diff --git a/dnsmasq.d/99-pihole-log-facility.conf b/dnsmasq.d/99-pihole-log-facility.conf
index 96e6d46f5fe67c9c3490fc8b4ab1db3d70f50758..12db8a76fb071cb0fc0d7460c48d237b07918ef9 100644
--- a/dnsmasq.d/99-pihole-log-facility.conf
+++ b/dnsmasq.d/99-pihole-log-facility.conf
@@ -1 +1,2 @@
+# settings to extra to be able to catch the ip of the requesting host
log-queries=extra
\ No newline at end of file
diff --git a/logstash/conf.d/20-dns-syslog.conf b/logstash/conf.d/20-dns-syslog.conf
index af2247cf48f278d0cb0ffa428e8b9387182510be..708fbb661aa83aea797e072612e6e17e2e05d8a2 100644
--- a/logstash/conf.d/20-dns-syslog.conf
+++ b/logstash/conf.d/20-dns-syslog.conf
@@ -1,161 +1,182 @@
input {
- beats {
- port => 5141
- type => "logs"
- tags => ["pihole","5141"]
- }
+ beats {
+ port => 5141
+ type => "logs"
+ tags => ["pihole","5141"]
+ }
}
-filter {
- if "pihole" in [tags]{
- grok {
- patterns_dir => ["/etc/logstash/patterns/"]
- match => {
- "message" => [
-
-# request - query type
- "^%{DNSMASQPREFIX} query\[%{WORD:query_type}\] %{FQDN:domain_request} from %{IP:request_from}$",
- # reponse domain to ip
- "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is %{IP:ip_response}$",
- # response domain is NXDOMAIN
- "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is NXDOMAIN$",
- # response config domain is NXDOMAIN
- "^%{DNSMASQPREFIX} config %{FQDN:domain_request} is NXDOMAIN$",
- # response config domain is no-DATA
- "^%{DNSMASQPREFIX} config %{FQDN:domain_request} is NODATA-IPv[4,6]$",
- # reponse domain to ip cname
- "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is \<CNAME\>$",
- # respone ip to domain
- "^%{DNSMASQPREFIX} reply %{IP:ip_request} is %{FQDN:domain_response}$",
- # piholed
- "^%{DNSMASQPREFIX} \/etc\/pihole\/gravity\.list %{FQDN:blocked_domain} is %{IP:pihole}$",
- # piholed local
- "^%{DNSMASQPREFIX} \/etc\/pihole\/local\.list %{FQDN:blocked_domain} is %{IP:pihole}$",
- # blacklist
- "^%{DNSMASQPREFIX} \/etc\/pihole\/black\.list %{FQDN:blocked_domain} is %{IP:pihole}$",
- # reverse response etc hosts ip to domain
- "^%{DNSMASQPREFIX} \/etc\/hosts %{IP:ip_request} is %{FQDN:domain_response}$",
- # reverse response etc hosts domain to ip
- "^%{DNSMASQPREFIX} \/etc\/hosts %{FQDN:domain_request} is %{IP:ip_response}$",
- # forward dns to
- "^%{DNSMASQPREFIX} forwarded %{FQDN:domain_request} to %{IP:dns_forward_to}$",
- # cached domain to ip
- "^%{DNSMASQPREFIX} cached %{FQDN:domain_request} is %{IP:ip_response}$",
- # cached ip to domain
- "^%{DNSMASQPREFIX} cached %{IP:ip_request} is %{FQDN:domain_response}$",
- # cached domain to ip cname
- "^%{DNSMASQPREFIX} cached %{FQDN:domain_request} is \<CNAME\>$",
- # cached domain is NXDOMAIN
- "^%{DNSMASQPREFIX} cached %{FQDN:domain_request} is NXDOMAIN$",
- # cached domain is no-DATA
- "^%{DNSMASQPREFIX} cached %{FQDN:domain_request} is NODATA-IPv[4,6]$",
- # domain is no-DATA
- "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is NODATA-IPv[4,6]$",
- # SRV
- "^%{DNSMASQPREFIX} query\[%{WORD:query_type}\] %{HOSTNAMEPTR:request} from %{IP:request_from}$",
- # SRV forwarded
- "^%{DNSMASQPREFIX} forwarded %{HOSTNAMEPTR:request} to %{IP:dns_forward_to}$"
+#################################################################################
- ]
- }
-}
+filter {
+ if "pihole" in [tags]{
+ grok {
+ patterns_dir => ["/etc/logstash/patterns/"]
+ match => { "message" => [
-# to do cached and cached reverse
+ # request - query type
+ "^%{DNSMASQPREFIX} query\[%{WORD:query_type}\] %{FQDN:domain_request} from %{IP:request_from}$",
+
+ # reponse domain to ip
+ "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is %{IP:ip_response}$",
+
+ # response domain is NXDOMAIN
+ "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is NXDOMAIN$",
+
+ # response config domain is NXDOMAIN
+ "^%{DNSMASQPREFIX} config %{FQDN:domain_request} is NXDOMAIN$",
+
+ # response config domain is no-DATA
+ "^%{DNSMASQPREFIX} config %{FQDN:domain_request} is NODATA-IPv[4,6]$",
+
+ # reponse domain to ip cname
+ "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is \<CNAME\>$",
+
+ # respone ip to domain
+ "^%{DNSMASQPREFIX} reply %{IP:ip_request} is %{FQDN:domain_response}$",
+
+ # piholed
+ "^%{DNSMASQPREFIX} \/etc\/pihole\/gravity\.list %{FQDN:blocked_domain} is %{IP:pihole}$",
+
+ # piholed local
+ "^%{DNSMASQPREFIX} \/etc\/pihole\/local\.list %{FQDN:blocked_domain} is %{IP:pihole}$",
+
+ # blacklist
+ "^%{DNSMASQPREFIX} \/etc\/pihole\/black\.list %{FQDN:blocked_domain} is %{IP:pihole}$",
+
+ # reverse response etc hosts ip to domain
+ "^%{DNSMASQPREFIX} \/etc\/hosts %{IP:ip_request} is %{FQDN:domain_response}$",
+
+ # reverse response etc hosts domain to ip
+ "^%{DNSMASQPREFIX} \/etc\/hosts %{FQDN:domain_request} is %{IP:ip_response}$",
+
+ # forward dns to
+ "^%{DNSMASQPREFIX} forwarded %{FQDN:domain_request} to %{IP:dns_forward_to}$",
+
+ # cached domain to ip
+ "^%{DNSMASQPREFIX} cached %{FQDN:domain_request} is %{IP:ip_response}$",
+
+ # cached ip to domain
+ "^%{DNSMASQPREFIX} cached %{IP:ip_request} is %{FQDN:domain_response}$",
+
+ # cached domain to ip cname
+ "^%{DNSMASQPREFIX} cached %{FQDN:domain_request} is \<CNAME\>$",
+
+ # cached domain is NXDOMAIN
+ "^%{DNSMASQPREFIX} cached %{FQDN:domain_request} is NXDOMAIN$",
+
+ # cached domain is no-DATA
+ "^%{DNSMASQPREFIX} cached %{FQDN:domain_request} is NODATA-IPv[4,6]$",
+
+ # domain is no-DATA
+ "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is NODATA-IPv[4,6]$",
+
+ # SRV
+ "^%{DNSMASQPREFIX} query\[%{WORD:query_type}\] %{HOSTNAMEPTR:request} from %{IP:request_from}$",
+
+ # SRV forwarded
+ "^%{DNSMASQPREFIX} forwarded %{HOSTNAMEPTR:request} to %{IP:dns_forward_to}$"
+ ]
+ }
+ }
- if [request_from] {
- mutate {
- add_tag => [ "request and query type" ]
- }
- }
- else if [ip_response] {
- mutate {
- add_tag => [ "response domain to ip" ]
- }
- }
- else if [message] =~ "CNAME" and [message] =~ "reply" {
- mutate {
- add_tag => [ "response domain to ip CNAME" ]
- }
- }
- else if [domain_response] and [message] =~ "reply" {
- mutate {
- add_tag => [ "response ip to domain" ]
- }
- }
- else if [blocked_domain] {
- mutate {
- add_tag => [ "piholed" ]
- }
- }
- else if [message] =~ "\/etc\/hosts" {
- mutate {
- add_tag => [ "reverse hostsfile" ]
- }
- }
- else if [dns_forward_to] {
- mutate {
- add_tag => [ "dns forward" ]
- }
- }
- else if [ip_request] and [message] =~ "cached" {
- mutate {
- add_tag => [ "cached ip to domain" ]
- }
- }
- else if [domain_request] and [message] =~ "cached" {
- mutate {
- add_tag => [ "cached domain to ip" ]
- }
- }
- else if [message] =~ "cached" and [message] =~ "CNAME" {
- mutate {
- add_tag => [ "cached domain to ip cname" ]
- }
- }
- else if [message] =~ "cached" and [message] =~ "NXDOMAIN" {
- mutate {
- add_tag => [ "cached NXDOMAIN" ]
- }
- }
- else if [NODATA-IPv4] {
- mutate {
- add_tag => [ "NODATA" ]
- }
- }
- else if [NODATA-IPv6] {
- mutate {
- add_tag => [ "NODATA" ]
- }
- }
- mutate {
- add_field => {
- "[source_fqdn]" => "%{source_host}"
- }
- }
+ if [request_from] {
+ mutate {
+ add_tag => [ "request and query type" ]
+ }
+ }
+ else if [ip_response] {
+ mutate {
+ add_tag => [ "response domain to ip" ]
+ }
+ }
+ else if [message] =~ "CNAME" and [message] =~ "reply" {
+ mutate {
+ add_tag => [ "response domain to ip CNAME" ]
+ }
+ }
+ else if [domain_response] and [message] =~ "reply" {
+ mutate {
+ add_tag => [ "response ip to domain" ]
+ }
+ }
+ else if [blocked_domain] {
+ mutate {
+ add_tag => [ "piholed" ]
+ }
+ }
+ else if [message] =~ "\/etc\/hosts" {
+ mutate {
+ add_tag => [ "reverse hostsfile" ]
+ }
+ }
+ else if [dns_forward_to] {
+ mutate {
+ add_tag => [ "dns forward" ]
+ }
+ }
+ else if [ip_request] and [message] =~ "cached" {
+ mutate {
+ add_tag => [ "cached ip to domain" ]
+ }
+ }
+ else if [domain_request] and [message] =~ "cached" {
+ mutate {
+ add_tag => [ "cached domain to ip" ]
+ }
+ }
+ else if [message] =~ "cached" and [message] =~ "CNAME" {
+ mutate {
+ add_tag => [ "cached domain to ip cname" ]
+ }
+ }
+ else if [message] =~ "cached" and [message] =~ "NXDOMAIN" {
+ mutate {
+ add_tag => [ "cached NXDOMAIN" ]
+ }
+ }
+ else if [NODATA-IPv4] {
+ mutate {
+ add_tag => [ "NODATA" ]
+ }
+ }
+ else if [NODATA-IPv6] {
+ mutate {
+ add_tag => [ "NODATA" ]
+ }
+ }
- dns {
- reverse => ["source_fqdn"]
- action => "replace"
- nameserver => ["localhost"]
- hit_cache_size => 4096
- hit_cache_ttl => 900
- failed_cache_size => 512
- failed_cache_ttl => 900
- }
+ mutate {
+ add_field => {
+ "[source_fqdn]" => "%{source_host}"
+ }
+ }
+
+ dns {
+ reverse => ["source_fqdn"]
+ action => "replace"
+ nameserver => ["localhost"]
+ hit_cache_size => 4096
+ hit_cache_ttl => 900
+ failed_cache_size => 512
+ failed_cache_ttl => 900
+ }
- }
+ }
}
+#################################################################################
+
output {
- if "pihole" in [tags]{
- elasticsearch {
- # ELASTICSEARCHHOST:PORT
+ if "pihole" in [tags]{
+ elasticsearch {
+ # ELASTICSEARCHHOST:PORT - CHANGE TO MATCH YOUR ELASTICSEARCH IP ADDRESS
hosts => ["127.0.0.1:9200"]
manage_template => false
index => "logstash-syslog-dns-%{+YYYY.MM}"
- }
- }
+ }
+ }
}
\ No newline at end of file