Skip to content

Add custom parser for Pi-hole logs on ARM/Armbian (dnsmasq v6 format) #1597

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
SerKando wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add custom parser for Pi-hole logs on ARM/Armbian (dnsmasq v6 format) #1597

SerKando wants to merge 1 commit into from
+13 −0

Conversation

@SerKando
Copy link

@SerKando SerKando commented Dec 7, 2025
edited
Loading

This parser adds support for Pi-hole v6 log format on ARM/Armbian devices, where dnsmasq writes logs directly into /var/log/pihole/*.log instead of syslog/journalctl.

Currently, CrowdSec Hub has no parser capable of handling Pi-hole v6 logs, so CrowdSec cannot ingest DNS queries, FTL events, or webserver logs on ARM boards.

This parser uses a syslog-style GROK pattern compatible with dnsmasq outputs on Pi-hole v6 and has been tested successfully on Radxa Zero 3 (Armbian) with CrowdSec 1.6.

The objective is to help ARM users integrate Pi-hole into CrowdSec without manually creating custom parsers and to make this parser available via Hub so future installations can auto-install it.

Description

Checklist

  • I have read the contributing guide
  • I have tested my changes locally
  • For new parsers or scenarios, tests have been added
  • I have run the hub linter and no issues were reported (see contributing guide)
  • Automated tests are passing
  • AI was used to generate any/all content of this PR

@SerKando
Add custom parser for Pi-hole logs on ARM/Armbian (dnsmasq v6 format)
1a42f02 
This parser adds support for Pi-hole v6 log format on ARM/Armbian devices, where dnsmasq writes logs directly into /var/log/pihole/*.log instead of syslog/journalctl.

Currently, CrowdSec Hub has no parser capable of handling Pi-hole v6 logs, so CrowdSec cannot ingest DNS queries, FTL events, or webserver logs on ARM boards.

This parser uses a syslog-style GROK pattern compatible with dnsmasq outputs on Pi-hole v6 and has been tested successfully on Radxa Zero 3 (Armbian) with CrowdSec 1.6.

The objective is to help ARM users integrate Pi-hole into CrowdSec without manually creating custom parsers and to make this parser available via Hub so future installations can auto-install it.
@SerKando
Copy link
Author

SerKando commented Dec 7, 2025

Additional information:

I can provide real Pi-hole v6 log samples if needed, and I can also run
any extra tests maintainers request on my ARM board (Radxa Zero 3
running Armbian + Pi-hole v6 + CrowdSec 1.6).

This parser fixes a real issue where CrowdSec cannot process Pi-hole v6
logs on ARM devices because dnsmasq no longer writes to syslog.

The goal is to help other ARM/Pi-hole v6 users avoid manual custom
parsers and allow Hub auto-installation in the future.

Happy to adjust anything if maintainers need changes.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

1 participant

@SerKando