NOTE - this was specifically built for a docker instance, with the Filebeat docker module collecting the logs.
Last active April 21, 2020 20:50
Gist: markwalkom/7f1f20d6da7a7eb5e84843f757e2e258
PiHole + Elasticsearch Ingest processing
#-------------------------- Elasticsearch output ------------------------------
output.elasticsearch:
  # we need to do two when.contains here
  hosts: ["192.168.1.199:9206"]
  index: "filebeat-%{[beat.version]}-%{+yyyy.MM}"
  indices:
    - index: "filebeat-%{[beat.version]}-pihole-%{+yyyy.MM}"
      when.contains:
        message: "dnsmasq"
  pipelines:
    - pipeline: "pihole-logging"
      when.contains:
        message: "dnsmasq"
PUT _ingest/pipeline/pihole-logging
{
  "description" : "Pi-Hole Logging",
  "processors": [
    {
      "grok": {
        "field": "message",
        "patterns": [
          "%{WORD:program_name}: %{POSINT:query_id} %{NOTSPACE:query_source} query%{NOTSPACE:query_record} %{NOTSPACE:query_target} from %{NOTSPACE:query_source}",
          "%{WORD:program_name}: %{POSINT:query_id} %{NOTSPACE:query_source} %{NOTSPACE:query_action} %{NOTSPACE:query_target} is %{NOTSPACE:query_answer}"
        ]
      }
    }
  ]
}
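To check the two grok patterns and the `dnsmasq` routing condition against sample log lines without a running cluster, here is an added Python script (not part of the gist) that expands the patterns into regular expressions and mirrors what Filebeat and the pipeline do with one message. The sample lines are constructed, and the `query_source_2` name is this script's own workaround for Python's ban on duplicate group names.

```python
import re

# Standard grok definitions for the three primitives the gist's patterns use.
GROK = {"WORD": r"\b\w+\b", "POSINT": r"\b(?:[1-9][0-9]*)\b", "NOTSPACE": r"\S+"}

# The two patterns exactly as in the pipeline above.
GIST_PATTERNS = [
    "%{WORD:program_name}: %{POSINT:query_id} %{NOTSPACE:query_source} "
    "query%{NOTSPACE:query_record} %{NOTSPACE:query_target} from %{NOTSPACE:query_source}",
    "%{WORD:program_name}: %{POSINT:query_id} %{NOTSPACE:query_source} "
    "%{NOTSPACE:query_action} %{NOTSPACE:query_target} is %{NOTSPACE:query_answer}",
]


def grok_to_regex(pattern: str) -> re.Pattern:
    """Expand %{NAME:field} tokens into Python named groups, escaping literals.
    Python's re forbids duplicate group names, so a field used twice (the
    gist's first pattern names two captures query_source) gets a numeric
    suffix here: query_source_2. That suffix is an adaptation for this script,
    not Elasticsearch grok behaviour."""
    counts, parts, pos = {}, [], 0
    for m in re.finditer(r"%\{(\w+):(\w+)\}", pattern):
        parts.append(re.escape(pattern[pos:m.start()]))
        name, field = m.groups()
        counts[field] = counts.get(field, 0) + 1
        group = field if counts[field] == 1 else f"{field}_{counts[field]}"
        parts.append(f"(?P<{group}>{GROK[name]})")
        pos = m.end()
    parts.append(re.escape(pattern[pos:]))
    return re.compile("".join(parts))


COMPILED = [grok_to_regex(p) for p in GIST_PATTERNS]


def process(message: str):
    """Mirror the Filebeat routing plus the ingest pipeline for one message.
    Returns (routed, fields). routed is False when the message lacks "dnsmasq":
    Filebeat sends it to the default index with no pipeline. fields is None
    when neither pattern matches, which makes the grok processor fail that
    event in Elasticsearch (the gist defines no on_failure handler)."""
    if "dnsmasq" not in message:
        return False, None
    for rx in COMPILED:          # grok tries patterns in order, first hit wins
        m = rx.search(message)   # grok matches anywhere in the field, unanchored
        if m:
            return True, m.groupdict()
    return True, None
```

A `forwarded ... to ...` line contains neither `query` nor ` is `, so it is routed to the pipeline but fails grok; run such lines through `process()` before deploying to see which log shapes still need a pattern.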