CIDR filter reports IP6 addresses as invalid

daniel.dayley · September 10, 2019, 6:51pm

Hey guys, I'm hoping this is an issue on my end rather than an issue with the CIDR filter, but I'm seeing a lot of logstash errors in my CIDR filter relating to certain IP addresses:

[WARN ][logstash.filters.cidr    ] Invalid IP address, skipping {:address=>"%{src}", :event=>#<LogStash::Event:0x54e98d7f>}

My current code relating to that portion is:

cidr {
           address => [ "%{src}" ]
           network_path => "/etc/tables/networks"
           add_field => { "source.internal" => true }
}
mutate {convert => {"source.internal" => "boolean"}}

All the addresses that are triggering the warning are IP6 addresses such as:

2001:2:0:aab1:d94a:844b:7604:ddde
2620:12b:d000:400::1fc5

I'm showing those IP addresses as valid, is there something I'm missing?
Thanks!

Badger · September 10, 2019, 7:15pm

This works for me.

input { generator { count => 1 lines => [ '' ] } }
filter {
    mutate { add_field => { "src" => "2001:2:0:aab1:d94a:844b:7604:ddde" } }
    cidr { address => "%{src}" add_field => { "source.internal" => true } network => "2001:2:0::/48" }
}
output { stdout { codec => rubydebug { metadata => false } } }

Are you sure that is the value of your [src] field? Leading or trailing blanks would cause that failure.

It would have been nice if the filter logged the address after it has been sprintf'd.

system · October 8, 2019, 7:15pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.