How to drop mutiple IPs efficiently in using grok filter

Chang-Suk_Kang · June 17, 2019, 3:27pm

I'd like to drop multiple ips in messaging.

I wrote config below. .

Sample : I waana drop message including ip (10.10.10.31 ~ 10.10.10.49)

===========================================================================
if [Src_IP] == "10.10.10.31" or [Src_IP] == "10.10.10.32" or [Src_IP] == "10.10.10.33" or [Src_IP] == "10.10.10.34" or ~~~~ or [Src_IP] == "10.10.10.49" { drop {} }

How do I check this config more efficiently??

Any Ideas?? Plz..

Thanks in advance. ^^;

Badger · June 17, 2019, 4:39pm

Match the IP against a set of CIDR ranges that comprise the complete range you want to drop, then drop if the tag is present. For your example that would be

        address => "%{ip}"
        network => [ "10.10.10.31/32", "10.10.10.47/28", "10.10.10.48/31" ]
        add_tag => [ "matched" ]

Chang-Suk_Kang · June 18, 2019, 1:19am

Thanks, I try to... right now~ ^^;

Chang-Suk_Kang · June 20, 2019, 7:08am

It works Great!! Thanks a lot~ ^^;

system · July 18, 2019, 7:08am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.