Master dashboard
Alternate version of the Grafana Unbound dashboard (PostgreSQL)
Pro:
- Has ad-hoc filters in Grafana
Con: - Uses more CPU and disk space
Install software
pkg_add logstash elasticsearch grafana
Set up Logstash
Config
vi /etc/logstash/conf.d/dns.yml
input {
# syslog listener for the unbound log stream; with no `host` option it binds to all interfaces,
# and nothing authenticates the sender — NOTE(review): restrict with `host =>` and/or a packet filter
syslog {
port => "8514"
type => "syslog"
}
}
filter {
# Parse the syslog timestamp; the layouts are tried in the order listed
date {
match => [ "[@metadata][timestamp]", "MMM dd HH:mm:ss", "MMM d HH:mm:ss", "dd/MMM/yyyy:HH:mm:ss Z" ]
}
# Split an Unbound reply line into fields. A line that does not match the first pattern
# falls through to the second one and ends up in drop-document, which is discarded below.
grok {
match => {
"message" => [
"\[%{INT:pid}:%{INT:thread}\] info: %{IPORHOST:clientip} %{USERNAME:ns_record_name} %{WORD:ns_record_type} %{WORD:ns_record_class} %{WORD:ns_rcode} %{SECOND:time_to_resolv} %{INT:from_cache} %{INT:bytes}",
# Other messages
"%{GREEDYDATA:drop-document}"
]
}
# The raw line is not needed once the fields are extracted
remove_field => ["message"]
}
# Keep only events that were parsed as reply lines
if [drop-document] {
drop {}
}
mutate {
convert => [ "pid", "integer" ]
# Field name is spelled "programe" (sic); the dashboard JSON has to use the same spelling
add_field => { "programe" => "unbound" }
# Copy %{host} (the sender as recorded by the input) into hostname so the dns filter can rewrite it in place
add_field => { "hostname" => "%{host}" }
}
# Reverse-resolve hostname, replacing the original value, and tag the event;
# this is one lookup per event, which is part of the extra CPU cost mentioned above
dns {
action => "replace"
reverse => [ "hostname" ]
add_tag => [ "dns_lookup" ]
}
}
output {
# Local Elasticsearch, one index per day, index template taken from the ECS v1 file below
elasticsearch {
hosts => ["http://localhost:9200"]
index => "logstash-%{+YYYY-MM-dd}"
template => "/etc/logstash/conf.d/templates/ecs-v1/elasticsearch-7x.json"
template_name => "logstash"
template_overwrite => "true"
}
# Debug output: uncomment to also write events to a file
# file {
# path => "/tmp/test"
# }
}
vi /etc/logstash/pipelines.yml
- pipeline.id: dns
path.config: "/etc/logstash/conf.d/dns.yml"
Start services
rcctl enable logstash
rcctl enable elasticsearch
rcctl enable grafana
rcctl start logstash
rcctl start elasticsearch
rcctl start grafana
Set up the Grafana dashboard
Install the plugin
grafana-cli plugins install grafana-piechart-panel
Configure the data source
# Elasticsearch
URL: http://localhost:9200
Index name: [logstash-]YYYY-MM-DD
Pattern: Daily
Time field name: @timestamp
Version: 7.0+
Import the dashboard JSON
Monitor Unbound
Enable reply logging and syslog
server:
# send log lines to syslogd instead of a log file
use-syslog: yes
# only reply lines are shipped; the Logstash grok pattern expects the reply-line format
log-queries: no
log-replies: yes
Configure syslog
vi /etc/syslog.conf — add the following at the start of the file
# Forward only unbound's messages to the Logstash syslog input on port 8514.
# This is plain TCP: the stream is neither encrypted nor authenticated in transit.
!!unbound
*.* @tcp://172.16.215.65:8514
# Reset the program filter so the rules that follow apply to every program again
!*