I have been observing a problem using the cidr filter. Occasionally, we have applications that will connect to their own loopback interfaces. These events are logged as originating from IPv4 loopback
127.0.0.1
or IPv6 loopback
::1
::1%0
The cidr filter has no trouble accepting IPv4 loopback addresses, but it will error on IPv6 loopback, claiming an invalid address was provided.
The IPv6 grok filter was used to validate the addresses before sending them to cidr, and there is nothing invalid about the IPv6 address "::1". (The "%[number]" suffix also is valid, as it refers to the local interface number, and also should be allowed.)
I am working around the problem by using an "if" statement with a regex check for the ipv6 loopback address before starting my cidr lookups, but this is inefficient and adds a lot of conditional logic to our large collection of cidr lookups.
I was going to just log this as a bug against the cidr filter in GitHub, but I thought I would follow Elastic's recommendations in GitHub and check in here first.
-Greg Mackinnon
Yale University
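
Added example (not part of the original post and not the cidr filter's own code): a stand-alone Ruby sketch of normalizing a logged address before a CIDR membership test, so that `::1`, `::1%0` and `127.0.0.1` go through one code path instead of a separate regex conditional. The function names and the sample network list are hypothetical, and it assumes the zone suffix can be discarded for the purpose of the lookup.

```ruby
require 'ipaddr'

# Constructed sample list; substitute the networks used in your own lookups.
LOOPBACK_NETS = %w[127.0.0.0/8 ::1/128].map { |n| IPAddr.new(n) }.freeze

# Split "addr%zone" into [addr, zone]; zone is nil when no suffix is present.
def split_zone(raw)
  addr, zone = raw.to_s.strip.split('%', 2)
  [addr, zone]
end

# Return an IPAddr for a logged address, or nil if it is not a usable address.
# The zone id (interface number or name) is dropped before parsing, because
# it identifies a local interface and plays no part in a prefix match.
def parse_address(raw)
  addr, zone = split_zone(raw)
  return nil if addr.nil? || addr.empty?
  # Reject prefix notation: a logged source address should be a single host.
  return nil if addr.include?('/')
  # A zone id only makes sense on an IPv6 address and must not be empty.
  return nil if zone && (zone.empty? || !addr.include?(':'))
  IPAddr.new(addr)
rescue IPAddr::Error
  # Raised for malformed text such as "not-an-ip".
  nil
end

# True when the logged address falls inside any of the given networks.
# IPAddr#include? returns false across address families, so a mixed
# IPv4/IPv6 list is safe to pass in.
def in_networks?(raw, networks)
  ip = parse_address(raw)
  return false if ip.nil?
  networks.any? { |net| net.include?(ip) }
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs, including the forms quoted in the post.
  ['127.0.0.1', '::1', '::1%0', 'fe80::1%eth0', '10.1.2.3', 'not-an-ip'].each do |a|
    puts format('%-14s loopback=%s', a, in_networks?(a, LOOPBACK_NETS))
  end
end
```

Invalid input returns `false` rather than raising, so a malformed field does not abort processing of the event; log or tag those cases separately if you need to audit them.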