From 3e0803e6038de351aa4a5d27d3dc6dfd4f8c6add Mon Sep 17 00:00:00 2001
From: COOLSTAR
Date: Sat, 14 Aug 2021 21:32:45 +0800
Subject: [PATCH 1/3] Update dnsmasq add for dnslog file
---
 logstash/patterns/dnsmasq | 1 +
 1 file changed, 1 insertion(+)
diff --git a/logstash/patterns/dnsmasq b/logstash/patterns/dnsmasq
index 475f85f..a704cde 100644
--- a/logstash/patterns/dnsmasq
+++ b/logstash/patterns/dnsmasq
@@ -3,3 +3,4 @@ blocklist [\/\w\.]+
 domain [\w\.\-]+
 clientip \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
 ip \d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}
+IPORCNAME (?:%{IP}|\<%{HOSTNAME}\>)
From e4f6221ab20f80c87c1ef9fa4cedc6bf03a9d9e1 Mon Sep 17 00:00:00 2001
From: COOLSTAR
Date: Sat, 14 Aug 2021 21:37:10 +0800
Subject: [PATCH 2/3] Update dnsmasq.conf add for dnsmasq log file and split dns action
---
 logstash/dnsmasq.conf | 67 +++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 67 insertions(+)
diff --git a/logstash/dnsmasq.conf b/logstash/dnsmasq.conf
index 90c8432..3d64a5d 100644
--- a/logstash/dnsmasq.conf
+++ b/logstash/dnsmasq.conf
@@ -4,6 +4,11 @@ input {
 port => 5044
 type => "logs"
 }
+ file {
+ path => "/opt/logstash/dnsmasq.log"
+ type => "dnslogfile"
+ start_position => "beginning"
+ }
 }
 filter {
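Review bot: `IPORCNAME` accepts only an address or a bracketed record type, so dnsmasq answer lines whose value is a status word — `NXDOMAIN`, `NODATA-IPv4`/`NODATA-IPv6` or plain `NODATA`, which dnsmasq prints in the same `is …` position as far as I recall — will fail to match wherever this pattern is applied, and negative answers are precisely the lines that DGA and DNS-tunnelling detection keys on. Extend the alternation, e.g. `IPORCNAME (?:%{IP}|\<%{HOSTNAME}\>|NXDOMAIN|NODATA(?:-IPv[46])?)`, so those events keep an `answer` field instead of being tagged as a parse failure. `%{IP}` already covers both IPv4 and IPv6 literals, so that half of the pattern is fine.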
@@ -22,6 +27,58 @@ filter {
 geoip {
 source => "IP"
 }
+
+ if [type] == "dnslogfile" {
+
+ grok{
+ match => { "message" => "%{DATA}\]: %{WORD:dns_action_id}" }
+ }
+
+ if "_grokparsefailure" in [tags] { drop {} }
+
+ if [dns_action_id] == "query" {
+ grok{
+ match => { "message" => "%{SYSLOGTIMESTAMP:start_time} %{WORD:app_name}\[%{NUMBER}\]: %{WORD:dns_action}\[%{WORD:dns_record}\] %{DATA:domain} %{WORD} %{IP:src_ip}" }
+ }
+ }
+
+ if [dns_action_id] == "forward" {
+ grok{
+ match => { "message" => "%{SYSLOGTIMESTAMP:start_time} %{WORD:app_name}\[%{NUMBER}\]: %{WORD:dns_action} %{DATA:domain} %{WORD} %{IP:dns_server}" }
+ }
+ }
+
+ if [dns_action_id] == "reply" or [dns_action_id] == "cached"{
+ grok{
+ patterns_dir => ["/opt/logstash/patterns"]
+ match => { "message" => "%{SYSLOGTIMESTAMP:start_time} %{WORD:app_name}\[%{NUMBER}\]: %{WORD:dns_action} %{HOSTNAME:domain} %{WORD} %{IPORCNAME:answer}" }
+ }
+ }
+
+ if [dns_action_id] == "config" {
+ grok{
+ match => { "message" => "%{SYSLOGTIMESTAMP:start_time} %{WORD:app_name}\[%{NUMBER}\]: %{WORD:dns_action} %{HOSTNAME:domain} %{WORD} %{IPORHOST:answer}" }
+ }
+ }
+
+ date {
+ match => ["stat_time", "yyyy-MM-dd HH:mm:ss"]
+ timezone => "Asia/Shanghai"
+ target => "@timestamp"
+ }
+
+ if [src_ip] !~ "^127\.|^192\.168\.|^172\.1[6-9]\.|^172\.2[0-9]\.|^172\.3[01]\.|^10\." {
+
+ geoip {
+ source => "src_ip"
+ target => "geoip"
+ database => "/opt/GeoLite2-City.mmdb"
+ }
+ }
+
+
+
+ }
 }
 output {
@@ -34,4 +91,14 @@ output {
 stdout {
 codec => rubydebug
 }
+
+ if [type] == "dnslogfile" {
+ stdout{codec=>rubydebug}
+
+ elasticsearch {
+ hosts => ["http://localhost:9200"]
+ index => "logstash-dns"
+ }
+
+ }
 }
From 2cffec113a84cd3ed49ee1d81b0b63fdf8ac616d Mon Sep 17 00:00:00 2001
From: COOLSTAR
Date: Sat, 14 Aug 2021 21:49:12 +0800
Subject: [PATCH 3/3] Update dnsmasq.conf forwarded
---
 logstash/dnsmasq.conf | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
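Review bot: The `date` filter near the end of the hunk can never parse anything: it reads `stat_time`, but every grok stanza above stores the timestamp as `start_time`, and its format `yyyy-MM-dd HH:mm:ss` does not describe a `%{SYSLOGTIMESTAMP}` value such as `Aug 14 21:32:45` anyway. Every DNS event therefore keeps Logstash's ingest time as `@timestamp`, which together with `start_position => "beginning"` stamps a replayed log history with the day it was ingested and makes any incident timeline built from this index wrong. Change it to `match => ["start_time", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss"]` (syslog pads single-digit days with a space) and check for `_dateparsefailure` in `[tags]` rather than letting failures pass silently. Separately, the `if [src_ip] !~ "^127\.|…"` guard presumably evaluates true when `src_ip` is absent — only `query` lines set it — so the geoip lookup runs on every forwarded/reply/cached/config event; `if [src_ip] and [src_ip] !~ "…"` avoids that, and the private-range list also omits 169.254/16 and IPv6 loopback/ULA. The enclosing `filter {` block starts before this hunk.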
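Review bot: The added `stdout{codec=>rubydebug}` duplicates the unconditional `stdout { codec => rubydebug }` immediately above it, so every DNS event — client IPs and queried domains — is printed twice to Logstash's stdout/journal, a second copy of the data living outside whatever access control the index has; drop the conditional stdout, and ideally the debug output altogether in production. Nothing in this hunk restricts the pre-existing outputs by `[type]`, so if the `output {}` block (which begins before the hunk) already has an elasticsearch output for the beats input, `dnslogfile` events will be indexed there as well as in `logstash-dns`. The new elasticsearch output sets no `document_id`, so any re-read of the file from the beginning (sincedb loss, reinstall) duplicates events in the index; a dated index such as `index => "logstash-dns-%{+YYYY.MM.dd}"` would at least make retention and cleanup manageable. `hosts => ["http://localhost:9200"]` carries no credentials or TLS, which is acceptable only for a loopback-bound node with security disabled — confirm that is the deployment.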
diff --git a/logstash/dnsmasq.conf b/logstash/dnsmasq.conf
index 3d64a5d..1aff870 100644
--- a/logstash/dnsmasq.conf
+++ b/logstash/dnsmasq.conf
@@ -42,7 +42,7 @@ filter {
 }
 }
- if [dns_action_id] == "forward" {
+ if [dns_action_id] == "forwarded" {
 grok{
 match => { "message" => "%{SYSLOGTIMESTAMP:start_time} %{WORD:app_name}\[%{NUMBER}\]: %{WORD:dns_action} %{DATA:domain} %{WORD} %{IP:dns_server}" }
 }