diff --git a/logstash/dnsmasq.conf b/logstash/dnsmasq.conf
index 90c8432..1aff870 100644
--- a/logstash/dnsmasq.conf
+++ b/logstash/dnsmasq.conf
@@ -4,6 +4,11 @@ input {
 port => 5044
 type => "logs"
 }
+ file {
+ path => "/opt/logstash/dnsmasq.log"
+ type => "dnslogfile"
+ start_position => "beginning"
+ }
 }
 
 filter {
@@ -22,6 +27,58 @@ filter {
 geoip {
 source => "IP"
 }
+
+ if [type] == "dnslogfile" {
+
+ grok{
+ match => { "message" => "%{DATA}\]: %{WORD:dns_action_id}" }
+ }
+
+ if "_grokparsefailure" in [tags] { drop {} }
+
+ if [dns_action_id] == "query" {
+ grok{
+ match => { "message" => "%{SYSLOGTIMESTAMP:start_time} %{WORD:app_name}\[%{NUMBER}\]: %{WORD:dns_action}\[%{WORD:dns_record}\] %{DATA:domain} %{WORD} %{IP:src_ip}" }
+ }
+ }
+
+ if [dns_action_id] == "forwarded" {
+ grok{
+ match => { "message" => "%{SYSLOGTIMESTAMP:start_time} %{WORD:app_name}\[%{NUMBER}\]: %{WORD:dns_action} %{DATA:domain} %{WORD} %{IP:dns_server}" }
+ }
+ }
+
+ if [dns_action_id] == "reply" or [dns_action_id] == "cached"{
+ grok{
+ patterns_dir => ["/opt/logstash/patterns"]
+ match => { "message" => "%{SYSLOGTIMESTAMP:start_time} %{WORD:app_name}\[%{NUMBER}\]: %{WORD:dns_action} %{HOSTNAME:domain} %{WORD} %{IPORCNAME:answer}" }
+ }
+ }
+
+ if [dns_action_id] == "config" {
+ grok{
+ match => { "message" => "%{SYSLOGTIMESTAMP:start_time} %{WORD:app_name}\[%{NUMBER}\]: %{WORD:dns_action} %{HOSTNAME:domain} %{WORD} %{IPORHOST:answer}" }
+ }
+ }
+
+ date {
+ match => ["stat_time", "yyyy-MM-dd HH:mm:ss"]
+ timezone => "Asia/Shanghai"
+ target => "@timestamp"
+ }
+
+ if [src_ip] !~ "^127\.|^192\.168\.|^172\.1[6-9]\.|^172\.2[0-9]\.|^172\.3[01]\.|^10\." {
+
+ geoip {
+ source => "src_ip"
+ target => "geoip"
+ database => "/opt/GeoLite2-City.mmdb"
+ }
+ }
+
+
+
+ }
 }
 
 output {
@@ -34,4 +91,14 @@ output {
 stdout {
 codec => rubydebug
 }
+
+ if [type] == "dnslogfile" {
+ stdout{codec=>rubydebug}
+
+ elasticsearch {
+ hosts => ["http://localhost:9200"]
+ index => "logstash-dns"
+ }
+
+ }
 }
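Review bot: The new `file` input sets `start_position => "beginning"`, which the file input honours only the first time it sees the file; on later restarts it resumes from the sincedb offset, so a replay of the whole log will not happen again unless the sincedb is reset. If a full re-read is the intent (for example while tuning the grok patterns), that expectation should be written down, e.g. `# first run reads the whole file; later runs resume from sincedb` above the `path` line. The `input` block starts outside this hunk.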
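Review bot: The `date` filter in the `dnslogfile` branch can never set `@timestamp` from the log line: it matches on `stat_time`, but every grok above captures the timestamp into `start_time`, and the format `yyyy-MM-dd HH:mm:ss` does not fit the `SYSLOGTIMESTAMP` the groks extract (month name, day, time), so each event gets `_dateparsefailure` and keeps its ingest time — which breaks any DNS-activity timeline built on it. The match line should read `match => ["start_time", "MMM  d HH:mm:ss", "MMM dd HH:mm:ss"]` (syslog timestamps carry no year, so the year is inferred; worth a comment). Separately, only the `query` grok produces `src_ip`, yet `if [src_ip] !~ "^127\.|..."` runs for every action type; guarding it as `if [src_ip] and [src_ip] !~ "..."` avoids relying on how a negated match on an absent field evaluates and keeps `geoip` from running without a source. The `filter` block is cut at both edges of the hunk.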
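Review bot: The inner `stdout{codec=>rubydebug}` in the new `if [type] == "dnslogfile"` block duplicates the unconditional `stdout { codec => rubydebug }` right above it, so every DNS event is printed twice; the inner line can simply be removed. The `index => "logstash-dns"` target also has no time component, so all events accumulate in one index with no way to roll or expire old DNS history — if that is not intended, `index => "logstash-dns-%{+YYYY.MM.dd}"` is the usual form. The `output` block starts outside this hunk.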
diff --git a/logstash/patterns/dnsmasq b/logstash/patterns/dnsmasq
index 475f85f..a704cde 100644
--- a/logstash/patterns/dnsmasq
+++ b/logstash/patterns/dnsmasq
@@ -3,3 +3,4 @@ blocklist [\/\w\.]+
 domain [\w\.\-]+
 clientip \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
 ip \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
+IPORCNAME (?:%{IP}|\<%{HOSTNAME}\>)
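Review bot: `IPORCNAME` is the only upper-case name in this patterns file; the existing entries (`domain`, `clientip`, `ip`) are lower-case, so the file now mixes two naming conventions. Since grok pattern names are case-sensitive and the reply/cached grok in dnsmasq.conf already references `%{IPORCNAME:answer}`, either keep the upper-case form and add a one-line comment such as `# IP address or a CNAME answer written as <hostname>` above it, or rename the older entries in a follow-up rather than leaving both styles side by side.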