From c5dda61a12c055ead23ec83b181e236b1e00f8da Mon Sep 17 00:00:00 2001
From: nin9s <strrrn@gmail.com>
Date: Tue, 24 Sep 2019 20:13:12 +0200
Subject: [PATCH] Update 20-dns-syslog.conf
fixed incorrect matching of request and query type and response domain to ip
---
 logstash/conf.d/20-dns-syslog.conf | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)
diff --git a/logstash/conf.d/20-dns-syslog.conf b/logstash/conf.d/20-dns-syslog.conf
index c473dd1..4aa838b 100644
--- a/logstash/conf.d/20-dns-syslog.conf
+++ b/logstash/conf.d/20-dns-syslog.conf
@@ -1,7 +1,7 @@
 #################################################################
-# logstash parsing logic and tagging for elk-hole #
-# created by n9nes #
-# feel free to star the rep - https://github.com/nin9s/elk-hole #
+# logstash parsing logic and tagging for elk-hole #
+# created by n9nes #
+# feel free to star the rep - https://github.com/nin9s/elk-hole #
 #################################################################
 input {
@@ -20,7 +20,7 @@ filter {
 match => {
 "message" => [
-# request - query type
+ # request - query type
 "^%{DNSMASQPREFIX} query\[%{WORD:query_type}\] %{FQDN:domain_request} from %{IP:request_from}$",
 # reponse domain to ip
 "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is %{IP:ip_response}$",
@@ -74,13 +74,13 @@ filter {
 # to do cached and cached reverse
- if [request_from] {
+ if [request_from] and [message] =~ "query" {
 mutate {
 add_tag => [ "request and query type" ]
 }
 }
- else if [ip_response] {
+ else if [ip_response] and [message] =~ "reply" {
 geoip {
 source => "ip_response"
 }
@@ -173,8 +173,7 @@ filter {
 dns {
 reverse => ["source_fqdn"]
- action => "replace"
-# nameserver => ["localhost"]
+ action => "replace"
 hit_cache_size => 4096
 hit_cache_ttl => 900
 failed_cache_size => 512
-- 
GitLab
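Review bot: The new `if [request_from] and [message] =~ "query"` and `else if [ip_response] and [message] =~ "reply"` conditions run unanchored patterns over the whole log line, and the line includes the queried domain name, which is chosen by the DNS client, so `=~ "reply"` also fires on a non-reply line whose domain merely contains the word (a `cached noreply.example.com is …` line would still be tagged and geo-located as a reply), and `"query"` has the same weakness. The dnsmasq verb sits at a fixed position between the prefix and the FQDN, so matching it with its delimiters is both tighter and cheap: `if [request_from] and [message] =~ /query\[/ {` and `else if [ip_response] and [message] =~ / reply / {`, since neither `[` nor a space can occur inside the captured FQDN. Which other grok pattern (presumably a `cached` or `config` variant, per the `# to do cached and cached reverse` comment) also populates `ip_response` is not visible in this hunk, so the exact overlap the commit is working around is inferred. The if/else chain continues past the end of the hunk.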