REQUEST: Option to send logs to a remote logserver

As the title suggested, the option to send the logs to a remote syslogserver via port 514 TCP/UDP.

Would be a great functionality

To clarify: Live or once a day or something similar?

Hi,

Live would be the best thing to do. Using “logger” to log it into the syslog on the pi would be one approach.

We use dnsmasq in the backend to generate the logs. It only supports logging to a (local) file or to syslog. No option to send it via IP somewhere.

Sending it to syslog with log-facility=/var/log/syslog?

No, look here: https://en.wikipedia.org/wiki/Syslog#Facility

Oh I see, removing log-facility in 01-pi.hole.conf does send it to syslog, that will solve it!

Okay, I’m still not sure why that would send it to some

but I guess you configured that elsewhere.

Sending it to syslog via local0, and rsyslog takes care of the rest.

I will try to write a nice rule that can be placed in /etc/rsyslog.d/ that can be used for sending logs from pihole to a remote syslog server.

Dear wioxjk,
1)
Observation:
Most GNU/Linux distros use the package rsyslogd as the system logging service.
Check for /etc/rsyslog.conf
2)
Observation:
By default, dnsmasq sends its log lines to the system log service,
unless commanded otherwise.
The default dnsmasq configuration has log-facility=DAEMON
(Read the dnsmasq manpages)
The original Pi-hole developer decided to override the default with log-facility=[A-FILE-NAME]
3)
Possible HowTo:
Make /etc/dnsmasq.d/99-pihole-log-facility.conf containing:

log-facility=DAEMON

to over-override Pi-hole’s configuration.
No need to tamper with /etc/dnsmasq.d/01-pihole.log
since it does NOT “belong” to you.
Just “comment” the “log-facility=” statement there.
4)
Possible HowTo:
Make /etc/rsyslog.d/11-dnsmasq-pihole-log.conf containing something like the following:

##########################################################################
#                                                                        #
# This file is : /etc/rsyslog.d/11-dnsmasq-pihole-log.conf               #
#                                                                        #
# Debian based distros :                                                 #
#                                                                        #
#     /etc/rsyslog.conf contains :                                       #
#                                                                        #
#     $IncludeConfig /etc/rsyslog.d/*.conf                               #
#                                                                        #
# Caution :                                                              #
#                   rsyslog includes all the files,                      #
#                           and then evaluates the resulting config      #
#                                                                        #
# Warning :                                                              #
#                   rsyslog inserts the HOSTNAME in the new log line,    #
#                           between the log date and the log programname #
#                                                                        #
##########################################################################
#
#
##########################################################################
#                                                                        #
# rsyslogd filter file                                                   #
#                                                                        #
##########################################################################
#
#
#------------------------------------------------------------------------#
# Filter A : Send ALL dnsmasq loglines to a log destination.             #
#            For remote : adapt and UN-comment the remote destination.   #
#------------------------------------------------------------------------#
#
if ( $programname == "dnsmasq" )
then {
       /var/log/pihole/dnsmasq.pihole.full.log
#      @myremotelogmachinedomainnameORmyremotelogmachineIPaddress  (UDP)
#      @@myremotelogmachinedomainnameORmyremotelogmachineIPaddress (TCP)
#
#
#
#------------------------------------------------------------------------#
# Filter B : Send ONLY the DNS queries to a log destination:             #
#            For remote : adapt and UN-comment the remote destination.   #
#------------------------------------------------------------------------#
#
       if ( $msg contains "query[A" )
       then {
              /var/log/pihole/dnsmasq.pihole.query.log
#             @myremotelogmachinedomainnameORmyremotelogmachineIPaddress  (UDP)
#             @@myremotelogmachinedomainnameORmyremotelogmachineIPaddress (TCP)
#             For the count of the DNS queries = Use :
#             wc -l /var/log/pihole/dnsmasq.pihole.query.log
            }
#
#
#
#------------------------------------------------------------------------#
# Filter C : Send ONLY the BLOCKED domains to a log destination.         #
#            Variation (1) : test the presence of "gravity.list".        #
#            For remote : adapt and UN-comment the remote destination.   #
#------------------------------------------------------------------------#
#
       if ( $msg contains "/etc/pihole/gravity.list" )
       then {
              /var/log/pihole/dnsmasq.pihole.blocked.log
#             @myremotelogmachinedomainnameORmyremotelogmachineIPaddress  (UDP)
#             @@myremotelogmachinedomainnameORmyremotelogmachineIPaddress (TCP)
#             For the count of the blocked domains = Use :
#             wc -l /var/log/pihole/dnsmasq.pihole.blocked.log
            }
#
#
#
#------------------------------------------------------------------------#
# Filter D : Send DNS queries and BLOCKED domains to a log destination.  #
#            Variation (2) : test the pihole IP address.                 #
#            This captures the wildcard domain names also.               #
#            For remote : adapt and UN-comment the remote destination.   #
#------------------------------------------------------------------------#
#
       if ( $msg contains "query[A" or $msg contains "is 10.2.1.47" )
       then {
              /var/log/pihole/pihole.log
#             @myremotelogmachinedomainnameORmyremotelogmachineIPaddress  (UDP)
#             @@myremotelogmachinedomainnameORmyremotelogmachineIPaddress (TCP)
            }
#
#------------------------------------------------------------------------#
# End of Filters B C D                                                   #
#------------------------------------------------------------------------#
#
#
#
#------------------------------------------------------------------------#
# Since we have the dnsmasq loglines in our logs now :                   #
# Do NOT log the dnsmasq loglines in the system log.                     #
#------------------------------------------------------------------------#
#
       stop
     }
#
#------------------------------------------------------------------------#
# End of Filter A                                                        #
#------------------------------------------------------------------------#
#
#
#
##########################################################################
#                                                                        #
##########################################################################

Your preferences may vary. :slight_smile:

Note to the pi-hole developers: these filters work faster than faster than light :wink:

Grtz, F.C.

2 Likes
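
Before a rule like the one above goes into /etc/rsyslog.d/, its conditions can be replayed over sample input to see which lines each filter would write or forward. This is an added example, not code from the thread or from Pi-hole; the log lines are constructed, and `LINE`, `route` and `summarize` are illustrative names.

```python
import re

# Constructed sample lines in the shape rsyslog writes: date, HOSTNAME, tag, msg.
SAMPLE = """\
Jan  5 10:00:01 pihole dnsmasq[812]: query[A] example.org from 192.168.1.20
Jan  5 10:00:01 pihole dnsmasq[812]: forwarded example.org to 192.0.2.53
Jan  5 10:00:01 pihole dnsmasq[812]: reply example.org is 198.51.100.7
Jan  5 10:00:02 pihole dnsmasq[812]: query[AAAA] ads.example.net from 192.168.1.20
Jan  5 10:00:02 pihole dnsmasq[812]: /etc/pihole/gravity.list ads.example.net is 10.2.1.47
Jan  5 10:00:03 pihole dnsmasq[812]: query[TXT] x1.tunnel.example from 192.168.1.31
Jan  5 10:00:04 pihole sshd[990]: Accepted publickey for admin
"""

# Groups: hostname, program name (what rsyslog calls $programname), message ($msg).
LINE = re.compile(r"^\w{3}\s+\d+ [\d:]{8} (\S+) ([^\s\[:]+)(?:\[\d+\])?: (.*)$")
PIHOLE_IP = "10.2.1.47"  # the address tested in Filter D of the post


def route(line):
    """Return the filter letters (A-D) whose condition this log line meets."""
    m = LINE.match(line)
    if not m or m.group(2) != "dnsmasq":   # outer test on $programname
        return set()
    msg = m.group(3)
    hits = {"A"}                           # Filter A takes every dnsmasq line
    if "query[A" in msg:                   # Filter B: substring test, as in the rule
        hits.add("B")
    if "/etc/pihole/gravity.list" in msg:  # Filter C
        hits.add("C")
    if "query[A" in msg or f"is {PIHOLE_IP}" in msg:  # Filter D
        hits.add("D")
    return hits


def summarize(text):
    """Map each filter letter to the messages it would write or forward."""
    out = {letter: [] for letter in "ABCD"}
    for line in text.splitlines():
        for letter in sorted(route(line)):
            out[letter].append(line.split(": ", 1)[1])
    return out


if __name__ == "__main__":
    for letter, msgs in summarize(SAMPLE).items():
        print(f"Filter {letter}: {len(msgs)} line(s)")
        for msg in msgs:
            print("    " + msg)
```

The substring `query[A` matches A and AAAA queries only, so the TXT lookup in the sample reaches a remote server through Filter A alone; the non-dnsmasq line matches nothing and stays in the system log.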

I’m a physicist in real life. I tell you: They cannot!
FTL is (by definition!) the best approach :wink:

1 Like

Rsyslog can read a flat file as well. See

Not as fancy as filters, but we can add a tag; I used ‘pihole:’ as my tag. In the lab I got data to /var/log/syslog (Ubuntu OS).
JB