From c5dda61a12c055ead23ec83b181e236b1e00f8da Mon Sep 17 00:00:00 2001
From: nin9s <strrrn@gmail.com>
Date: Tue, 24 Sep 2019 20:13:12 +0200
Subject: [PATCH] Update 20-dns-syslog.conf

Fix incorrect tagging of "request and query type" and "response domain to ip": the branches previously keyed on field presence alone and now also require the dnsmasq `query`/`reply` keyword in the message.
---
 logstash/conf.d/20-dns-syslog.conf | 15 +++++++--------
 1 file changed, 7 insertions(+), 8 deletions(-)

diff --git a/logstash/conf.d/20-dns-syslog.conf b/logstash/conf.d/20-dns-syslog.conf
index c473dd1..4aa838b 100644
--- a/logstash/conf.d/20-dns-syslog.conf
+++ b/logstash/conf.d/20-dns-syslog.conf
@@ -1,7 +1,7 @@
 #################################################################
-# logstash parsing logic and tagging for elk-hole				#
-# created by n9nes												#
-# feel free to star the rep - https://github.com/nin9s/elk-hole	#
+# logstash parsing logic and tagging for elk-hole               #
+# created by n9nes                                              #
+# feel free to star the rep - https://github.com/nin9s/elk-hole #
 #################################################################
 
 input {
@@ -20,7 +20,7 @@ filter {
       match => {
                 "message" => [
 
-# request - query type
+ # request - query type
  "^%{DNSMASQPREFIX} query\[%{WORD:query_type}\] %{FQDN:domain_request} from %{IP:request_from}$",
  # reponse domain to ip
  "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is %{IP:ip_response}$",
@@ -74,13 +74,13 @@ filter {
 # to do cached and cached reverse
 
 
-      if [request_from] {
+      if [request_from] and [message] =~ "query" {
         mutate {
           add_tag => [ "request and query type" ]
         }
       }
 
-      else if [ip_response] {
+      else if [ip_response] and [message] =~ "reply" {
         geoip {
           source => "ip_response"
         }
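Review bot: The added guards `[message] =~ "query"` and `[message] =~ "reply"` are unanchored substring regexes over the whole log line, so they are satisfied just as readily by a client-chosen domain name (a lookup for `reply.example.com` or `my-query.net`) as by the dnsmasq verb the commit intends to match. Because the fields being tested are also filled by grok patterns outside this hunk, a crafted name can still steer a line into the wrong branch, which is exactly what the commit is trying to stop. Anchor on the verb as it appears after the prefix instead: `if [request_from] and [message] =~ / query\[/ {` and `else if [ip_response] and [message] =~ / reply / {`. The conditional chain and the geoip block continue past the end of this hunk.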
@@ -173,8 +173,7 @@ filter {
 
     dns {
       reverse => ["source_fqdn"]
-      action => "replace"
-#      nameserver => ["localhost"]
+      action => "replace"					  
       hit_cache_size => 4096
       hit_cache_ttl => 900
       failed_cache_size => 512
-- 
GitLab