Logstash CIDR Plugin not working

mrodriguez · October 8, 2021, 4:57pm

Hi, I need to filter events by IP addresses. I would like to use CIDR plugin but it is not working for me.

This is my code:

filter {
	    
if [type] == "mytype" {
 kv{}
	 cidr{
	  address => [ "%{srcip}" ]
	  network => [ "10.1.0.0/16" ]
	  add_tag => [ "mytag" ]
    }
	if "mytag" not in [tags]{
	drop {}
}
}
}
output{
if [type] == "mytype"{
udp {
                host => "1.1.1.1"
                port => 514
		codec => line { format => "%{message}" }
		id => "myid"
        } 
}
}

This is a piece of a log:

eventtime=165646546546 tz=\"+0200\" srcip=10.1.139.27 srcport=10000

Unfortunally It looks like there is not a match in the filter and anything is sent to the output.

Can you help me?

AquaX · October 18, 2021, 2:25pm

I recommend removing all conditional statements

if [type] == "mytype" {

and

if "mytag" not in [tags]{

and send everything to a log file using the stdout{} output filter.
Break it down piece by piece and see where the problems comes up.

system · November 15, 2021, 2:25pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash filter cidr error Logstash	11	3938	March 7, 2017
Help with logstash filter Logstash	5	275	March 6, 2020
CIDR filter detect which ip matched Logstash	2	296	August 28, 2019
CIDR filter reports IP6 addresses as invalid Logstash	2	291	October 8, 2019
Using cidr plugin for tagging logs Logstash	28	7072	February 24, 2017

Logstash CIDR Plugin not working

Related topics