How to drop mutiple IPs efficiently in using grok filter

Chang-Suk_Kang · June 17, 2019, 3:27pm

I'd like to drop multiple ips in messaging.

I wrote config below. .

Sample : I waana drop message including ip (10.10.10.31 ~ 10.10.10.49)

===========================================================================
if [Src_IP] == "10.10.10.31" or [Src_IP] == "10.10.10.32" or [Src_IP] == "10.10.10.33" or [Src_IP] == "10.10.10.34" or ~~~~ or [Src_IP] == "10.10.10.49" { drop {} }

How do I check this config more efficiently??

Any Ideas?? Plz..

Thanks in advance. ^^;

Badger · June 17, 2019, 4:39pm

Match the IP against a set of CIDR ranges that comprise the complete range you want to drop, then drop if the tag is present. For your example that would be

        address => "%{ip}"
        network => [ "10.10.10.31/32", "10.10.10.47/28", "10.10.10.48/31" ]
        add_tag => [ "matched" ]

Chang-Suk_Kang · June 18, 2019, 1:19am

Thanks, I try to... right now~ ^^;

Chang-Suk_Kang · June 20, 2019, 7:08am

It works Great!! Thanks a lot~ ^^;

Topic		Replies	Views
Help with logstash filter Logstash	5	316	March 6, 2020
Logstash filter to match IP's Logstash	4	7210	July 6, 2017
Logstash match IP range Logstash	2	1035	September 11, 2017
Filter specific IP-Addresses Logstash	2	367	June 18, 2018
Invalid IP network, skipping {:network=>"10.13.7.0/10.13.7.24" Logstash	2	682	January 7, 2020

How to drop mutiple IPs efficiently in using grok filter

Related topics