How do we match multiple random ips?


#1

I am trying to match a random number of ips in my access logs. Basically, the access logs look like this

10.xx.xx.xx 107.xx.xxx.xxx 107.xx.xx.xx, 184.xx.xx.xx, 131.xx.xx.xx, 74.xx.xx.xxx, 209.xx.xx.xxx, 10.xx.xx.x, 10.xx.xx.x.x [27/May/2015:23:59:59 -0400]

The number of ips is random - basically sometimes it is 4, sometimes 6, sometimes 8 and sometimes 10. And they also do not follow any coherent pattern like starting with certain ips (10.84..) and ending with certain ips (208....). The only pattern I can see is that it does have %{SYSLOG5424SD} after the ips.

What I want to do is to be able to get all these ips as a filter. Is there a way to match all these together? When I use grok debugger it gives me %{IP} %{IP} %{IP} .... But that doesn't help me as the number of %{IP} could be different for each log line. I want to create a pattern that says: match all the ips that you see in this log line and label them as IPs. What is the best way to do this?

Any pointers would be of great help.
Thanks,
Ben


(Magnus Bäck) #2

If you're okay with getting all IPs in an array field you can just use grok to extract all the IPs to a string and use the mutate filter to split that string.

filter {
  grok {
    match => ["message", "^(?<ip>%{IP}(, %{IP})*) ..."]
  }
  mutate {
    split => ["ip", ", "]
  }
}

It looks like you might always have at least two IPs, each followed by a space, followed by a comma-separated list of IPs. In that case you'll have to adjust the filters a bit, but it shouldn't be too hard.
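To sanity-check a pattern of this shape before putting it into grok, here is an added Python example (not from the thread, and not Logstash's own code) that applies the same idea with Python's re module: capture the whole run of IPs as one group, then split it, which is what the grok + mutate pair above does. It assumes IPv4 only (grok's %{IP} also matches IPv6) and accepts both space and comma separators, so it also covers the leading space-separated pair mentioned above; the sample lines are constructed.

```python
import re

# Simplified IPv4 dotted-quad, standing in for grok's %{IP} (IPv4 only here).
OCTET = r"(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)"
IPV4 = rf"{OCTET}(?:\.{OCTET}){{3}}"

# Same shape as the grok match: one IP, then any number of further IPs
# separated by spaces and/or ", ", then the bracketed timestamp that
# %{SYSLOG5424SD} would match in grok.
LINE_RE = re.compile(
    rf"^(?P<ips>{IPV4}(?:[ ,]+{IPV4})*)\s+\[(?P<ts>[^\]]+)\]"
)


def extract_ips(line):
    """Return the list of IPs at the start of an access-log line, or None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    # Equivalent of the mutate split, but tolerant of both separators.
    return re.split(r"[ ,]+", m.group("ips"))


# Constructed sample lines in the layout from the question.
SAMPLE_LINES = [
    "10.84.1.2 107.21.3.4 107.22.5.6, 184.1.2.3, 131.4.5.6 [27/May/2015:23:59:59 -0400]",
    "10.84.7.8 209.1.2.3, 74.1.2.30 [27/May/2015:23:59:58 -0400]",
    "not an access log line",
]

if __name__ == "__main__":
    for line in SAMPLE_LINES:
        print(extract_ips(line))
```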


#3

This helps!

Thanks a lot!

