Log filter to see only denied requests at "Tail pihole.log"

Hi!!

I would like to have a filter inside the log to see only blocked requests, something like that:


Tools - Pihole.log

Output the last lines of the pihole.log file (live)

Apr 28 08:10:10 dnsmasq[5121]: /etc/pihole/gravity.list app-measurement.com is 0.0.0.0
Apr 28 08:25:18 dnsmasq[5121]: /etc/pihole/gravity.list www.googleadservices.com is 0.0.0.0
Apr 28 08:26:35 dnsmasq[5121]: /etc/pihole/gravity.list self.events.data.microsoft.com is 0.0.0.0
Apr 28 08:26:37 dnsmasq[5121]: /etc/pihole/gravity.list device-metrics-us.amazon.com is 0.0.0.0

x Automatic scrolling on update
x Show only blocked requests


I think that it is very easy to put a checkbox to activate / deactivate it... only with a little development, and very useful to find problems with some applications filtered.

And also, as an extra feature, it could show the origin IP address or name that made the request, something like that:

Apr 28 08:10:10 dnsmasq[5121]: /etc/pihole/gravity.list app-measurement.com is 0.0.0.0 requested from 192.168.1.2
Apr 28 08:25:18 dnsmasq[5121]: /etc/pihole/gravity.list www.googleadservices.com is 0.0.0.0 requested from 192.168.1.6
Apr 28 08:26:35 dnsmasq[5121]: /etc/pihole/gravity.list self.events.data.microsoft.com is 0.0.0.0 requested from 192.168.1.6
Apr 28 08:26:37 dnsmasq[5121]: /etc/pihole/gravity.list device-metrics-us.amazon.com is 0.0.0.0 requested from 192.168.1.2

Or:

Apr 28 08:10:10 dnsmasq[5121]: /etc/pihole/gravity.list app-measurement.com is 0.0.0.0 requested from iphone-x.domain.local
Apr 28 08:25:18 dnsmasq[5121]: /etc/pihole/gravity.list www.googleadservices.com is 0.0.0.0 requested from iphone-x.domain.local
Apr 28 08:26:35 dnsmasq[5121]: /etc/pihole/gravity.list self.events.data.microsoft.com is 0.0.0.0 requested from amazon-echo.domain.local
Apr 28 08:26:37 dnsmasq[5121]: /etc/pihole/gravity.list device-metrics-us.amazon.com is 0.0.0.0 requested from amazon-echo.domain.local

If you look at the current output of /var/log/pihole.log

Apr 28 11:36:01 dnsmasq[7998]: query[A] logger.foxitcloud.com from 10.0.10.136
Apr 28 11:36:01 dnsmasq[7998]: gravity blocked logger.foxitcloud.com is 0.0.0.0
Apr 28 11:36:13 dnsmasq[7998]: query[A] logger.foxitcloud.com from 10.0.10.136
Apr 28 11:36:13 dnsmasq[7998]: gravity blocked logger.foxitcloud.com is 0.0.0.0
Apr 28 11:36:28 dnsmasq[7998]: query[A] www.google.com from 10.0.99.192
Apr 28 11:36:28 dnsmasq[7998]: forwarded www.google.com to 127.0.0.1
Apr 28 11:36:28 dnsmasq[7998]: reply www.google.com is 172.217.23.132
Apr 28 11:36:28 dnsmasq[7998]: query[AAAA] www.google.com from 10.0.99.192
Apr 28 11:36:28 dnsmasq[7998]: forwarded www.google.com to 127.0.0.1
Apr 28 11:36:28 dnsmasq[7998]: reply www.google.com is 2a00:1450:4001:81e::2004
Apr 28 11:36:31 dnsmasq[7998]: query[A] logger.foxitcloud.com from 10.0.10.136
Apr 28 11:36:31 dnsmasq[7998]: gravity blocked logger.foxitcloud.com is 0.0.0.0
Apr 28 11:36:53 dnsmasq[7998]: query[A] ping.ubnt.com from 10.0.1.1
Apr 28 11:36:53 dnsmasq[7998]: forwarded ping.ubnt.com to 127.0.0.1
Apr 28 11:36:53 dnsmasq[7998]: reply ping.ubnt.com is <CNAME>
Apr 28 11:36:53 dnsmasq[7998]: reply dl.ubnt.com is <CNAME>
Apr 28 11:36:53 dnsmasq[7998]: reply d2cnv2pop2xy4v.cloudfront.net is 99.84.152.160

you can already see where the request originated from (query[A] logger.foxitcloud.com from 10.0.10.136) and that it was later blocked (gravity blocked logger.foxitcloud.com is 0.0.0.0). As this logging is at least a two-step process (what is the query and where is it from; what should happen with the query and what was the answer), it is impossible to filter it "live", because at the moment the query is seen pihole doesn't know if it will be blocked.

But you already got a nice tool to analyze exactly what you want: the query log. All recent queries are displayed even with their origin and reply status. It is not live but if you refresh you get the latest queries. (Even in my home network with few active devices the live view is way too fast to really analyse it visually as long as scrolling is activated - with scrolling disabled I see no benefit to the query log.)

At the moment you can't filter for status - but this is already in development.


If you tail the Pi-hole log directly from the command line (with the command pihole -t), the output is color coded and blocked queries are shown in red for easy visibility. Typically the request appears on the line directly above the red line.


You can also live tail the pihole log and filter as you desire, using a command similar to these examples; the output will be limited to the search term.

tail -f /var/log/pihole.log | grep 0.0.0.0

Apr 30 12:52:51 dnsmasq[3709]: gravity blocked telemetry.dropbox.com is 0.0.0.0
Apr 30 12:52:55 dnsmasq[3709]: gravity blocked api.mixpanel.com is 0.0.0.0
Apr 30 12:53:55 dnsmasq[3709]: gravity blocked api.mixpanel.com is 0.0.0.0

tail -f /var/log/pihole.log | grep 192.168.0.135

Apr 30 12:52:55 dnsmasq[3709]: query[A] api.mixpanel.com from 192.168.0.135
Apr 30 12:53:55 dnsmasq[3709]: query[A] api.mixpanel.com from 192.168.0.135
Apr 30 12:54:18 dnsmasq[3709]: query[A] www.appleiphonecell.com from 192.168.0.135
Apr 30 12:54:55 dnsmasq[3709]: query[A] api.mixpanel.com from 192.168.0.135
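
Added example, not part of any post in this thread: because the client appears on the query[...] line and the verdict on a later line, a filter that shows blocked requests together with their origin has to remember the last client seen per domain and emit output only when the block line arrives. The function names and the sample log (assembled from lines quoted above, with the last line constructed to have no matching query) are assumptions.

```shell
#!/bin/sh
# Reads dnsmasq-style pihole.log lines on stdin and prints one line per
# blocked request, annotated with the client that asked for the domain.
# Live use: tail -f /var/log/pihole.log | blocked_with_client
blocked_with_client() {
    awk '
    function report(domain,    who) {
        # Heuristic: the most recent client to query this domain. Two
        # clients asking for the same name at once can be mis-attributed.
        who = (domain in client) ? client[domain] : "unknown"
        printf "%s %s %s blocked %s requested from %s\n", $1, $2, $3, domain, who
        fflush()   # keep output live when piped onward
    }
    # "query[A] example.com from 10.0.10.136": remember who asked
    $5 ~ /^query\[/ && $7 == "from" { client[$6] = $8; next }
    # "gravity blocked example.com is 0.0.0.0": current log format
    $5 == "gravity" && $6 == "blocked" { report($7); next }
    # "/etc/pihole/gravity.list example.com is 0.0.0.0": form used in
    # the mock-up in the first post
    $5 == "/etc/pihole/gravity.list" { report($6); next }
    '
}

# Constructed sample input so the example runs offline.
sample_log() {
    cat <<'EOF'
Apr 28 11:36:01 dnsmasq[7998]: query[A] logger.foxitcloud.com from 10.0.10.136
Apr 28 11:36:01 dnsmasq[7998]: gravity blocked logger.foxitcloud.com is 0.0.0.0
Apr 28 11:36:28 dnsmasq[7998]: query[A] www.google.com from 10.0.99.192
Apr 28 11:36:28 dnsmasq[7998]: forwarded www.google.com to 127.0.0.1
Apr 28 11:36:28 dnsmasq[7998]: reply www.google.com is 172.217.23.132
Apr 30 12:52:55 dnsmasq[3709]: query[A] api.mixpanel.com from 192.168.0.135
Apr 30 12:52:55 dnsmasq[3709]: gravity blocked api.mixpanel.com is 0.0.0.0
Apr 30 12:53:01 dnsmasq[3709]: gravity blocked telemetry.dropbox.com is 0.0.0.0
EOF
}

sample_log | blocked_with_client
```

The per-domain table grows with the number of distinct names seen, so restart the pipeline occasionally on a long-running tail.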

Hi all, not sure if this is super hard as I'm not a coder, but I was thinking it would be nice to add a checkbox to the log tail screen so that when you're trying to find out why a site isn't working you could watch only for the gravity blocks.

I got my Pi-holes set up yesterday and while watching TV we decided to switch from Hulu to Netflix and Netflix didn't work. Well, I wanted to troubleshoot it and my girlfriend got bored and pulled out her laptop and her cell phone and started going crazy on the DNS queries, so it was hard for me to nail down the specifics of what was causing the Netflix problem vs what was ads being blocked to her devices. She was a little perturbed that I had to ask her to take her hands off her devices and be bored for a solid couple of minutes while I fixed the Netflix. ROFLMAO!

If you can implement this in a future update thanks!! :smile: