I have the following configuration (partial output)
# Check if SourceIP address is IPv4 or IPv6. In case SourceIP is IPv6 change its value
#if [SourceIP] =~ ":" { mutate { rename => { "SourceIP" => "SourceIPv6" } } }
#if [SourceIP] =~ ":" { mutate { update => { "SourceIP" => "10.21.88.146" } } }
if [SourceIP] =~ ":" { mutate { gsub => ["SourceIP", "[\d:\w]", "10.21.88.146"] } }
#if ":" in [SourceIP] { mutate { gsub => [ "SourceIP", "[\d:\w]+", "10.21.88.146" ] } }
#if ":" in [SourceIP] { mutate { update => { "SourceIP" => "10.21.88.146" } } }
#if [SourceIP] =~ ":" { mutate { replace => { "SourceIP" => "10.21.88.146" } } }
# cidr check. If the traffic is not coming from TAG-NAME then it's dropped.
# Idea here is to drop all Edge FWs traffic.
cidr {
add_tag => [ "TAG-NAME" ]
address => [ "%{SourceIP}" ]
network => [ "10.0.0.0/8" ]
}
if "TAG-NAME" not in [tags] { drop { } }
Basically for IPv4 addresses I've got a CIDR filter and if the IPv4 does not belong to 10.0.0.0/8 the traffic gets dropped. However, I do have log entries with IPv6 addresses so using mutate and replace/gsub/update i tried to change the field value of these to be equal to a dummy ip address that'd be in the 10.0.0.0/8 range so that it could pass the CIDR check and be also forwarded to its final destination.
However, Logstash throws an error saying the following. Notice that the SourceIP field is changed but the value is assigned multiple times.
if I change my regex in gsub to be equal to [\d:\w]+
instead [\d:\w]
that won't work and the traffic gets dropped, same with all the other commented attempts above.
Invalid IP address, skipping {:address=>"%{SourceIP}", :event=>{"SourcePort"=>"62229", "message"=>"+10:00 Info sydcuda01 Remove: type=LOUT|proto=UDP|srcIF=port1.181|srcIP=2402:7800:200b::706e|srcPort=62229|srcMAC=00:00:00:00:00:00|dstIP=2a01:111:4000::4|dstPort=53|dstService=v6_any|dstIF=|rule=v6_local_out|info=Normal Operation|srcNAT=2402:7800:200b::706e|dstNAT=2a01:111:4000::4|duration=2|count=1|receivedBytes=182|sentBytes=108|receivedPackets=1|sentPackets=1|user=|protocol=|application=|target=|content=|urlcat=", "Count"=>"1", "SrcInterface"=>"port1.181", "Duration"=>"2", "DstService"=>"v6_any", "DestinationIP"=>"2a01:111:4000::4", "SourceIP"=>"10.21.88.14610.21.88.14610.21.88.14610.21.88.14610.21.88.14610.21.88.14610.21.88.14610.21.88.14610.21.88.14610.21.88.14610.21.88.14610.21.88.14610.21.88.14610.21.88.14610.21.88.14610.21.88.14610.21.88.14610.21.88.14610.21.88.14610.21.88.146",
It'd be much appreciated if somebody can point me in the right direction.
Thank you in advacne.