dstore-dist-eventforwarder

Configuring dstore-dist-eventforwarder to Send Events to Elasticsearch

dstore-dist-eventforwarder processes the messages related to DNS filtering events and stores them in Elasticsearch in a form suitable for search and retrieval over the REST API provided by the dstore-dist-report-api component. If DNS filtering is not in use in your environment, neither dstore-dist-eventforwarder nor dstore-dist-report-api needs to be configured.

dstore-dist-eventforwarder is configured using the configuration file eventforwarder.yml, which by default is located in /etc/pdns-dstore-dist/.

Events must be filtered in dstore-dist before they are sent to dstore-dist-eventforwarder; this is done with the filters setting of a route in the dstore-dist configuration. The filters should pass only response messages that carry tags, so that messages not associated with a DNS filtering event are never sent to dstore-dist-eventforwarder. An example dstore-dist configuration is shown below:

destinations:
  # Arbitrary names that can be referred to in routes
  mydestination:
    addresses:
      - "192.168.1.2:1234"
# routes is a top-level key, not nested under destinations
routes:
  # Arbitrary route name
  myroute:
    destinations:
      - mydestination
    # Only tagged response messages are forwarded
    filters:
      - has_tags: true
      - is_response: true

Configuring dstore-dist-eventforwarder consists of specifying the Elasticsearch/OpenSearch connection details and specifying how the tags present in a message are mapped to categories such as content filtering or malware.

An example dstore-dist-eventforwarder configuration is shown below:

listen_addr: ":8332"

# Define filter types by tags.
filter_tags:
    contentfilter:
      - tagA
      - tagB
    malware: [tagC, tagD]
    blocklist:
      - tagE
    #phishing:
    #botnet:

elasticsearch:
    # Elasticsearch index where messages are sent.
    index: my-forwarder-index
    # Append the date to the index name to ensure a new index gets created each day
    add_date_to_index: true
    # The address of the elasticsearch server.
    addr: http://elasticsearch:9200
    # Auth username.
    user: elastic
    # Auth password.
    password: changeme

If a received message matches none of the tags listed in filter_tags, the report generated from it is not useful: dstore-dist-report-api ignores such reports.
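The following is an added example, not code from the dstore-dist project, that models the two stages described above: the route filters (has_tags, is_response) and the filter_tags mapping of tags to categories. It also lints the mapping for empty categories and tags listed under more than one category, and counts forwarded messages that match no category (the reports dstore-dist-report-api would ignore). The filter_tags dict copies the page's example; the sample messages and the qname field name are constructed assumptions.

```python
from collections import defaultdict

# Constructed copy of the page's filter_tags section as a Python dict.
FILTER_TAGS = {
    "contentfilter": ["tagA", "tagB"],
    "malware": ["tagC", "tagD"],
    "blocklist": ["tagE"],
}

# Constructed messages; "is_response" and "tags" mirror the page's filters,
# "qname" is an assumed field name.
MESSAGES = [
    {"qname": "ads.example", "is_response": True, "tags": ["tagA"]},
    {"qname": "evil.example", "is_response": True, "tags": ["tagD", "tagE"]},
    {"qname": "evil.example", "is_response": False, "tags": ["tagD"]},  # a query
    {"qname": "clean.example", "is_response": True, "tags": []},        # untagged
    {"qname": "odd.example", "is_response": True, "tags": ["tagZ"]},    # unknown tag
]

def lint_filter_tags(filter_tags):
    """Problems in the mapping: empty categories and tags that appear under
    more than one category (the classification would be ambiguous)."""
    problems, owners = [], defaultdict(list)
    for category, tags in filter_tags.items():
        if not tags:
            problems.append(f"category {category!r} has no tags")
        for tag in tags:
            owners[tag].append(category)
    problems += [f"tag {t!r} listed in several categories: {c}"
                 for t, c in owners.items() if len(c) > 1]
    return problems

def passes_route_filters(msg):
    """The page's dstore-dist route filters: has_tags and is_response."""
    return bool(msg["is_response"]) and bool(msg["tags"])

def categorise(msg, filter_tags=FILTER_TAGS):
    """Sorted categories whose tags intersect the message's tags; an empty
    list means no filter_tags entry matched and report-api would ignore it."""
    return sorted(c for c, tags in filter_tags.items() if set(tags) & set(msg["tags"]))

def forward(messages, filter_tags=FILTER_TAGS):
    """Route filter first, then categorise; returns the forwarded
    (qname, categories) pairs and how many of them matched no category."""
    forwarded = [(m["qname"], categorise(m, filter_tags))
                 for m in messages if passes_route_filters(m)]
    return forwarded, sum(1 for _, cats in forwarded if not cats)
```

Running lint_filter_tags against a real eventforwarder.yml (loaded with a YAML parser) before deployment catches a tag accidentally listed under two categories, which the configuration file itself will not flag.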

For more information on the configuration of dstore-dist-eventforwarder, see dstore-dist-eventforwarder Configuration.