Commit f582b798 authored by nin9s's avatar nin9s

Update 20-dns-syslog.conf

tweaked heatmap filtering for relevant request types.
parent 226df98b
...@@ -14,11 +14,6 @@ input { ...@@ -14,11 +14,6 @@ input {
filter { filter {
date {
match => [ "date", "MMM d HH:mm:ss" ]
}
if "pihole" in [tags]{ if "pihole" in [tags]{
grok { grok {
patterns_dir => ["/etc/logstash/patterns/"] patterns_dir => ["/etc/logstash/patterns/"]
...@@ -84,6 +79,7 @@ filter { ...@@ -84,6 +79,7 @@ filter {
add_tag => [ "request and query type" ] add_tag => [ "request and query type" ]
} }
} }
else if [ip_response] { else if [ip_response] {
geoip { geoip {
source => "ip_response" source => "ip_response"
...@@ -92,62 +88,83 @@ filter { ...@@ -92,62 +88,83 @@ filter {
add_tag => [ "response domain to ip" ] add_tag => [ "response domain to ip" ]
} }
} }
else if [message] =~ "CNAME" and [message] =~ "reply" { else if [message] =~ "CNAME" and [message] =~ "reply" {
mutate { mutate {
add_tag => [ "response domain to ip CNAME" ] add_tag => [ "response domain to ip CNAME" ]
} }
} }
else if [domain_response] and [message] =~ "reply" { else if [domain_response] and [message] =~ "reply" {
mutate { mutate {
add_tag => [ "response ip to domain" ] add_tag => [ "response ip to domain" ]
} }
geoip {
source => "ip_request"
}
} }
else if [blocked_domain] { else if [blocked_domain] {
mutate { mutate {
add_tag => [ "piholed" ] add_tag => [ "piholed" ]
} }
} }
else if [message] =~ "\/etc\/hosts" { else if [message] =~ "\/etc\/hosts" {
mutate { mutate {
add_tag => [ "reverse hostsfile" ] add_tag => [ "reverse hostsfile" ]
} }
} }
else if [dns_forward_to] { else if [dns_forward_to] {
mutate { mutate {
add_tag => [ "dns forward" ] add_tag => [ "dns forward" ]
} }
} }
else if [ip_request] and [message] =~ "cached" { else if [ip_request] and [message] =~ "cached" {
mutate { mutate {
add_tag => [ "cached ip to domain" ] add_tag => [ "cached ip to domain" ]
} }
geoip {
source => "ip_request"
} }
}
else if [domain_request] and [message] =~ "cached" { else if [domain_request] and [message] =~ "cached" {
mutate { mutate {
add_tag => [ "cached domain to ip" ] add_tag => [ "cached domain to ip" ]
} }
geoip {
source => "ip_response"
} }
}
else if [message] =~ "cached" and [message] =~ "CNAME" { else if [message] =~ "cached" and [message] =~ "CNAME" {
mutate { mutate {
add_tag => [ "cached domain to ip cname" ] add_tag => [ "cached domain to ip cname" ]
} }
} }
else if [message] =~ "cached" and [message] =~ "NXDOMAIN" { else if [message] =~ "cached" and [message] =~ "NXDOMAIN" {
mutate { mutate {
add_tag => [ "cached NXDOMAIN" ] add_tag => [ "cached NXDOMAIN" ]
} }
} }
else if [NODATA-IPv4] { else if [NODATA-IPv4] {
mutate { mutate {
add_tag => [ "NODATA" ] add_tag => [ "NODATA" ]
} }
} }
else if [NODATA-IPv6] { else if [NODATA-IPv6] {
mutate { mutate {
add_tag => [ "NODATA" ] add_tag => [ "NODATA" ]
} }
} }
mutate { mutate {
add_field => { add_field => {
"[source_fqdn]" => "%{source_host}" "[source_fqdn]" => "%{source_host}"
...@@ -157,13 +174,14 @@ filter { ...@@ -157,13 +174,14 @@ filter {
dns { dns {
reverse => ["source_fqdn"] reverse => ["source_fqdn"]
action => "replace" action => "replace"
nameserver => ["localhost"] # nameserver => ["localhost"]
hit_cache_size => 4096 hit_cache_size => 4096
hit_cache_ttl => 900 hit_cache_ttl => 900
failed_cache_size => 512 failed_cache_size => 512
failed_cache_ttl => 900 failed_cache_ttl => 900
} }
date { date {
match => [ "date", "MMM d HH:mm:ss","MMM dd HH:mm:ss" ] match => [ "date", "MMM d HH:mm:ss","MMM dd HH:mm:ss" ]
} }
...@@ -171,11 +189,13 @@ filter { ...@@ -171,11 +189,13 @@ filter {
} }
} }
output { output {
if "pihole" in [tags]{ if "pihole" in [tags]{
elasticsearch { elasticsearch {
hosts => ["<ELASTICSEARCHHOST:PORT>"] hosts => [""<ELASTICSEARCHHOST:PORT>""]
manage_template => false # manage_template => false
index => "logstash-syslog-dns-%{+YYYY.MM}" index => "logstash-syslog-dns-%{+YYYY.MM}"
} }
} }
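Review bot: The Elasticsearch output at the end of the last hunk carries `hosts => [""<ELASTICSEARCHHOST:PORT>""]`, which doubles the quotes around the placeholder and will not parse as a string array if that is the new-side value (the side-by-side rendering has lost the +/- markers, so the side is inferred from column order); it should read `hosts => ["<ELASTICSEARCHHOST:PORT>"]`. The same block forwards every `pihole`-tagged record, which carries client addresses and the reverse-resolved `source_fqdn`, with no `ssl`, `cacert`, `user`/`password` or `api_key` option, so the transport is plaintext and unauthenticated unless the placeholder is expanded to an https URL and credentials are added; a comment such as `# set ssl => true and credentials here; this index holds per-client DNS history` would make the gap visible to whoever fills in the placeholder. In the dns-filter hunk, commenting out `nameserver => ["localhost"]` hands the reverse lookups of `source_fqdn` to whatever resolver the Logstash host is configured with, which deserves a note on that line so the resolver choice is deliberate rather than inherited. The `filter` and `output` blocks both begin outside the visible hunks.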