From b5e2df2a7e417040bb8f97a75f2d0e63302a8a18 Mon Sep 17 00:00:00 2001
From: 9S <strrrn@gmail.com>
Date: Fri, 22 Feb 2019 18:57:57 +0100
Subject: [PATCH] Delete 20-dns-syslog.conf
---
conf.d/20-dns-syslog.conf | 162 --------------------------------------
1 file changed, 162 deletions(-)
delete mode 100644 conf.d/20-dns-syslog.conf
diff --git a/conf.d/20-dns-syslog.conf b/conf.d/20-dns-syslog.conf
deleted file mode 100644
index 84958d3..0000000
--- a/conf.d/20-dns-syslog.conf
+++ /dev/null
@@ -1,162 +0,0 @@
-input {
- beats {
- port => 5141
- type => "logs"
- tags => ["pihole","5141"]
- }
-}
-
-filter {
- if "pihole" in [tags]{
- grok {
- patterns_dir => ["/etc/logstash/patterns/"]
- match => {
- "message" => [
-
-# request - query type
- "^%{DNSMASQPREFIX} query\[%{WORD:query_type}\] %{FQDN:domain_request} from %{IP:request_from}$",
- # reponse domain to ip
- "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is %{IP:ip_response}$",
- # response domain is NXDOMAIN
- "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is NXDOMAIN$",
- # response config domain is NXDOMAIN
- "^%{DNSMASQPREFIX} config %{FQDN:domain_request} is NXDOMAIN$",
- # response config domain is no-DATA
- "^%{DNSMASQPREFIX} config %{FQDN:domain_request} is NODATA-IPv[4,6]$",
- # reponse domain to ip cname
- "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is \<CNAME\>$",
- # respone ip to domain
- "^%{DNSMASQPREFIX} reply %{IP:ip_request} is %{FQDN:domain_response}$",
- # piholed
- "^%{DNSMASQPREFIX} \/etc\/pihole\/gravity\.list %{FQDN:blocked_domain} is %{IP:pihole}$",
- # piholed local
- "^%{DNSMASQPREFIX} \/etc\/pihole\/local\.list %{FQDN:blocked_domain} is %{IP:pihole}$",
- # blacklist
- "^%{DNSMASQPREFIX} \/etc\/pihole\/black\.list %{FQDN:blocked_domain} is %{IP:pihole}$",
- # reverse response etc hosts ip to domain
- "^%{DNSMASQPREFIX} \/etc\/hosts %{IP:ip_request} is %{FQDN:domain_response}$",
- # reverse response etc hosts domain to ip
- "^%{DNSMASQPREFIX} \/etc\/hosts %{FQDN:domain_request} is %{IP:ip_response}$",
- # forward dns to
- "^%{DNSMASQPREFIX} forwarded %{FQDN:domain_request} to %{IP:dns_forward_to}$",
- # cached domain to ip
- "^%{DNSMASQPREFIX} cached %{FQDN:domain_request} is %{IP:ip_response}$",
- # cached ip to domain
- "^%{DNSMASQPREFIX} cached %{IP:ip_request} is %{FQDN:domain_response}$",
- # cached domain to ip cname
- "^%{DNSMASQPREFIX} cached %{FQDN:domain_request} is \<CNAME\>$",
- # cached domain is NXDOMAIN
- "^%{DNSMASQPREFIX} cached %{FQDN:domain_request} is NXDOMAIN$",
- # cached domain is no-DATA
- "^%{DNSMASQPREFIX} cached %{FQDN:domain_request} is NODATA-IPv[4,6]$",
- # domain is no-DATA
- "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is NODATA-IPv[4,6]$",
- # SRV
- "^%{DNSMASQPREFIX} query\[%{WORD:query_type}\] %{HOSTNAMEPTR:request} from %{IP:request_from}$",
- # SRV forwarded
- "^%{DNSMASQPREFIX} forwarded %{HOSTNAMEPTR:request} to %{IP:dns_forward_to}$"
-
- ]
- }
-}
-
-# to do cached and cached reverse
-
-
- if [request_from] {
- mutate {
- add_tag => [ "request and query type" ]
- }
- }
- else if [ip_response] {
- mutate {
- add_tag => [ "response domain to ip" ]
- }
- }
- else if [message] =~ "CNAME" and [message] =~ "reply" {
- mutate {
- add_tag => [ "response domain to ip CNAME" ]
- }
- }
- else if [domain_response] and [message] =~ "reply" {
- mutate {
- add_tag => [ "response ip to domain" ]
- }
- }
- else if [blocked_domain] {
- mutate {
- add_tag => [ "piholed" ]
- }
- }
- else if [message] =~ "\/etc\/hosts" {
- mutate {
- add_tag => [ "reverse hostsfile" ]
- }
- }
- else if [dns_forward_to] {
- mutate {
- add_tag => [ "dns forward" ]
- }
- }
- else if [ip_request] and [message] =~ "cached" {
- mutate {
- add_tag => [ "cached ip to domain" ]
- }
- }
- else if [domain_request] and [message] =~ "cached" {
- mutate {
- add_tag => [ "cached domain to ip" ]
- }
- }
- else if [message] =~ "cached" and [message] =~ "CNAME" {
- mutate {
- add_tag => [ "cached domain to ip cname" ]
- }
- }
- else if [message] =~ "cached" and [message] =~ "NXDOMAIN" {
- mutate {
- add_tag => [ "cached NXDOMAIN" ]
- }
- }
- else if [NODATA-IPv4] {
- mutate {
- add_tag => [ "NODATA" ]
- }
- }
- else if [NODATA-IPv6] {
- mutate {
- add_tag => [ "NODATA" ]
- }
- }
-
-
- mutate {
- add_field => {
- "[source_fqdn]" => "%{source_host}"
- }
- }
-
- dns {
- reverse => ["source_fqdn"]
- action => "replace"
- nameserver => ["localhost"]
- hit_cache_size => 4096
- hit_cache_ttl => 900
- failed_cache_size => 512
- failed_cache_ttl => 900
- }
-
-
- }
-}
-
-output {
-
- if "pihole" in [tags]{
- elasticsearch {
- hosts => ["<ELASTICSEARCHHOST:PORT>"]
- manage_template => false
- index => "logstash-syslog-dns-%{+YYYY.MM}"
- }
- }
-}
\ No newline at end of file
--
GitLab