Logstash CIDR Plugin not working

mrodriguez · October 8, 2021, 4:57pm

Hi, I need to filter events by IP addresses. I would like to use CIDR plugin but it is not working for me.

This is my code:

filter {
	    
if [type] == "mytype" {
 kv{}
	 cidr{
	  address => [ "%{srcip}" ]
	  network => [ "10.1.0.0/16" ]
	  add_tag => [ "mytag" ]
    }
	if "mytag" not in [tags]{
	drop {}
}
}
}
output{
if [type] == "mytype"{
udp {
                host => "1.1.1.1"
                port => 514
		codec => line { format => "%{message}" }
		id => "myid"
        } 
}
}

This is a piece of a log:

eventtime=165646546546 tz=\"+0200\" srcip=10.1.139.27 srcport=10000

Unfortunally It looks like there is not a match in the filter and anything is sent to the output.

Can you help me?

AquaX · October 18, 2021, 2:25pm

I recommend removing all conditional statements

if [type] == "mytype" {

and

if "mytag" not in [tags]{

and send everything to a log file using the stdout{} output filter.
Break it down piece by piece and see where the problems comes up.

system · November 15, 2021, 2:25pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Help with logstash filter Logstash	5	275	March 6, 2020
CIDR filter detect which ip matched Logstash	2	296	August 28, 2019
CIDR filter reports IP6 addresses as invalid Logstash	2	290	October 8, 2019
Using cidr plugin for tagging logs Logstash	28	7067	February 24, 2017
Does logstash-filter-cidr support mutiple address match like if condition Logstash	1	348	December 5, 2019

Logstash CIDR Plugin not working

Related Topics