From ec76d1076945e75eddf3158e5688cbf378e95217 Mon Sep 17 00:00:00 2001
From: 9S <strrrn@gmail.com>
Date: Sat, 16 Nov 2019 15:57:30 +0100
Subject: [PATCH] Update 20-dns-syslog.conf added geo_ip lookups for all possible events
---
 logstash/conf.d/20-dns-syslog.conf | 107 +++++++++++++++++++----------
 1 file changed, 71 insertions(+), 36 deletions(-)
diff --git a/logstash/conf.d/20-dns-syslog.conf b/logstash/conf.d/20-dns-syslog.conf
index 3180566..2abf073 100644
--- a/logstash/conf.d/20-dns-syslog.conf
+++ b/logstash/conf.d/20-dns-syslog.conf
@@ -1,3 +1,9 @@
+#################################################################
+# logstash parsing logic and tagging for elk-hole #
+# created by n9nes #
+# feel free to star the rep - https://github.com/nin9s/elk-hole #
+#################################################################
+
 input {
 beats {
 port => 5141
@@ -7,18 +13,14 @@ input {
 }
 filter {
-
- date {
- match => [ "date", "MMM d HH:mm:ss" ]
- }
- if "pihole" in [tags]{
+ if "pihole" in [tags] {
 grok {
 patterns_dir => ["/etc/logstash/patterns/"]
 match => {
 "message" => [
-
-# request - query type
+
+ # request - query type
 "^%{DNSMASQPREFIX} query\[%{WORD:query_type}\] %{FQDN:domain_request} from %{IP:request_from}$",
 # reponse domain to ip
 "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is %{IP:ip_response}$",
@@ -38,6 +40,8 @@ filter {
 "^%{DNSMASQPREFIX} \/etc\/pihole\/local\.list %{FQDN:blocked_domain} is %{IP:pihole}$",
 # blacklist
 "^%{DNSMASQPREFIX} \/etc\/pihole\/black\.list %{FQDN:blocked_domain} is %{IP:pihole}$",
+ # regex
+ "^%{DNSMASQPREFIX} \/etc\/pihole\/regex\.list %{FQDN:blocked_domain} is %{IP:pihole}$",
 # reverse response etc hosts ip to domain
 "^%{DNSMASQPREFIX} \/etc\/hosts %{IP:ip_request} is %{FQDN:domain_response}$",
 # reverse response etc hosts domain to ip
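Review bot: The regex.list pattern added in hunk @@ -38,6 +40,8 @@ is the third copy of a line that differs only in the list filename, and none of the three records which list produced the block, so a `piholed` event cannot be attributed to local.list, black.list or regex.list without re-parsing the message. One pattern capturing the list name would replace all three and keep the grok list from growing with every new Pi-hole list: `"^%{DNSMASQPREFIX} \/etc\/pihole\/%{WORD:block_list}\.list %{FQDN:blocked_domain} is %{IP:pihole}$"`. That also matches any other `/etc/pihole/*.list` hit, which may or may not be wanted. The match array continues outside the hunk.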
@@ -59,7 +63,9 @@ filter {
 # SRV
 "^%{DNSMASQPREFIX} query\[%{WORD:query_type}\] %{HOSTNAMEPTR:request} from %{IP:request_from}$",
 # SRV forwarded
- "^%{DNSMASQPREFIX} forwarded %{HOSTNAMEPTR:request} to %{IP:dns_forward_to}$"
+ "^%{DNSMASQPREFIX} forwarded %{HOSTNAMEPTR:request} to %{IP:dns_forward_to}$" ,
+ # SERVFAIL
+ "^%{DNSMASQPREFIX} reply error is SERVFAIL"
 ]
 }
@@ -67,13 +73,31 @@ filter {
 # to do cached and cached reverse
+ if [message] =~ "cached" and [message] =~ "NXDOMAIN" {
+ mutate {
+ add_tag => [ "cached NXDOMAIN" ]
+ }
+ }
- if [request_from] {
+ else if [NODATA-IPv4] {
+ mutate {
+ add_tag => [ "NODATA" ]
+ }
+ }
+
+ else if [NODATA-IPv6] {
+ mutate {
+ add_tag => [ "NODATA" ]
+ }
+ }
+
+ else if [request_from] and [message] =~ "query" {
 mutate {
 add_tag => [ "request and query type" ]
 }
 }
- else if [ip_response] {
+
+ else if [ip_response] and [message] =~ "reply" {
 geoip {
 source => "ip_response"
 }
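Review bot: The new SERVFAIL pattern at the end of hunk @@ -59,7 +63,9 @@ is the only entry without a trailing `$` anchor and captures no field, so a matching event parses cleanly but then falls through every `else if` of the tagging chain untagged, because each branch tests a captured field or a substring (`cached`, `query`, `reply`, `CNAME`, `/etc/hosts`) that this message does not carry. Unless dnsmasq appends something after `SERVFAIL` in practice, `"^%{DNSMASQPREFIX} reply error is SERVFAIL$"` keeps it consistent with the other patterns, and a branch such as `else if [message] =~ "SERVFAIL" { mutate { add_tag => [ "servfail" ] } }` makes upstream failures visible, which is the event a resolver outage or a blocked forwarder shows up as. The stray space before the comma on the forwarded line (`$" ,`) should also go.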
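Review bot: The new branch conditions in hunk @@ -67,13 +73,31 @@ test the whole `[message]` with unanchored substrings (`"cached"`, `"NXDOMAIN"`, `"query"`, `"reply"`), and the message includes the client-supplied query name (`%{FQDN:domain_request} from %{IP:request_from}`), so a lookup for a name that happens to contain `cached` and `NXDOMAIN` is tagged `cached NXDOMAIN` by the first branch and never reaches `request and query type`; the `"CNAME"` and `"\/etc\/hosts"` tests in hunk @@ -81,62 +105,70 @@ have the same weakness. The grok patterns already fix the verb position, so the branches should test captured fields instead of the raw message: `[query_type]` is only set by the `query[...]` patterns, and a verb capture after the prefix (e.g. `%{WORD:dns_action}` in the cached and reply patterns) would let those branches test `[dns_action] == "cached"`. Whether DNSMASQPREFIX leaves anything else in front of the verb is not visible here.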
@@ -81,62 +105,70 @@ filter {
 add_tag => [ "response domain to ip" ]
 }
 }
+
 else if [message] =~ "CNAME" and [message] =~ "reply" {
 mutate {
 add_tag => [ "response domain to ip CNAME" ]
 }
 }
+
 else if [domain_response] and [message] =~ "reply" {
 mutate {
 add_tag => [ "response ip to domain" ]
 }
+ geoip {
+ source => "ip_request"
+ }
 }
+
 else if [blocked_domain] {
 mutate {
 add_tag => [ "piholed" ]
 }
 }
+
 else if [message] =~ "\/etc\/hosts" {
 mutate {
 add_tag => [ "reverse hostsfile" ]
 }
 }
+
 else if [dns_forward_to] {
 mutate {
 add_tag => [ "dns forward" ]
 }
 }
+
 else if [ip_request] and [message] =~ "cached" {
 mutate {
 add_tag => [ "cached ip to domain" ]
 }
- }
- else if [domain_request] and [message] =~ "cached" {
- mutate {
- add_tag => [ "cached domain to ip" ]
+ geoip {
+ source => "ip_request"
 }
 }
- else if [message] =~ "cached" and [message] =~ "CNAME" {
+
+ else if [domain_request] and [message] =~ "cached" and [message] =~ "CNAME" {
 mutate {
 add_tag => [ "cached domain to ip cname" ]
 }
 }
- else if [message] =~ "cached" and [message] =~ "NXDOMAIN" {
- mutate {
- add_tag => [ "cached NXDOMAIN" ]
- }
- }
- else if [NODATA-IPv4] {
+
+ else if [domain_request] and [message] =~ "cached" {
 mutate {
- add_tag => [ "NODATA" ]
+ add_tag => [ "cached domain to ip" ]
 }
- }
- else if [NODATA-IPv6] {
- mutate {
- add_tag => [ "NODATA" ]
+ geoip {
+ source => "ip_response"
 }
 }
+ if [domain_request] {
+ geoip {
+ source => "domain_request"
+ }
+ }
+
 mutate {
 add_field => {
 "[source_fqdn]" => "%{source_host}"
@@ -146,7 +178,6 @@ filter {
 dns {
 reverse => ["source_fqdn"]
 action => "replace"
- nameserver => ["localhost"]
 hit_cache_size => 4096
 hit_cache_ttl => 900
 failed_cache_size => 512
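Review bot: The unconditional block added near the end of hunk @@ -81,62 +105,70 @@ runs `geoip { source => "domain_request" }`, but `domain_request` is captured by `%{FQDN:domain_request}` and the geoip filter looks up IP addresses; depending on the Logstash version a hostname in `source` either fails the lookup and leaves `_geoip_lookup_failure` on every event with a query name, or is resolved by the filter first, which puts a blocking DNS lookup on every event. If the intent is to locate the answer, the `ip_response` lookup the same hunk adds to the cached branch already does that, so the `domain_request` block should go. The `ip_request` lookups added in this hunk come from reverse (`%{IP:ip_request} is %{FQDN:domain_response}`) events, which on a LAN resolver are mostly private addresses the database cannot place, so the same failure tag should be expected there; a `tag_on_failure` value per block would make the two cases distinguishable in the index.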
@@ -154,17 +185,21 @@ filter {
 }
+ date {
+ match => [ "date", "MMM d HH:mm:ss","MMM dd HH:mm:ss" ]
+ }
+
 }
 }
+
 output {
- if "pihole" in [tags]{
- elasticsearch {
- hosts => ["192.168.254.248:9200"]
- user => "elastic"
- password => "Service.1"
- manage_template => false
- index => "logstash-syslog-dns-%{+YYYY.MM}"
- }
- }
+# stdout { codec => rubydebug }
+ if "pihole" in [tags]{
+ elasticsearch {
+ hosts => ["monitoring.unimatrix01.local:9200"]
+ manage_template => false
+ index => "logstash-syslog-dns-%{+YYYY.MM}"
+ }
+ }
 }
--
GitLab
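Review bot: The elasticsearch output in hunk @@ -154,17 +185,21 @@ now carries no `user`/`password` and no `ssl`/`cacert`, so it only works against a cluster that accepts unauthenticated plaintext on port 9200, and the lines it replaces held a hard-coded username and password that stay in the repository history, so that account's secret should be rotated regardless of this change. Credentials belong in the Logstash keystore rather than the file, e.g. `user => "${ES_USER}"` and `password => "${ES_PWD}"`, with `ssl => true` and `cacert` pointing at the cluster CA if TLS is available. The `date` block moved into this hunk matches `"MMM d HH:mm:ss"` and `"MMM dd HH:mm:ss"`; if `date` is the syslog header timestamp, single-digit days are space-padded (`Nov  6`), which neither pattern accepts, leaving those events stamped with ingest time and tagged `_dateparsefailure`, so a `"MMM  d HH:mm:ss"` alternative is worth confirming against real input. The `# stdout { codec => rubydebug }` line is debug residue and should be dropped before merging.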