Logstash CIDR Filter : create new field with matched network

Hello,

I'm currently using the Logstash CIDR filter to tag private and public IPs.

Now, I want to use this plugin with a list of all the networks used within my company and add a field or a tag with network information when there is a match.

Example :

logstash-cidr.conf

filter {
      cidr {
          add_tag => [ "%{matched_network}" ]
          address => [ "%{[source][ip]}" ]
          network_path => "/my/network/path/cmdb.csv"
      }
} 

cmdb.csv

10.1.1.0/24
10.2.0.0/20

In the case where 'source.ip' is '10.1.1.10', the tag would be ["10.1.1.0/24"].

Does anyone know how to retrieve the matched network range directly?

The final goal is to use an Ingest Pipeline to then enrich events with network range information.

Thanks !
Sébastien.

You cannot do that. If you look at the code, you will see that if it finds a match all it does is decorate the event (i.e. process the add_tag, remove_tag, add_field, and remove_field options).

There is an open issue requesting this here. That suggests a PR was submitted recently (which is here, but it contains several other changes). There is also this PR that was submitted last year. As you can see it is a minor change. Unfortunately it is just a comment that contains the required code changes, it is not packaged as a PR. If someone repackaged it then it is at least possible that it would get merged.

As far as I know the state of the art in workarounds is to use an external program that maps every range to a list of addresses and ranges like this:

192.168.3.4,192.168.3.4/31
192.168.3.5,192.168.3.4/31
192.168.3.6,192.168.3.6/30
192.168.3.7,192.168.3.6/30
192.168.3.8,192.168.3.6/30
192.168.3.9,192.168.3.6/30
192.168.3.10,192.168.3.10/31
192.168.3.11,192.168.3.10/31

Then pass that to a translate filter (at which point you do not need a cidr filter).
And yes, I am aware that for a large corporation that file could contain over a million lines. That will not bother a translate filter.
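As an added example (not code from this thread or from the Logstash project), a Python script that produces the address,range list described above from a file like the question's cmdb.csv, ready to be used as the dictionary_path of a translate filter. The file names, the normalisation of ranges written with host bits set (192.168.3.6/30 becomes 192.168.3.4/30) and the rule that the most specific range wins where ranges overlap are assumptions of this example.

```python
"""Expand CIDR ranges into "address,range" lines for a Logstash translate filter."""
import ipaddress
import sys
from typing import Dict, Iterable, List, Tuple, Union

Address = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]


def expand_networks(networks: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (address, range) pairs, one per address of every range.

    Ranges are applied from least to most specific, so where they overlap
    (e.g. 10.1.0.0/16 and 10.1.1.0/24) an address is mapped to the most
    specific range, as a longest-prefix lookup would (assumption of this
    example). Blank lines, comments and unparsable lines are skipped with a
    warning on stderr.
    """
    parsed = []
    for raw in networks:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        try:
            # strict=False clears host bits: "192.168.3.6/30" -> 192.168.3.4/30
            parsed.append(ipaddress.ip_network(line, strict=False))
        except ValueError:
            print(f"skipping unparsable network: {line!r}", file=sys.stderr)
    parsed.sort(key=lambda net: net.prefixlen)  # stable: longer prefixes overwrite
    mapping: Dict[Address, str] = {}
    for net in parsed:
        for addr in net:  # every address, network and broadcast included
            mapping[addr] = str(net)
    ordered = sorted(mapping.items(), key=lambda kv: (kv[0].version, int(kv[0])))
    return [(str(addr), net) for addr, net in ordered]


def write_translate_csv(networks: Iterable[str], out) -> int:
    """Write the expanded pairs as CSV lines and return how many were written."""
    rows = expand_networks(networks)
    for addr, net in rows:
        out.write(f"{addr},{net}\n")
    return len(rows)


if __name__ == "__main__":
    # Usage: python expand_cidr.py cmdb.csv > networks.csv  (file names are assumptions)
    with open(sys.argv[1], encoding="utf-8") as fh:
        count = write_translate_csv(fh, sys.stdout)
    print(f"wrote {count} address lines", file=sys.stderr)
```

Regenerate the file whenever the network list changes; the translate filter re-reads its dictionary file periodically, so lookups pick up the new ranges without a restart.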

Many thanks for the answer !

Nice for the PR, it will be a useful feature 🙂

But if the translate filter can support a million lines, it should be totally fine for my use case too 🙂

Sébastien.
