From c51589adffd0ac50be0ed70fcee8a3358762257f Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Wed, 28 Feb 2024 19:06:23 -0600
Subject: [PATCH] gw1: Scrape BIND DNS server logs

The BIND server on the firewall is configured to write query logs and RPZ rewrite logs to files under `/var/log/named`. We can scrape these logs with Promtail and use the messages for analytics on the DNS-based firewall, etc.
---
 host_vars/gw1.pyrocufflink.blue/main.yml | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/host_vars/gw1.pyrocufflink.blue/main.yml b/host_vars/gw1.pyrocufflink.blue/main.yml
index 765bc76..c83a2e0 100644
--- a/host_vars/gw1.pyrocufflink.blue/main.yml
+++ b/host_vars/gw1.pyrocufflink.blue/main.yml
@@ -21,3 +21,19 @@ sudo_authorized_ssh_keys: |
 # Default flags include -n, which makes Ansible complain about a "missing
 # become password," even though it would never actually prompt for one.
 ansible_become_flags: -H
+
+promtail_scrape_configs:
+- '{{ promtail_default_scrape.journal }}'
+- job_name: named
+ static_configs:
+ - labels:
+ __path__: /var/log/named/*.log
+ job: named
+ pipeline_stages:
+ - regex:
+ expression: ^(?P\S+?) (?P.*)
+ - timestamp:
+ source: timestamp
+ format: '2006-01-02T15:04:05.000'
+ - output:
+ source: message
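Review bot: The `timestamp` stage's `format: '2006-01-02T15:04:05.000'` carries no zone designator, so Promtail will interpret the parsed time as UTC unless a `location` is set; if BIND on gw1 logs with `print-time iso8601` (local time, no offset), every entry would land in Loki shifted by the host's UTC offset, so either switch BIND to `print-time iso8601-utc` or add `location: <gw1's IANA zone name>` beside `format` in the `timestamp` stage. The regex `expression` as rendered here reads `^(?P\S+?) (?P.*)` with no group names, which could not feed `source: timestamp` and `source: message`; this is most likely angle brackets lost in rendering, but it is worth confirming that the committed file names the groups `timestamp` and `message`. Nothing in this hunk grants the Promtail user read access to `/var/log/named/*.log`; if BIND creates those files readable only by its own user and group, the glob will match nothing and the `named` job will be silently empty, so a comment above `promtail_scrape_configs` stating how read access is granted would help the next reader. Query logs also carry client addresses and every name looked up, so the retention and access policy of the receiving Loki should be reviewed alongside this scrape. `promtail_scrape_configs` is a top-level key, so the added block is complete within the hunk.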