@jalogisch
Created January 12, 2017 08:53
Graylog content pack to use with the dnsmasq / Pi-hole pipeline rules (https://gist.github.com/jalogisch/922b7a3438c5c6f5b9d02557d33ab2eb)
{
"name": "PiHOLE",
"description": "Creates an information dashboard from Pi-hole logs with enriched data ( https://gist.github.com/jalogisch/922b7a3438c5c6f5b9d02557d33ab2eb )",
"category": "DNS Intel",
"inputs": [],
"streams": [],
"outputs": [],
"dashboards": [
{
"title": "DNS Intel",
"description": "Client and DNS Lookup Information",
"dashboard_widgets": [
{
"description": "Threat Indicated (24h)",
"type": "SEARCH_RESULT_COUNT",
"cache_time": 1000,
"configuration": {
"timerange": {
"type": "relative",
"range": 86400
},
"lower_is_better": true,
"trend": true,
"query": "application_name:pihole AND threat_indicated:true"
},
"col": 2,
"row": 1,
"height": 1,
"width": 1
},
{
"description": "DNS Location Requested IP (from answers)",
"type": "org.graylog.plugins.map.widget.strategy.MapWidgetStrategy",
"cache_time": 1000,
"configuration": {
"timerange": {
"type": "relative",
"range": 86400
},
"field": "query_answer_geolocation",
"query": ""
},
"col": 1,
"row": 2,
"height": 2,
"width": 2
},
{
"description": "DNS Queries (24h)",
"type": "SEARCH_RESULT_COUNT",
"cache_time": 1000,
"configuration": {
"timerange": {
"type": "relative",
"range": 86400
},
"lower_is_better": false,
"trend": true,
"query": "query_action:query"
},
"col": 1,
"row": 1,
"height": 1,
"width": 1
},
{
"description": "Owning Companies (24h)",
"type": "QUICKVALUES",
"cache_time": 1000,
"configuration": {
"timerange": {
"type": "relative",
"range": 86400
},
"field": "query_answer_whois_organization",
"show_pie_chart": false,
"query": "_exists_:query_answer_whois_organization",
"show_data_table": true
},
"col": 4,
"row": 3,
"height": 3,
"width": 1
},
{
"description": "DNS Clients (24h)",
"type": "QUICKVALUES",
"cache_time": 1000,
"configuration": {
"timerange": {
"type": "relative",
"range": 86400
},
"field": "query_source",
"show_pie_chart": false,
"query": "_exists_:query_source",
"show_data_table": true
},
"col": 1,
"row": 4,
"height": 2,
"width": 1
},
{
"description": "DNS Activities (24h)",
"type": "QUICKVALUES",
"cache_time": 1000,
"configuration": {
"timerange": {
"type": "relative",
"range": 86400
},
"field": "query_action",
"show_pie_chart": false,
"query": "programname:dnsmasq",
"show_data_table": true
},
"col": 4,
"row": 1,
"height": 2,
"width": 1
},
{
"description": "Threat Names (24h)",
"type": "QUICKVALUES",
"cache_time": 1000,
"configuration": {
"timerange": {
"type": "relative",
"range": 86400
},
"field": "threat_names",
"show_pie_chart": false,
"query": "application_name:pihole AND threat_indicated:true AND _exists_:threat_names",
"show_data_table": true
},
"col": 2,
"row": 4,
"height": 2,
"width": 1
},
{
"description": "Blackholed Requests (24h)",
"type": "SEARCH_RESULT_COUNT",
"cache_time": 1000,
"configuration": {
"timerange": {
"type": "relative",
"range": 86400
},
"lower_is_better": false,
"trend": true,
"query": "query_list:\"/etc/pihole/gravity.list\""
},
"col": 3,
"row": 1,
"height": 1,
"width": 1
},
{
"description": "Blocked Domains (24h)",
"type": "QUICKVALUES",
"cache_time": 1000,
"configuration": {
"timerange": {
"type": "relative",
"range": 86400
},
"field": "query_domain",
"show_pie_chart": false,
"query": "query_list:\"/etc/pihole/gravity.list\"",
"show_data_table": true
},
"col": 3,
"row": 2,
"height": 4,
"width": 1
}
]
}
],
"grok_patterns": [
{
"name": "PIHOLE",
"pattern": "%{SYSLOGTIMESTAMP:query_timestamp} %{WORD: programname}\\[%{POSINT:procid}\\]: %{NOTSPACE:query_list} %{NOTSPACE:query_domain} is %{NOTSPACE:query_answer}"
},
{
"name": "DNSMASQ",
"pattern": "%{SYSLOGTIMESTAMP:query_timestamp} %{WORD: programname}\\[%{POSINT:procid}\\]: %{WORD:query_action}(?:\\[%{WORD:query_type}\\]|%{SPACE}) %{NOTSPACE:query_domain} (?:from %{NOTSPACE:query_source}|is %{NOTSPACE:query_answer}|to %{NOTSPACE:query_target})"
}
]
}