nin9s · nin9s · Nov 16, 2019 · Nov 23, 2019
diff --git a/logstash/conf.d/20-dns-syslog.conf b/logstash/conf.d/20-dns-syslog.conf
@@ -1,3 +1,9 @@
+#################################################################
+# logstash parsing logic and tagging for elk-hole               #
+# created by n9nes                                              #
+# feel free to star the rep - https://github.com/nin9s/elk-hole #
+#################################################################
+
 input {
        beats {
        port => 5141
@@ -7,18 +13,14 @@ input {
 }
 
 filter {
-
-  date {
-      match => [ "date", "MMM  d HH:mm:ss" ]
-  }
 
-  if "pihole" in [tags]{
+  if "pihole" in [tags] {
     grok {
       patterns_dir => ["/etc/logstash/patterns/"]
       match => {
                 "message" => [
-          
-# request - query type
+
+ # request - query type
  "^%{DNSMASQPREFIX} query\[%{WORD:query_type}\] %{FQDN:domain_request} from %{IP:request_from}$",
  # reponse domain to ip
  "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is %{IP:ip_response}$",
@@ -38,6 +40,8 @@ filter {
  "^%{DNSMASQPREFIX} \/etc\/pihole\/local\.list %{FQDN:blocked_domain} is %{IP:pihole}$",
  # blacklist
  "^%{DNSMASQPREFIX} \/etc\/pihole\/black\.list %{FQDN:blocked_domain} is %{IP:pihole}$",
+ # regex
+ "^%{DNSMASQPREFIX} \/etc\/pihole\/regex\.list %{FQDN:blocked_domain} is %{IP:pihole}$",
  # reverse response etc hosts ip to domain
  "^%{DNSMASQPREFIX} \/etc\/hosts %{IP:ip_request} is %{FQDN:domain_response}$",
  # reverse response etc hosts domain to ip
@@ -56,84 +60,125 @@ filter {
  "^%{DNSMASQPREFIX} cached %{FQDN:domain_request} is NODATA-IPv[4,6]$",
  # domain is no-DATA
  "^%{DNSMASQPREFIX} reply %{FQDN:domain_request} is NODATA-IPv[4,6]$",
- # SRV
- "^%{DNSMASQPREFIX} query\[%{WORD:query_type}\] %{HOSTNAMEPTR:request} from %{IP:request_from}$",
- # SRV forwarded
- "^%{DNSMASQPREFIX} forwarded %{HOSTNAMEPTR:request} to %{IP:dns_forward_to}$" 
+ # PTR
+ #"^%{DNSMASQPREFIX} query\[%{WORD:query_type}\] %{HOSTNAMEPTR:request} from %{IP:request_from}$",
+ # PTR forwarded
+ #"^%{DNSMASQPREFIX} forwarded %{HOSTNAMEPTR:request} to %{IP:dns_forward_to}$" ,
+ # SERVFAIL
+ "^%{DNSMASQPREFIX} reply error is SERVFAIL"
 
                   ]
       }
 }
 
 # to do cached and cached reverse
 
+      if [message] =~ "cached" and [message] =~ "NXDOMAIN" {
+        mutate {
+          add_tag => [ "cached NXDOMAIN" ]
+        }
+      }
 
-      if [request_from] {
+      else if [NODATA-IPv4] {
+        mutate {
+          add_tag => [ "NODATA" ]
+        }
+      }
+
+      else if [NODATA-IPv6] {
+        mutate {
+          add_tag => [ "NODATA" ]
+        }
+      }
+
+      else if [request_from] and [message] =~ "query" {
         mutate {
           add_tag => [ "request and query type" ]
         }
       }
-      else if [ip_response] {
+
+      else if [ip_response] and [message] =~ "reply" {
         geoip {
           source => "ip_response"
         }
         mutate {
           add_tag => [ "response domain to ip" ]
         }
       }
+
       else if [message] =~ "CNAME" and [message] =~ "reply" {
         mutate {
           add_tag => [ "response domain to ip CNAME" ]
         }
       }
+
       else if [domain_response] and [message] =~ "reply" {
         mutate {
           add_tag => [ "response ip to domain" ]
         }
+        geoip {
+          source => "ip_request"
+        }
       }
+
       else if [blocked_domain] {
         mutate {
           add_tag => [ "piholed" ]
         }
       }
+
       else if [message] =~ "\/etc\/hosts" {
         mutate {
           add_tag => [ "reverse hostsfile" ]
         }
       }
+
       else if [dns_forward_to] {
         mutate {
           add_tag => [ "dns forward" ]
         }
       }
+
       else if [ip_request] and [message] =~ "cached" {
         mutate {
           add_tag => [ "cached ip to domain" ]
         }
-      }
-      else if [domain_request] and [message] =~ "cached" {
-        mutate {
-          add_tag => [ "cached domain to ip" ]
+        geoip {
+          source => "ip_request"
         }
       }
-      else if [message] =~ "cached" and [message] =~ "CNAME" {
+
+      else if [domain_request] and [message] =~ "cached" and [message] =~ "CNAME" {
         mutate {
           add_tag => [ "cached domain to ip cname" ]
         }
       }
-      else if [message] =~ "cached" and [message] =~ "NXDOMAIN" {
+
+      else if [domain_request] and [message] =~ "cached" {
         mutate {
-          add_tag => [ "cached NXDOMAIN" ]
+          add_tag => [ "cached domain to ip" ]
+        }
+        geoip {
+          source => "ip_response"
         }
       }
-      else if [NODATA-IPv4] {
+
+      if [domain_request] {
+        geoip {
+#          cache_size => "10000"
+          source => "domain_request"
+        }
+      }
+
+      if [ip_response] {
         mutate {
-          add_tag => [ "NODATA" ]
+          add_field => { "ip_or_domain_response" => "%{domain_request}" }
         }
       }
-      else if [NODATA-IPv6] {
+
+      if [domain_response] {
         mutate {
-          add_tag => [ "NODATA" ]
+          add_field => { "ip_or_domain_response" => "%{ip_request}" }
         }
       }
 
@@ -144,27 +189,31 @@ filter {
     }
 
     dns {
+      nameserver => "localhost"
       reverse => ["source_fqdn"]
       action => "replace"
-      nameserver => ["localhost"]
-      hit_cache_size => 4096
+      hit_cache_size => 10000
       hit_cache_ttl => 900
       failed_cache_size => 512
       failed_cache_ttl => 900
     }
 
 
+  date {
+    match => [ "date", "MMM  d HH:mm:ss","MMM dd HH:mm:ss" ]
+  }
+
   }
 }
 
+
 output {
-  if "pihole" in [tags]{
-      elasticsearch {
-            hosts => ["192.168.254.248:9200"]
-            user => "elastic"
-            password => "Service.1"
-            manage_template => false
-            index => "logstash-syslog-dns-%{+YYYY.MM}"
-  }
- }
+#       stdout { codec => rubydebug }
+        if "pihole" in [tags]{
+                elasticsearch {
+                        hosts => ["monitoring.unimatrix01.local:9200"]
+                        manage_template => false
+                        index => "logstash-syslog-dns-%{+YYYY.MM}"
+                }
+        }
 }