ZachChristensen28/TA-pihole_dns

Does not extract Pi-hole server host name when using a Splunk recommended syslog collector

Closed this issue · 2 comments

Splunk best practice involves setting up a separate machine that runs a syslog service to handle syslog tasks. https://docs.splunk.com/Documentation/Splunk/8.0.4/Data/HowSplunkEnterprisehandlessyslogdata

When Pi-hole logs are forwarded, via syslog, to a syslog collector (that has Splunk UF installed), the host field is populated with the syslog collector name and not the Pi-hole server name. As a comparison, when Bind logs are also forwarded to a syslog collector (that has UF installed), the host field is correctly populated with the Bind server name.

In both cases, the host field is the first field in the logs after the date and time.
Example Pi-hole log and extracted fields:
Jun 16 10:01:34 ph2 dnsmasq[3565]: 23354 192.168.10.220/52674 forwarded vcsa.vmware.com to 192.168.12.9

date_hour = 10, date_mday = 16, date_minute = 1, date_month = june, date_second = 34, date_wday = tuesday, date_year = 2020, date_zone = local, dest = 192.168.12.9, eventtype = nix-all-logs, eventtype = pihole_dns, dns network resolution, host = syslog-ng1, index = dns, linecount = 1, name = forwarded, pid = 3565, query = vcsa.vmware.com, source = /var/log/pihole.log, sourcetype = pihole, splunk_server = splunk, src = 192.168.10.220, src_ip = 192.168.10.220, src_port = 52674, tag = dns, tag = network, tag = resolution, timeendpos = 16, timestartpos = 0, transaction_id = 23354

Example Bind log and extracted fields:
Jun 16 10:01:08 ns1 named[13149]: 16-Jun-2020 10:01:08.421 queries: info: client @0x7f05e4558c90 192.168.12.8#1721 (vcsa.vmware.com): query: vcsa.vmware.com IN A + (192.168.12.9)

date_hour = 10, date_mday = 16, date_minute = 1, date_month = june, date_second = 8, date_wday = tuesday, date_year = 2020, date_zone = local, dest = ns1, eventtype = nix-all-logs, host = ns1, index = dns, linecount = 1, pid = 13149, source = /var/log/intdns.log, sourcetype = syslog, splunk_server = splunk, src = ns1, timeendpos = 15, timestartpos = 0

Just to clarify, in the above example the hostname of the Pi-hole server is 'ph2' and the hostname of the Bind server is 'ns1'.

Apologies for taking so long to respond, I didn't have my notifications properly set up.

This is not necessarily an app issue. Due to the customizable nature of syslog, it is difficult to capture in regex every use case. When you use the syslog sourcetype in your above bind example, Splunk automatically transforms the correct hostname using a default props & transforms config that covers most default syslog configurations. You can see this in ../etc/system/default/props.conf in the syslog stanza. There is a transforms setting pointing to syslog-host which can be found in ../etc/system/default/transforms.conf. This same configuration can be used by navigating to the ../local directory of the TA-pihole_dns app and adding the following to props.conf:

[pihole]
TRANSFORMS = syslog-host

A better method is to add the hostname to the path where you are writing the file to (i.e. /var/log/remote/pihole/$HOST/pihole.log). Once that is completed, the inputs.conf file can be updated to include the host_segment setting. For the previous example it would be host_segment = 5.

An example to do this for syslog-ng can be found at: https://www.splunk.com/en_us/blog/tips-and-tricks/using-syslog-ng-with-splunk.html
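To check that the two approaches described above (host from the syslog header via a syslog-host style transform, or host from the file path via host_segment) attribute the sample events in this issue to the right machine, here is an added Python example; it is not part of the issue or of the TA-pihole_dns app. The header regex is an approximation of what Splunk's default syslog-host transform does, not a copy of it, and the sample events are the two quoted in the report.

```python
import re
from pathlib import PurePosixPath
from typing import Optional

# Constructed samples copied from the issue report: a Pi-hole (dnsmasq) event and a
# BIND event, both in the classic BSD syslog layout
# "<Mon DD HH:MM:SS> <hostname> <program>[pid]: <message>".
PIHOLE_EVENT = ("Jun 16 10:01:34 ph2 dnsmasq[3565]: 23354 192.168.10.220/52674 "
                "forwarded vcsa.vmware.com to 192.168.12.9")
BIND_EVENT = ("Jun 16 10:01:08 ns1 named[13149]: 16-Jun-2020 10:01:08.421 queries: info: "
              "client @0x7f05e4558c90 192.168.12.8#1721 (vcsa.vmware.com): "
              "query: vcsa.vmware.com IN A + (192.168.12.9)")

# Approximation of Splunk's built-in syslog-host transform: skip the timestamp, then take
# the next whitespace-delimited token as the host. This is NOT the exact REGEX from
# $SPLUNK_HOME/etc/system/default/transforms.conf, only the same idea.
SYSLOG_HEADER = re.compile(
    r"^[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2}(?:\.\d+)?\s+"  # "Jun 16 10:01:34"
    r"([A-Za-z0-9][A-Za-z0-9._-]*)\s"                             # hostname token
)


def host_from_syslog_header(event: str) -> Optional[str]:
    """Host named in the syslog header, or None when the event has no such header.

    Note for log attribution: this value is whatever the sending daemon wrote, so a
    misconfigured or misbehaving sender controls it. Path-based attribution (below)
    is set by the collector instead, which is one reason the reply prefers it.
    """
    m = SYSLOG_HEADER.match(event)
    return m.group(1) if m else None


def host_from_path_segment(path: str, host_segment: int) -> Optional[str]:
    """Mirror inputs.conf host_segment: the 1-based index of the path component,
    counting from the first component after the leading '/', to use as host."""
    parts = PurePosixPath(path).parts  # ('/', 'var', 'log', ...)
    if parts and parts[0] == "/":
        parts = parts[1:]
    if host_segment < 1 or host_segment > len(parts):
        return None  # Splunk would fall back to the default host here
    return parts[host_segment - 1]


if __name__ == "__main__":
    print("header host (pihole):", host_from_syslog_header(PIHOLE_EVENT))
    print("header host (bind):  ", host_from_syslog_header(BIND_EVENT))
    # The layout suggested in the reply: /var/log/remote/pihole/$HOST/pihole.log
    print("path host (segment 5):",
          host_from_path_segment("/var/log/remote/pihole/ph2/pihole.log", 5))
```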