Existing form to "improve" the PiHole logging?

Hi everyone...

I'm integrating this tool in my demo lab with a cloud SIEM (Sentinel) and working on a normalization for this platform, and I want to ingest the PiHole data (actually I'm already doing the ingest of the PiHole data) to do threat analysis in a controlled environment.

My issue is that /var/log/pihole.log "splits" the entries into events when a client queries and when the PiHole does its work (that's OK for the tool), but I'd prefer that the query, the client IP and the answer come in the same entry... is there a way to make this possible?

You can create a custom configuration file for dnsmasq, for example /etc/dnsmasq.d/logging.conf and add log-queries=extra to that file. Then restart Pi-hole with pihole restartdns.

What that will do is add additional information, like query id, IP address of the client and I believe the port the client used, to the start of each line in the log. That way you can tie each query to its corresponding answer.

I'm not sure whether I understand your question correctly.

If you are trying to collate log entries by DNS request, try adding log-queries=extra to a custom dnsmasq configuration (e.g. /etc/dnsmasq.d/42-add-query-ids.conf).

Don't forget to restart Pi-hole for those options to take effect:

pihole restartdns
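Once log-queries=extra is active, the per-line query id and client address can be used to merge the split lines into one record per DNS query before shipping them to the SIEM. The following is an added example, not part of the original replies; the line layout in the regex and the sample log lines are constructed assumptions about what the extra prefix looks like, and the output field names are hypothetical.

```python
import json
import re

# Assumed line shape with log-queries=extra:
#   "<timestamp> dnsmasq[<pid>]: <query id> <client ip>/<port> <action> <name> <from|to|is> <value>"
LINE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]+)\sdnsmasq\[\d+\]:\s"
    r"(?P<qid>\d+)\s(?P<client>[^/\s]+)/(?P<port>\d+)\s"
    r"(?P<action>.+?)\s(?P<name>\S+)\s(?P<word>from|to|is)\s(?P<value>.+)$"
)

# Constructed sample input: two interleaved queries, one forwarded, one blocked.
SAMPLE_LOG = """\
Jan 10 09:15:01 dnsmasq[812]: 41 192.168.1.20/51544 query[A] example.com from 192.168.1.20
Jan 10 09:15:01 dnsmasq[812]: 42 192.168.1.31/40112 query[A] ads.example.net from 192.168.1.31
Jan 10 09:15:01 dnsmasq[812]: 41 192.168.1.20/51544 forwarded example.com to 9.9.9.9
Jan 10 09:15:01 dnsmasq[812]: 42 192.168.1.31/40112 gravity blocked ads.example.net is 0.0.0.0
Jan 10 09:15:01 dnsmasq[812]: 41 192.168.1.20/51544 reply example.com is 192.0.2.10
"""

def collate(lines):
    """Merge lines sharing a query id and client ip/port into one record per query."""
    open_q, done = {}, []
    for line in lines:
        m = LINE.match(line.strip())
        if not m:
            continue  # lines without the extra prefix, e.g. startup messages
        key = (m["qid"], m["client"], m["port"])
        action = m["action"]
        if action.startswith("query["):
            # A query line opens a new record; a reused id simply replaces the old key.
            rec = {"time": m["ts"], "query_id": int(m["qid"]), "client_ip": m["client"],
                   "client_port": int(m["port"]), "type": action[6:-1], "name": m["name"],
                   "upstream": None, "status": None, "answers": []}
            open_q[key] = rec
            done.append(rec)
        elif key in open_q:
            rec = open_q[key]
            if action == "forwarded":
                rec["upstream"] = m["value"]
            else:  # reply, cached, gravity blocked, ...
                rec["status"] = action
                rec["answers"].append(m["value"])
    return done

if __name__ == "__main__":
    # One JSON object per query, ready for a log forwarder to pick up.
    for rec in collate(SAMPLE_LOG.splitlines()):
        print(json.dumps(rec))
```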

Thanks to both... this was the solution for me...