From ec76d1076945e75eddf3158e5688cbf378e95217 Mon Sep 17 00:00:00 2001
From: 9S <strrrn@gmail.com>
Date: Sat, 16 Nov 2019 15:57:30 +0100
Subject: [PATCH] Update 20-dns-syslog.conf
added geo_ip lookups for all possible events
---
logstash/conf.d/20-dns-syslog.conf | 107 +++++++++++++++++++----------
1 file changed, 71 insertions(+), 36 deletions(-)
diff --git a/logstash/conf.d/20-dns-syslog.conf b/logstash/conf.d/20-dns-syslog.conf
index 3180566..2abf073 100644
--- a/logstash/conf.d/20-dns-syslog.conf
+++ b/logstash/conf.d/20-dns-syslog.conf
@@ -1,3 +1,9 @@
+#################################################################
+# logstash parsing logic and tagging for elk-hole #
+# created by n9nes #
+# feel free to star the rep - https://github.com/nin9s/elk-hole #
+#################################################################
+
input {
beats {
port => 5141
@@ -7,18 +13,14 @@ input {
}
filter {
-
- date {
- match => [ "date", "MMM d HH:mm:ss" ]
- }
- if "pihole" in [tags]{
+ if "pihole" in [tags] {
grok {
patterns_dir => ["/etc/logstash/patterns/"]
match => {
"message" => [
-
-# request - query type
+
+ # request - query type
"^%{DNSMASQPREFIX} query\[%{WORD:query_type}\] %{FQDN:domain_request} from %{IP:request_from}$",
# reponse domain to ip
"^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is %{IP:ip_response}$",
@@ -38,6 +40,8 @@ filter {
"^%{DNSMASQPREFIX} \/etc\/pihole\/local\.list %{FQDN:blocked_domain} is %{IP:pihole}$",
# blacklist
"^%{DNSMASQPREFIX} \/etc\/pihole\/black\.list %{FQDN:blocked_domain} is %{IP:pihole}$",
+ # regex
+ "^%{DNSMASQPREFIX} \/etc\/pihole\/regex\.list %{FQDN:blocked_domain} is %{IP:pihole}$",
# reverse response etc hosts ip to domain
"^%{DNSMASQPREFIX} \/etc\/hosts %{IP:ip_request} is %{FQDN:domain_response}$",
# reverse response etc hosts domain to ip
@@ -59,7 +63,9 @@ filter {
# SRV
"^%{DNSMASQPREFIX} query\[%{WORD:query_type}\] %{HOSTNAMEPTR:request} from %{IP:request_from}$",
# SRV forwarded
- "^%{DNSMASQPREFIX} forwarded %{HOSTNAMEPTR:request} to %{IP:dns_forward_to}$"
+ "^%{DNSMASQPREFIX} forwarded %{HOSTNAMEPTR:request} to %{IP:dns_forward_to}$" ,
+ # SERVFAIL
+ "^%{DNSMASQPREFIX} reply error is SERVFAIL"
]
}
@@ -67,13 +73,31 @@ filter {
# to do cached and cached reverse
+ if [message] =~ "cached" and [message] =~ "NXDOMAIN" {
+ mutate {
+ add_tag => [ "cached NXDOMAIN" ]
+ }
+ }
- if [request_from] {
+ else if [NODATA-IPv4] {
+ mutate {
+ add_tag => [ "NODATA" ]
+ }
+ }
+
+ else if [NODATA-IPv6] {
+ mutate {
+ add_tag => [ "NODATA" ]
+ }
+ }
+
+ else if [request_from] and [message] =~ "query" {
mutate {
add_tag => [ "request and query type" ]
}
}
- else if [ip_response] {
+
+ else if [ip_response] and [message] =~ "reply" {
geoip {
source => "ip_response"
}
@@ -81,62 +105,70 @@ filter {
add_tag => [ "response domain to ip" ]
}
}
+
else if [message] =~ "CNAME" and [message] =~ "reply" {
mutate {
add_tag => [ "response domain to ip CNAME" ]
}
}
+
else if [domain_response] and [message] =~ "reply" {
mutate {
add_tag => [ "response ip to domain" ]
}
+ geoip {
+ source => "ip_request"
+ }
}
+
else if [blocked_domain] {
mutate {
add_tag => [ "piholed" ]
}
}
+
else if [message] =~ "\/etc\/hosts" {
mutate {
add_tag => [ "reverse hostsfile" ]
}
}
+
else if [dns_forward_to] {
mutate {
add_tag => [ "dns forward" ]
}
}
+
else if [ip_request] and [message] =~ "cached" {
mutate {
add_tag => [ "cached ip to domain" ]
}
- }
- else if [domain_request] and [message] =~ "cached" {
- mutate {
- add_tag => [ "cached domain to ip" ]
+ geoip {
+ source => "ip_request"
}
}
- else if [message] =~ "cached" and [message] =~ "CNAME" {
+
+ else if [domain_request] and [message] =~ "cached" and [message] =~ "CNAME" {
mutate {
add_tag => [ "cached domain to ip cname" ]
}
}
- else if [message] =~ "cached" and [message] =~ "NXDOMAIN" {
- mutate {
- add_tag => [ "cached NXDOMAIN" ]
- }
- }
- else if [NODATA-IPv4] {
+
+ else if [domain_request] and [message] =~ "cached" {
mutate {
- add_tag => [ "NODATA" ]
+ add_tag => [ "cached domain to ip" ]
}
- }
- else if [NODATA-IPv6] {
- mutate {
- add_tag => [ "NODATA" ]
+ geoip {
+ source => "ip_response"
}
}
+ if [domain_request] {
+ geoip {
+ source => "domain_request"
+ }
+ }
+
mutate {
add_field => {
"[source_fqdn]" => "%{source_host}"
@@ -146,7 +178,6 @@ filter {
dns {
reverse => ["source_fqdn"]
action => "replace"
- nameserver => ["localhost"]
hit_cache_size => 4096
hit_cache_ttl => 900
failed_cache_size => 512
@@ -154,17 +185,21 @@ filter {
}
+ date {
+ match => [ "date", "MMM d HH:mm:ss","MMM dd HH:mm:ss" ]
+ }
+
}
}
+
output {
- if "pihole" in [tags]{
- elasticsearch {
- hosts => ["192.168.254.248:9200"]
- user => "elastic"
- password => "Service.1"
- manage_template => false
- index => "logstash-syslog-dns-%{+YYYY.MM}"
- }
- }
+# stdout { codec => rubydebug }
+ if "pihole" in [tags]{
+ elasticsearch {
+ hosts => ["monitoring.unimatrix01.local:9200"]
+ manage_template => false
+ index => "logstash-syslog-dns-%{+YYYY.MM}"
+ }
+ }
}
--
GitLab