IP Address and Dictionary | New Field as String

Elastic Stack Logstash
1

Hi Friends,

I'm using logstash as syslog server to my firewall traffic. I have two IP fields: ip_dst and ip_src.
I need to translate them to HOSTNAMES or some ALIAS against a dictionary, so need create 2 new fields and get these IP data to string data. (Not convert, because I want to keep original).

Since the translate works only with string values, I tried to create 2 new fields and copy source IP values as string, but i'm getting crash on logstash.

if "_grokparsefailure" not in [tags] and [type] == "firewall-traffic" {
       mutate {
               add_field                       =>      { "ip_dst_str" => "%{ip_dst}" }
               convert                         =>      { "ip_dst_str" => "string" }
               add_field                       =>      { "ip_src_str" => "%{ip_src}" }
               convert                         =>  	{ "ip_src_str" => "string" }
       }
       translate {
               field                           =>      "ip_dst_str"
               destination                     =>      "ip_dst_str"
               override                        =>      "true"
               dictionary_path         	=>      "/etc/logstash/dictionary/BRANCH-SRV.yaml"
       }
       translate {
               field                           =>      "ip_src_str"
               destination                     =>      "ip_src_str"
               override                        =>      "true"
               dictionary_path    		=>      "/etc/logstash/dictionary/BRANCH-SRV.yaml"
       }
}

My Dictionary example:
"10.0.0.1":SOMEHOSTNAME

What is the best manner to use dictionary against IP address?

2

There's no IP address type inside Logstash. IP addresses are stored as strings so there's no need to convert anything.

Your unspecified problem is most likely caused by your incorrect assumption that the mutate options apply in the order they're listed. See https://github.com/logstash-plugins/logstash-filter-mutate/issues/27.