Update 20-dns-syslog.conf

fixed incorrect matching of request and query type and response domain to ip

logstash/conf.d/20-dns-syslog.conf

@@ -74,13 +74,13 @@ filter {
 # to do cached and cached reverse
 
 
-      if [request_from] {
+      if [request_from] and [message] =~ "query" {
         mutate {
           add_tag => [ "request and query type" ]
         }
       }
 
-      else if [ip_response] {
+      else if [ip_response] and [message] =~ "reply" {
         geoip {
           source => "ip_response"
         }
@@ -174,7 +174,6 @@ filter {
     dns {
       reverse => ["source_fqdn"]
       action => "replace"					  
-#      nameserver => ["localhost"]
       hit_cache_size => 4096
       hit_cache_ttl => 900
       failed_cache_size => 512