path: root/makefu/2configs/logging/filter/dnsmasq.conf

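# Logstash filter for dnsmasq log lines (events whose [program] is "dnsmasq").
#
# grok tries three line shapes, in order:
#   1. query[TYPE] <domain> from <client>   -> LOGDATE, DOMAIN, CLIENTIP
#   2. reply <domain> is <address>          -> LOGDATE, DOMAIN, IP
#   3. <blocklist> <domain> is <address>    -> LOGDATE, BLOCKLIST, DOMAIN, IP
# Any other dnsmasq line matches none of them and keeps grok's default
# failure tag; no LOGDATE/IP is extracted for those events.
#
# The lower-case pattern names (logdate, domain, clientip, ip, blocklist) are
# not stock grok patterns; they are expected to be defined in patterns_dir.
#
# NOTE(review): DOMAIN comes from names that DNS clients asked for, so it is
# attacker-influenced text. How tightly it is constrained depends on the custom
# `domain` pattern, which is not shown here; treat the field as untrusted
# wherever it is rendered or fed into other tooling.
if ( [program] == "dnsmasq") {
    grok {
        # NOTE(review): "${./patterns}" is presumably substituted with a real
        # directory before Logstash reads this file; confirm against the caller.
        patterns_dir => ["${./patterns}"]
        match => {
          "message" => [
              "^%{logdate:LOGDATE} dnsmasq\[[\d]+\]\: query\[[\w]+\] %{domain:DOMAIN} from %{clientip:CLIENTIP}"
            , "^%{logdate:LOGDATE} dnsmasq\[[\d]+\]\: reply %{domain:DOMAIN} is %{ip:IP}"
            , "^%{logdate:LOGDATE} dnsmasq\[[\d]+\]\: %{blocklist:BLOCKLIST} %{domain:DOMAIN} is %{ip:IP}"
          ]
        }
    }
    # Set the event timestamp from the log line. The two syslog-style formats
    # carry neither year nor time zone, so the date filter has to assume both.
    # NOTE(review): if the logging hosts are not in the Logstash host's zone,
    # set `timezone` here, otherwise timelines will be skewed during correlation.
    date {
      match => [ "LOGDATE", "MMM dd HH:mm:ss", "MMM  d HH:mm:ss", "ISO8601" ]
    }
    # IP is only captured by the reply and blocklist patterns; query lines never
    # set it, so skip the lookup for them instead of running geoip on a missing
    # field. Note that this enriches the answer address, not the client:
    # CLIENTIP is left as-is.
    if [IP] {
        geoip {
          source => "IP"
        }
    }
}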