Elasticsearch Ingest Pipeline for DNSMasq
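PUT _ingest/pipeline/dnsmasq
{ /* Parses dnsmasq lines as they arrive via syslog, e.g.
     "Feb 24 11:00:00 router dnsmasq[1234]: query[A] example.com from 192.168.1.10".
     Only query / reply / forwarded / config lines are split into fields; every other line keeps its
     raw text in message_body. Index with ?pipeline=dnsmasq once this PUT has been applied. */
  "description": "DNSMASQ Log Processor",
  "processors": [
    { /* Split the syslog envelope. %{datetime} is everything before " dnsmasq[" (the timestamp, plus a
         hostname when a forwarder added one); the pid is matched but discarded (%{?pid}). A line that
         does not match fails the whole pipeline (no ignore_failure / on_failure here), so the document
         is rejected rather than indexed half-parsed - deliberate, but the first place to look when
         documents go missing. */
      "dissect": {
        "field": "message",
        "pattern": "%{datetime} dnsmasq[%{?pid}]: %{message_body}"
      }
    },
    { /* "query[A] example.com from 192.168.1.10". query.what is the name the client asked for: anyone
         who can send a DNS request to this resolver chooses it, so treat query.* as untrusted input
         wherever it is reused (scripted fields, alerting, further parsing). Dissect does not backtrack,
         so hostile names cannot make this step expensive. */
      "dissect": {
        "if": """ctx.message_body.startsWith("query")""",
        "field": "message_body",
        "pattern": "query[%{query.type}] %{query.what} from %{query.from}"
      }
    },
    { /* "reply example.com is 93.184.216.34". reply.is is whatever follows " is " - not necessarily
         an address (aliases and negative answers log other text), so do not map it as type ip
         without checking the data first. */
      "dissect": {
        "if": """ctx.message_body.startsWith("reply")""",
        "field": "message_body",
        "pattern": "reply %{reply.what} is %{reply.is}"
      }
    },
    { /* "forwarded example.com to 8.8.8.8": forwarded.to is the upstream resolver the query went to. */
      "dissect": {
        "if": """ctx.message_body.startsWith("forwarded")""",
        "field": "message_body",
        "pattern": "forwarded %{forwarded.what} to %{forwarded.to}"
      }
    },
    { /* "config example.com is 0.0.0.0": answers served from dnsmasq's own configuration
         (presumably address=/.../ and blocklist entries) rather than from an upstream resolver. */
      "dissect": {
        "if": """ctx.message_body.startsWith("config")""",
        "field": "message_body",
        "pattern": "config %{config.what} is %{config.is}"
      }
    },
    { /* Strip a trailing hostname from datetime by keeping its last 15 characters, the length of a
         syslog timestamp ("MMM dd HH:mm:ss"). Guarded so a short or missing value does not throw
         StringIndexOutOfBoundsException here; the date processor below then reports the bad value. */
      "script": {
        "source": "if (ctx.datetime != null && ctx.datetime.length() > 15) { ctx.datetime = ctx.datetime.substring(ctx.datetime.length() - 15); }"
      }
    },
    { /* Syslog timestamps carry neither a year nor a UTC offset. The offset comes from "timezone":
         set it to the zone of the host that wrote the log, or @timestamp is off by the difference.
         The year is filled in by Elasticsearch (current year at ingest, as far as the docs show -
         verify), so logs replayed across a year boundary can be mis-dated. Days 1-9 are space-padded
         by syslog ("Feb  4 11:00:00"), which "MMM dd" rejects, hence the second format. */
      "date": {
        "field": "datetime",
        "target_field": "@timestamp",
        "formats": [
          "MMM dd HH:mm:ss",
          "MMM  d HH:mm:ss"
        ],
        "timezone": "Europe/Rome"
      }
    },
    /* Regex form of the remove processor below. It needs script.painless.regex.enabled, a node-level
       setting (elasticsearch.yml) that turns regex on for every Painless script, not just this one;
       the startsWith form used instead does the same job without it. Prefer leaving regex off: query
       names are chosen by whoever sends the DNS request, and backtracking regexes over such strings
       are a ReDoS surface (this particular anchored pattern is cheap, but the setting is not per-pattern).
    {
      "remove": {
        "if": "ctx.message_body =~ /^(config|forwarded|reply|query)/",
        "field": [
          "message_body"
        ]
      }
    }, */
    { /* Drop the raw remainder only for lines one of the four dissects above parsed; any other
         dnsmasq message keeps message_body as searchable raw text. */
      "remove": {
        "if": """return (ctx.message_body.startsWith("forwarded") || ctx.message_body.startsWith("query") || ctx.message_body.startsWith("config") || ctx.message_body.startsWith("reply"))""",
        "field": [
          "message_body"
        ]
      }
    },
    { /* The original line and the intermediate timestamp are redundant once @timestamp exists.
         Keep "message" instead if the verbatim line matters for forensics - the parsed fields are
         lossy (pid and hostname are already gone by this point). */
      "remove": {
        "field": [
          "message",
          "datetime"
        ]
      }
    }
  ]
}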