Convert mapped IPv6 to IPv4

Elastic Stack Logstash
1

Hi, I have log lines from an IPv4 network.
However, in the log lines some of the IP addresses are mapped toIPv6, i.e. are in IPv6 format.
I wonder if there's a good way for those addresses to be converted to IPv4 format.

Example of IPv4 address mapped in IPv6:

::ffff:a00:6

If you use any online converter, you'll notice that this address translates to the following IPv4 address:

10.0.0.6

I have no issue parsing the addresses since I can use multiple grok filters with %{iPV6:srcIPv6} and %{IPV4:srcIPv4} pattern types.
My ask is around how to convert the IPv6 format into an IPv4 one (same as the tool does).
I've seen in some posts (example 1) where the use of a ruby filter is recommended.
Would appreciate your help.

2

Combining the referenced ruby filter code with Ruby conversion code, I'm trying out the following piece of code in my filter:

if(![srcIPv4] and [srcIPv6]) {	
			mutate { add_field => { "srcIPv4" => ""}}
			ruby {
    			init => 'require "ipaddr"'
  			    code => '
  			        	ipv6 = IPAddr.new(event.get("srcIPv6"))
  				        event.set("srcIPv4",ipv6.native)'
			}
		}

I've used a workaround using [geoip][ip] but I think I'm paying a high computational price for IPv6-to-IPv4 conversion.

The error that I'm getting in logstash's logs, because of this, is:

[2018-12-01T17:34:13,309][ERROR][logstash.filters.ruby    ] Ruby exception occurred: Missing Converter handling for full class name=org.jruby.RubyObjectVar2, simple name=RubyObjectVar2

And a link with the Ruby code working in the tester.

Any help appreciated, thanks!

3

Any thoughts anyone?

4

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.