Cidr plugin just generates warnings

Hello. I've got trouble with the cidr plugin. I'm trying to use it this way:

if ([maliciousIP] == 'false' and [target_host] =~ /^([0-9]{1,3}.){3}([0-9]{1,3})/) {
  cidr {
    address => ["%{target_host}"]
    network_path => '/etc/logstash/conf.d/ipblacklists/subnets.yaml'
    add_field => { "DangerousSubnet" => "true" }
  }
}

but I only got

[WARN ][logstash.filters.cidr ] Invalid IP address, skipping {:address=>"%{target_host}"

in my logs, and the field DangerousSubnet is not added.
What's wrong?

The question is still relevant.

This question is not an Elasticsearch question, so I moved it over to the Logstash forum. Hopefully you will get an answer there.

Have you verified the field content of that address? What is it?

The field was not added because the filter did not successfully complete. Decoration only happens when a filter succeeds.

The message you are getting suggests the field does not exist, so the field substitution does not occur. How that condition could test true if the field does not exist is beyond me.

The content is IP addresses from DNS logs, like '23.100.122.175' etc.
The field was added in the config before.

Oh. Sorry, I'm blind. I incorrectly used the dns plugin, and therefore I do not have an address in this field.
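
An added example, not part of the original thread: one way to guard the cidr filter so that a missing or non-IP target_host is tagged for investigation instead of reaching the filter as the literal string %{target_host}. The tag names are hypothetical, and the pattern only covers dotted-quad IPv4.

```logstash
filter {
  if ![target_host] {
    # Field was never set (for example, an upstream filter did not populate it).
    # Without this guard, "%{target_host}" is passed to cidr unsubstituted.
    mutate { add_tag => ["target_host_missing"] }          # hypothetical tag name
  } else if [target_host] !~ /^([0-9]{1,3}\.){3}[0-9]{1,3}$/ {
    # Field exists but does not hold an IPv4 address (e.g. still a hostname).
    # Dots are escaped and the pattern is anchored at both ends.
    mutate { add_tag => ["target_host_not_ipv4"] }         # hypothetical tag name
  } else if [maliciousIP] == "false" {
    cidr {
      address      => ["%{target_host}"]
      network_path => "/etc/logstash/conf.d/ipblacklists/subnets.yaml"
      # add_field is applied only when the address matches a listed network.
      add_field    => { "DangerousSubnet" => "true" }
    }
  }
}
```

Events carrying either tag point at the upstream stage that should have filled target_host, which is where the problem in this thread turned out to be.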
