diff --git a/logstash/conf.d/20-dns-syslog.conf b/logstash/conf.d/20-dns-syslog.conf
index 14516620af936ff48fbcf7275b2fdd1242eeffc0..e45a65e78c59053d72573ef14d96fe96b08a29c4 100644
--- a/logstash/conf.d/20-dns-syslog.conf
+++ b/logstash/conf.d/20-dns-syslog.conf
@@ -131,18 +131,20 @@ filter {
 }
 }
- else if [domain_request] and [message] =~ "cached" {
+
+
+ else if [message] =~ "cached" and [message] =~ "CNAME" {
 mutate {
- add_tag => [ "cached domain to ip" ]
- }
- geoip {
- source => "ip_response"
+ add_tag => [ "cached domain to ip cname" ]
 }
 }
- else if [message] =~ "cached" and [message] =~ "CNAME" {
+ else if [domain_request] and [message] =~ "cached" {
 mutate {
- add_tag => [ "cached domain to ip cname" ]
+ add_tag => [ "cached domain to ip" ]
+ }
+ geoip {
+ source => "ip_response"
 }
 }
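Review bot: The branch now evaluated first, `else if [message] =~ "cached" and [message] =~ "CNAME"`, matches both words anywhere in the raw line, so if the queried name is logged verbatim inside `[message]` (the log format is not visible here), the name itself can steer an event into the CNAME tag and past the `geoip` lookup. Matching on a field extracted by the earlier parsing stage, or anchoring each pattern to the position the keyword occupies in the log format, would keep the classification tied to the resolver's own output. Because the result now depends on branch order, a comment above the branch such as `# keep the CNAME test ahead of the generic "cached" branch, which also matches these lines when [domain_request] is set` would stop a later edit from reverting it. The `if`/`else if` chain starts above this hunk, so the earlier branches could not be checked.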