From ec76d1076945e75eddf3158e5688cbf378e95217 Mon Sep 17 00:00:00 2001
From: 9S <strrrn@gmail.com>
Date: Sat, 16 Nov 2019 15:57:30 +0100
Subject: [PATCH] Update 20-dns-syslog.conf

added geo_ip lookups for all possible events
---
 logstash/conf.d/20-dns-syslog.conf | 107 +++++++++++++++++++----------
 1 file changed, 71 insertions(+), 36 deletions(-)

diff --git a/logstash/conf.d/20-dns-syslog.conf b/logstash/conf.d/20-dns-syslog.conf
index 3180566..2abf073 100644
--- a/logstash/conf.d/20-dns-syslog.conf
+++ b/logstash/conf.d/20-dns-syslog.conf
@@ -1,3 +1,9 @@
+#################################################################
+# logstash parsing logic and tagging for elk-hole               #
+# created by n9nes                                              #
+# feel free to star the rep - https://github.com/nin9s/elk-hole #
+#################################################################
+
 input {
        beats {
        port => 5141
@@ -7,18 +13,14 @@ input {
 }
 
 filter {
-  
-  date {
-      match => [ "date", "MMM  d HH:mm:ss" ]
-  }
 
-  if "pihole" in [tags]{
+  if "pihole" in [tags] {
     grok {
       patterns_dir => ["/etc/logstash/patterns/"]
       match => {
                 "message" => [
-          
-# request - query type
+
+ # request - query type
  "^%{DNSMASQPREFIX} query\[%{WORD:query_type}\] %{FQDN:domain_request} from %{IP:request_from}$",
  # reponse domain to ip
  "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is %{IP:ip_response}$",
@@ -38,6 +40,8 @@ filter {
  "^%{DNSMASQPREFIX} \/etc\/pihole\/local\.list %{FQDN:blocked_domain} is %{IP:pihole}$",
  # blacklist
  "^%{DNSMASQPREFIX} \/etc\/pihole\/black\.list %{FQDN:blocked_domain} is %{IP:pihole}$",
+ # regex
+ "^%{DNSMASQPREFIX} \/etc\/pihole\/regex\.list %{FQDN:blocked_domain} is %{IP:pihole}$",
  # reverse response etc hosts ip to domain
  "^%{DNSMASQPREFIX} \/etc\/hosts %{IP:ip_request} is %{FQDN:domain_response}$",
  # reverse response etc hosts domain to ip
@@ -59,7 +63,9 @@ filter {
  # SRV
  "^%{DNSMASQPREFIX} query\[%{WORD:query_type}\] %{HOSTNAMEPTR:request} from %{IP:request_from}$",
  # SRV forwarded
- "^%{DNSMASQPREFIX} forwarded %{HOSTNAMEPTR:request} to %{IP:dns_forward_to}$" 
+ "^%{DNSMASQPREFIX} forwarded %{HOSTNAMEPTR:request} to %{IP:dns_forward_to}$" ,
+ # SERVFAIL
+ "^%{DNSMASQPREFIX} reply error is SERVFAIL"
 
                   ]
       }
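Review bot: The new SERVFAIL pattern parses the line but nothing downstream tags it: none of the branches in the tagging chain (which lives in the later hunks of this file) test for it, and since the pattern captures no `ip_response`/`domain_response`/`blocked_domain` field, SERVFAIL events now pass through with neither a tag nor a `_grokparsefailure`, which hides upstream resolver failures that a defender would normally want to count. A branch such as `else if [message] =~ "SERVFAIL" {` / `  mutate { add_tag => [ "servfail" ] }` / `}` in the chain would make them visible. For consistency with every other pattern in this list the new one should also be anchored, `"^%{DNSMASQPREFIX} reply error is SERVFAIL$"`, so a longer suffix cannot satisfy it silently. The grok `match` array continues outside this hunk.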
@@ -67,13 +73,31 @@ filter {
 
 # to do cached and cached reverse
 
+      if [message] =~ "cached" and [message] =~ "NXDOMAIN" {
+        mutate {
+          add_tag => [ "cached NXDOMAIN" ]
+        }
+      }
 
-      if [request_from] {
+      else if [NODATA-IPv4] {
+        mutate {
+          add_tag => [ "NODATA" ]
+        }
+      }
+
+      else if [NODATA-IPv6] {
+        mutate {
+          add_tag => [ "NODATA" ]
+        }
+      }
+
+      else if [request_from] and [message] =~ "query" {
         mutate {
           add_tag => [ "request and query type" ]
         }
       }
-      else if [ip_response] {
+
+      else if [ip_response] and [message] =~ "reply" {
         geoip {
           source => "ip_response"
         }
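Review bot: The two `NODATA-IPv4` / `NODATA-IPv6` branches moved here are byte-identical apart from the field they test, so they could be one branch: `else if [NODATA-IPv4] or [NODATA-IPv6] {` / `  mutate { add_tag => [ "NODATA" ] }` / `}`. Whether those fields are ever populated depends on grok captures that are not in this hunk, so that is worth confirming before relying on the tag. The `=~ "cached"`, `=~ "query"` and `=~ "reply"` tests are unanchored substring matches on the whole message, which is fine for dnsmasq's fixed vocabulary but would misclassify a queried domain that itself contains one of those words; a comment noting this assumption, `# substring tests rely on dnsmasq keywords not appearing inside domain names`, would save the next reader a question. The if/else-if chain continues past the end of this hunk.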
@@ -81,62 +105,70 @@ filter {
           add_tag => [ "response domain to ip" ]
         }
       }
+
       else if [message] =~ "CNAME" and [message] =~ "reply" {
         mutate {
           add_tag => [ "response domain to ip CNAME" ]
         }
       }
+
       else if [domain_response] and [message] =~ "reply" {
         mutate {
           add_tag => [ "response ip to domain" ]
         }
+        geoip {
+          source => "ip_request"
+        }
       }
+
       else if [blocked_domain] {
         mutate {
           add_tag => [ "piholed" ]
         }
       }
+
       else if [message] =~ "\/etc\/hosts" {
         mutate {
           add_tag => [ "reverse hostsfile" ]
         }
       }
+
       else if [dns_forward_to] {
         mutate {
           add_tag => [ "dns forward" ]
         }
       }
+
       else if [ip_request] and [message] =~ "cached" {
         mutate {
           add_tag => [ "cached ip to domain" ]
         }
-      }
-      else if [domain_request] and [message] =~ "cached" {
-        mutate {
-          add_tag => [ "cached domain to ip" ]
+        geoip {
+          source => "ip_request"
         }
       }
-      else if [message] =~ "cached" and [message] =~ "CNAME" {
+
+      else if [domain_request] and [message] =~ "cached" and [message] =~ "CNAME" {
         mutate {
           add_tag => [ "cached domain to ip cname" ]
         }
       }
-      else if [message] =~ "cached" and [message] =~ "NXDOMAIN" {
-        mutate {
-          add_tag => [ "cached NXDOMAIN" ]
-        }
-      }
-      else if [NODATA-IPv4] {
+
+      else if [domain_request] and [message] =~ "cached" {
         mutate {
-          add_tag => [ "NODATA" ]
+          add_tag => [ "cached domain to ip" ]
         }
-      }
-      else if [NODATA-IPv6] {
-        mutate {
-          add_tag => [ "NODATA" ]
+        geoip {
+          source => "ip_response"
         }
       }
 
+      if [domain_request] {
+        geoip {
+          source => "domain_request"
+        }               
+      }
+ 
   mutate {
       add_field => {
         "[source_fqdn]" => "%{source_host}"
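Review bot: The trailing `geoip { source => "domain_request" }` block at the end of the chain will fail on every event, because the geoip filter needs an IP address in `source` and `domain_request` is captured by `%{FQDN:...}`; each such event will just gain a `_geoip_lookup_failure` tag and no location data. That block should be removed, or the name resolved first (e.g. with a `dns` filter into a separate field) and the resolved address passed to geoip. The new `geoip { source => "ip_request" }` calls in the "response ip to domain" and "cached ip to domain" branches presumably see LAN addresses most of the time on a Pi-hole, in which case they will also produce `_geoip_lookup_failure` per event; if that is the case, guarding them with a private-range check or tagging them separately keeps the failure tag meaningful. The closing lines of the new geoip block also carry trailing whitespace (`}               `).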
@@ -146,7 +178,6 @@ filter {
     dns {
       reverse => ["source_fqdn"]
       action => "replace"
-      nameserver => ["localhost"]
       hit_cache_size => 4096
       hit_cache_ttl => 900
       failed_cache_size => 512
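Review bot: Dropping `nameserver => ["localhost"]` silently switches the reverse lookups of `source_fqdn` to the Logstash host's system resolver, which the commit message does not mention. If that resolver is the Pi-hole being monitored, every enriched event will trigger a PTR query that dnsmasq logs and this pipeline ingests again, so the hit/failed caches are the only thing limiting the feedback; a one-line comment on the `dns` filter stating which resolver is expected, `# uses the system resolver; point it away from the monitored Pi-hole`, would make the dependency explicit. The `dns` filter block starts before this hunk.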
@@ -154,17 +185,21 @@ filter {
     }
 
 
+  date {
+    match => [ "date", "MMM  d HH:mm:ss","MMM dd HH:mm:ss" ]
+  }
+
   }
 }
 
+
 output {
-  if "pihole" in [tags]{
-      elasticsearch {
-            hosts => ["192.168.254.248:9200"]
-            user => "elastic"
-            password => "Service.1"
-            manage_template => false
-            index => "logstash-syslog-dns-%{+YYYY.MM}"
-  }
- }
+#       stdout { codec => rubydebug }
+        if "pihole" in [tags]{
+                elasticsearch {
+                        hosts => ["monitoring.unimatrix01.local:9200"]
+                        manage_template => false
+                        index => "logstash-syslog-dns-%{+YYYY.MM}"
+                }
+        }
 }
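Review bot: The rewritten `elasticsearch` output no longer sets `user`/`password` and specifies no `ssl` or scheme on `hosts`, so unless the cluster is deliberately unauthenticated the pipeline will be rejected at startup, and either way the transport is plain HTTP to `monitoring.unimatrix01.local:9200`; credentials belong in the Logstash keystore (`user => "${ES_USER}"`, `password => "${ES_PASSWORD}"`) with `ssl => true` rather than being omitted. The `elastic` / `Service.1` pair removed here remains in git history and should be treated as exposed and rotated on the cluster. Moving the `date` filter inside the `"pihole" in [tags]` branch also means non-Pi-hole events arriving on the beats input now keep the ingest time as `@timestamp`, which is a change the description does not cover; a comment on the filter such as `# only pihole events get their syslog timestamp parsed` would record that. The commented-out `stdout { codec => rubydebug }` line is debug residue that is better left out of the committed config.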
-- 
GitLab