dstore-dist-report-api
Configuring dstore-dist-report-api to Retrieve Reports from Elasticsearch
The dstore-dist-report-api exposes a REST API for retrieving information about filtered events stored in
Elasticsearch/OpenSearch. If DNS filtering is not in use in your environment, then dstore-dist-eventforwarder and
dstore-dist-report-api do not need to be configured.
dstore-dist-report-api is configured using the configuration file report-api.yml, which by default is located
in /etc/pdns-dstore-dist/.
Events must be present in Elasticsearch/OpenSearch before dstore-dist-report-api can retrieve them, so
ensure that protobuf query logging is enabled, and that dstore-dist and dstore-dist-eventforwarder are configured
appropriately.
An example dstore-dist-report-api configuration is shown below:

    listen_addr: "localhost:8080"
    # Address for metrics
    http:
      address: ":8081"
    api_key: "12345"
    elasticsearch:
      addr: https://localhost:9200
      index: my-forwarder-index*
      # Auth username.
      user: admin
      # Auth password.
      password: changeme
      tlsconfig:
        insecure_skip_verify: true

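The example values above are placeholders, and insecure_skip_verify: true turns off verification of the Elasticsearch/OpenSearch server certificate. The following audit script is an added example, not part of the original documentation or the PowerDNS code base; it flags those settings in a report-api.yml before deployment. It assumes the key nesting shown in its sample (top-level api_key, http.address, elasticsearch.tlsconfig.insecure_skip_verify) and Go-style listen addresses where an empty host means all interfaces; the function names and placeholder list are hypothetical.

```python
# Added example (not PowerDNS code): audit report-api.yml for weak settings.
# Assumed nesting: top-level api_key, http.address, elasticsearch.tlsconfig.*
SAMPLE = """\
listen_addr: "localhost:8080"
http:
  address: ":8081"
api_key: "12345"
elasticsearch:
  addr: https://localhost:9200
  index: my-forwarder-index*
  user: admin
  password: changeme
  tlsconfig:
    insecure_skip_verify: true
"""  # constructed from the page's example values

PLACEHOLDERS = {"", "12345", "changeme", "admin", "password"}

def flatten(text):
    """Flatten simple indented 'key: value' YAML into {'a.b.c': 'value'}."""
    flat, stack = {}, []  # stack: (indent, key) of currently open mappings
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip())
        key, _, value = raw.strip().partition(":")
        while stack and stack[-1][0] >= indent:
            stack.pop()
        if value.strip():
            flat[".".join([k for _, k in stack] + [key])] = value.strip().strip("\"'")
        else:
            stack.append((indent, key))  # a key with no value opens a mapping
    return flat

def audit(text):
    """Return findings for settings that weaken the report API deployment."""
    cfg, findings = flatten(text), []
    if cfg.get("elasticsearch.tlsconfig.insecure_skip_verify", "").lower() == "true":
        findings.append("elasticsearch.tlsconfig.insecure_skip_verify: server certificate is not verified")
    if "elasticsearch.addr" in cfg and not cfg["elasticsearch.addr"].startswith("https://"):
        findings.append("elasticsearch.addr: credentials sent without TLS")
    for key in ("api_key", "elasticsearch.password"):
        if key in cfg and cfg[key] in PLACEHOLDERS:
            findings.append(f"{key}: empty or placeholder secret")
    for key in ("listen_addr", "http.address"):
        # Assumption: Go-style address, empty host means every interface.
        if key in cfg and cfg[key].rpartition(":")[0] in ("", "0.0.0.0", "[::]"):
            findings.append(f"{key}: listens on all interfaces")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The flattener handles only the plain nested key/value subset used here, without lists or inline comments.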
If you are having problems with retrieving results, you can enable trace logging; use the log.level configuration key, e.g.:
For more information on the configuration of dstore-dist-report-api, see dstore-dist-report-api Configuration.