 
     dns {
+      nameserver => "localhost"
       reverse => ["source_fqdn"]
       action => "replace"
-      hit_cache_size => 4096
+      hit_cache_size => 10000
       hit_cache_ttl => 900
       failed_cache_size => 512
       failed_cache_ttl => 900