REQUEST: Option to send logs to a remote logserver

As the title suggests: the option to send the logs to a remote syslog server via port 514 TCP/UDP.

Would be a great functionality.

To clarify: Live or once a day or something similar?

Hi,

Live would be the best thing to do. Using "logger" to log it into the syslog on the pi would be one approach.

We use dnsmasq in the backend to generate the logs. It only supports logging to a (local) file or to syslog. No option to send it via IP somewhere.

Sending it to syslog with log-facility=/var/log/syslog?

No, look here: Syslog - Wikipedia

Oh I see, removing log-facility in 01-pi.hole.conf does send it to syslog, that will solve it!

Okay, I'm still not sure why that would send it to some

but I guess you configured that elsewhere.

Sending it to syslog via local0, and rsyslog takes care of the rest.

I will try to write a nice rule that can be placed in /etc/rsyslog.d/ that can be used for sending logs from pihole to a remote syslog server.

Dear wioxjk,
1)
Observation:
Most GNU/Linux distros use the package rsyslogd as the system logging service.
Check for /etc/rsyslog.conf
2)
Observation:
By default, dnsmasq sends its log lines to the system log service,
unless commanded otherwise.
The default dnsmasq configuration has log-facility=DAEMON
(Read the dnsmasq manpages)
The original Pi-hole developer decided to override the default with log-facility=[A-FILE-NAME]
3)
Possible HowTo:
Make /etc/dnsmasq.d/99-pihole-log-facility.conf containing:

log-facility=DAEMON

to over-override Pi-hole's configuration.
No need to tamper with /etc/dnsmasq.d/01-pihole.log
since it does NOT "belong" to you.
Just "comment" the "log-facility=" statement there.
4)
Possible HowTo:
Make /etc/rsyslog.d/11-dnsmasq-pihole-log.conf containing something like the following:

##########################################################################
#                                                                        #
# This file is : /etc/rsyslog.d/11-dnsmasq-pihole-log.conf               #
#                                                                        #
# Debian based distros :                                                 #
#                                                                        #
#     /etc/rsyslog.conf contains :                                       #
#                                                                        #
#     $IncludeConfig /etc/rsyslog.d/*.conf                               #
#                                                                        #
# Caution :                                                              #
#                   rsyslog includes all the files,                      #
#                           and then evaluates the resulting config      #
#                                                                        #
# Warning :                                                              #
#                   rsyslog inserts the HOSTNAME in the new log line,    #
#                           between the log date and the log programname #
#                                                                        #
##########################################################################
#
#
##########################################################################
#                                                                        #
# rsyslogd filter file                                                   #
#                                                                        #
##########################################################################
#
#
#------------------------------------------------------------------------#
# Filter A : Send ALL dnsmasq loglines to a log destination.             #
#            For remote : adapt and UN-comment the remote destination.   #
#------------------------------------------------------------------------#
#
if ( $programname == "dnsmasq" )
then {
       /var/log/pihole/dnsmasq.pihole.full.log
#      Remote destination : adapt the host, then remove the leading "#".
#      A single "@" forwards over UDP, a double "@@" over TCP.
#      @myremotelogmachinedomainnameORmyremotelogmachineIPaddress
#      @@myremotelogmachinedomainnameORmyremotelogmachineIPaddress
#
#
#
#------------------------------------------------------------------------#
# Filter B : Send ONLY the DNS queries to a log destination:             #
#            For remote : adapt and UN-comment the remote destination.   #
#------------------------------------------------------------------------#
#
       if ( $msg contains "query[A" )
       then {
              /var/log/pihole/dnsmasq.pihole.query.log
#             Remote destination : adapt the host, then remove the leading "#".
#             A single "@" forwards over UDP, a double "@@" over TCP.
#             @myremotelogmachinedomainnameORmyremotelogmachineIPaddress
#             @@myremotelogmachinedomainnameORmyremotelogmachineIPaddress
#             For the count of the DNS queries = Use :
#             wc -l /var/log/pihole/dnsmasq.pihole.query.log
            }
#
#
#
#------------------------------------------------------------------------#
# Filter C : Send ONLY the BLOCKED domains to a log destination.         #
#            Variation (1) : test the presence of "gravity.list".        #
#            For remote : adapt and UN-comment the remote destination.   #
#------------------------------------------------------------------------#
#
       if ( $msg contains "/etc/pihole/gravity.list" )
       then {
              /var/log/pihole/dnsmasq.pihole.blocked.log
#             Remote destination : adapt the host, then remove the leading "#".
#             A single "@" forwards over UDP, a double "@@" over TCP.
#             @myremotelogmachinedomainnameORmyremotelogmachineIPaddress
#             @@myremotelogmachinedomainnameORmyremotelogmachineIPaddress
#             For the count of the blocked domains = Use :
#             wc -l /var/log/pihole/dnsmasq.pihole.blocked.log
            }
#
#
#
#------------------------------------------------------------------------#
# Filter D : Send DNS queries and BLOCKED domains to a log destination.  #
#            Variation (2) : test the pihole IP address.                 #
#            This captures the wildcard domain names also.               #
#            For remote : adapt and UN-comment the remote destination.   #
#------------------------------------------------------------------------#
#
       if ( $msg contains "query[A" or $msg contains "is 10.2.1.47" )
       then {
              /var/log/pihole/pihole.log
#             Remote destination : adapt the host, then remove the leading "#".
#             A single "@" forwards over UDP, a double "@@" over TCP.
#             @myremotelogmachinedomainnameORmyremotelogmachineIPaddress
#             @@myremotelogmachinedomainnameORmyremotelogmachineIPaddress
            }
#
#------------------------------------------------------------------------#
# End of Filters B C D                                                   #
#------------------------------------------------------------------------#
#
#
#
#------------------------------------------------------------------------#
# Since we have the dnsmasq loglines in our our logs now :               #
# Do NOT log the dnsmasq loglines in the system log.                     #
#------------------------------------------------------------------------#
#
       stop
     }
#
#------------------------------------------------------------------------#
# End of Filter A                                                        #
#------------------------------------------------------------------------#
#
#
#
##########################################################################
#                                                                        #
##########################################################################

Your preferences may vary. :slight_smile:

Note to the pi-hole developers: these filters work faster than faster than light :wink:

Grtz, F.C.

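A RainerScript version of "Filter A", added here as an example and not part of F.C.'s file: it keeps the local copy and forwards every dnsmasq line over TCP (the "@@host" of the legacy syntax) through a disk-assisted action queue, so lines are buffered locally instead of dropped while the collector is unreachable, which a bare "@@host" line does not do on its own. The file name, the target logserver.example.net and the queue name are placeholders. Use it in place of Filter A rather than beside it: rsyslog evaluates the included files in name order, and the "stop" in whichever file comes first ends processing of the line.

```conf
# /etc/rsyslog.d/11-dnsmasq-pihole-forward.conf   (placeholder file name)
#
# Replacement for "Filter A": keep a local copy of every dnsmasq line and
# forward it to a remote collector over TCP, buffered in a disk-assisted
# queue so nothing is dropped while the collector is down.

if ( $programname == "dnsmasq" ) then {

    # local copy, same path as in the filter file above
    action(type="omfile" file="/var/log/pihole/dnsmasq.pihole.full.log")

    # remote copy; target is a placeholder, port 514/tcp as requested in
    # the thread. The queue.* parameters keep up to 50000 lines in memory
    # and spill to disk (rsyslog's work directory) when the link is down;
    # action.resumeRetryCount="-1" retries forever instead of discarding.
    action(type="omfwd"
           target="logserver.example.net"
           port="514"
           protocol="tcp"
           action.resumeRetryCount="-1"
           queue.type="LinkedList"
           queue.filename="pihole_fwd"
           queue.size="50000"
           queue.saveOnShutdown="on")

    # the dnsmasq lines are in the files above now: keep them out of /var/log/syslog
    stop
}
```

Check the file with `rsyslogd -N1` before restarting the service. `queue.filename` spools into the work directory set in /etc/rsyslog.conf (`/var/spool/rsyslog` on Debian-based systems), so that directory must exist and be writable by rsyslog. As the filter file above already notes, every forwarded line carries the Pi-hole's own hostname, which is what the collector will index on.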

I'm a physicist in real life. I tell you: They cannot!
FTL is (by definition!) the best approach :wink:


Rsyslog can read a flat file as well. See

Not as fancy as filters, but we can add a tag. I used 'pihole:' as my tag. In the lab I got data to /var/log/syslog (Ubuntu OS).
JB
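One way to do what JB describes, as an added example that is not JB's configuration: rsyslog's imfile input tails Pi-hole's flat log file, tags each line "pihole:", and binds the input to its own ruleset so the lines go only to the remote collector and do not also land in /var/log/syslog. The file name and the target logserver.example.net are placeholders, and /var/log/pihole.log is an assumption for the path in Pi-hole's log-facility= line.

```conf
# /etc/rsyslog.d/10-pihole-imfile.conf   (placeholder file name)
#
# Read Pi-hole's flat log file and forward each line as a syslog message.

module(load="imfile")

# Assumption: Pi-hole writes to /var/log/pihole.log (the path given in its
# log-facility= line); adjust if yours differs. Each line is tagged "pihole:"
# and given facility local0, so the receiver can match on either.
input(type="imfile"
      file="/var/log/pihole.log"
      tag="pihole:"
      facility="local0"
      severity="info"
      ruleset="pihole_remote")

# Binding the input to its own ruleset means these lines never reach the
# default ruleset, so they do not also end up in /var/log/syslog.
ruleset(name="pihole_remote") {
    # placeholder target; protocol="udp" is the "@host" of the legacy syntax,
    # protocol="tcp" the "@@host"
    action(type="omfwd"
           target="logserver.example.net"
           port="514"
           protocol="udp")
}
```

Leaving the ruleset= parameter off the input sends the tagged lines through the default ruleset instead, which is the behaviour JB saw with the lines appearing in /var/log/syslog.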

I know that this is an old post, but hopefully I can use this instead of opening a new post.

Does the pihole/pihole docker image have the ability to use syslog natively? There are no references to it in the supervisor or in init.d.

Motivation: I want to send my pihole logs to elasticsearch (ELK) and visualize the spread on grafana / kibana.


Possible HowTo:

Make /etc/dnsmasq.d/99-pihole-log-facility.conf containing:

log-facility=DAEMON

to over-override Pi-hole’s configuration.

No need to tamper with /etc/dnsmasq.d/01-pihole.log
since it does not “belong” to you.

Just “comment” the “log-facility=” statement there.


Thank you for the great work with pi-hole!

I would like to request an enhancement, allowing for DNS call logging to a remote logger, via the GUI. The intent would be to have long-term (historic) archiving of all DNS calls (with check boxes to enable/disable log types). With this feature, it will allow for the query of DNS names and/or IPs, for correlation purposes (via my SIEM solution).

In a corporate environment, if there is a defined logging setup option, for compliance/audit purposes, there will potentially be a higher adoption rate from that perspective (auditors want screenshots of where in the GUI the logger is set up).

Thank you in advance.


When conceptually looking at the application, how much effort would be needed to complete the above?

If all you are looking for is pure logs, the file located at /etc/pihole/pihole-FTL.db is likely the data you need.

Not necessarily a huge amount of effort, but since only a few people would work on it in their spare time, it would take a while. Also, we are currently busy with v4.1 and v5.0, which do not have plans for this functionality.

Add a syslog forwarder as an option for all requests, passed or blocked.

I tried several things found on the internet, but nothing worked.
Is it possible to help me with this?