Logstash-CIDR Plugin

How can we pass multiple IPs and location names in a Logstash config file with the CIDR plugin for source and destination?

The documentation shows examples of passing multiple entries for both the network and address options.

[quote="gadapa, post:4, topic:301990, full:true"]
cidr {
    address => [ "%{[source][ip]}", "%{[destination][ip]}" ]
    network => ["172.24.51.0/24"]
    add_field => {
        "src_location" => "Port-Gentil"
        "des_location" => "Port-Gentil"
    }
}
cidr {
    address => [ "%{[source][ip]}", "%{[destination][ip]}" ]
    network => ["172.24.54.0/24"]
    add_field => {
        "src_location" => "Luanda-LUA"
        "des_location" => "Luanda-LUA"
    }
}
I am adding it like this for separate source and destination, but there are multiple IPs and location names. So how can I pass all of this to cidr to get an exact match for IP and location? Can you please help me on this?
I need the same location mapping for the source IP and the destination IP but am unable to fetch it.

To do this using add_field you would actually need even more filters. One for source and one for destination, otherwise an event that had a source in one network and a destination in another would get one of them set incorrectly. For example, if the source were Port-Gentil and the destination were Luanda-LUA then the second filter would overwrite src_location with Luanda-LUA.

There are a couple of github issues that relate to this.

This issue has code that would add the network that matched into the event. However, since the filter can do multiple lookups it will, I think, overwrite that field for the second lookup.

This issue (and the unmerged/closed PRs it links to) discusses ways to implement this. Sadly, I do not think any of them actually work when the filter does multiple lookups.

If you are OK with just looking up one IP address at a time then you could rebuild the filter from source patched with one of those PRs.

cidr {
    address => [ "%{[source][ip]}" ]
    network => ["10.176.0.0/16"]
    add_field => { "source_location" => "Korea-HHI-Shipyard" }
}
cidr {
    address => [ "%{[source][ip]}" ]
    network => ["10.177.0.0/16"]
    add_field => { "source_location" => "Cairo" }
}
cidr {
    address => [ "%{[source][ip]}" ]
    network => ["10.192.0.0/16"]
    add_field => { "source_location" => "Seven-Antares" }
}

cidr {
    address => [ "%{[destination][ip]}" ]
    network => ["10.1.0.0/16"]
    add_field => { "destination_location" => "Aberdeen-Greenwell" }
}
cidr {
    address => [ "%{[destination][ip]}" ]
    network => ["10.2.0.0/16"]
    add_field => { "destination_location" => "Glasgow" }
}
cidr {
    address => [ "%{[destination][ip]}" ]
    network => ["10.4.0.0/16"]
    add_field => { "destination_location" => "Leith" }
}
Will this work with cidr for source and destination as separate filters?
Please help me on this.

Yes, if you use a separate filter for each network/location then that will work.

Hi,
if I use a separate cidr for both src and des for the same IP address and location in the format mentioned above, I still get an "invalid address, skipping" error. I am unable to fetch the des location in the dashboard. Is there any method to add both? Kindly help me on this.

Invalid IP address, skipping {:address=>"{%[destination][ip]}", :event=>{"event"=>{"created"=>"2022-04-12T18:17:12.002Z", "kind"=>"event", "module"=>"netflow", "dataset"=>"netflow.log",

If Elasticsearch is logging that then I think it is telling you that the [destination][ip] field did not exist on the original event. You could use a prune filter to remove any fields where sprintf substitution did not occur.

Can you give me the syntax for how to add it?

The default value for the blacklist_names option is ["%{[^}]+}"], so you can just use

prune {}

As I said, "If Elasticsearch is logging that". But it is not, it is being logged by the cidr filter.

You could check that the address is valid before calling the filter

if [source][ip] =~ /(?<![0-9])(?:(?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5])[.](?:[0-1]?[0-9]{1,2}|2[0-4][0-9]|25[0-5]))(?![0-9])/ {
    cidr {
        address => [ "%{[source][ip]}" ]
        ....

Will the ruby code work for adding both src and des at the same time in cidr? Can the address field not handle array input, as stated in the doc?

It is not ruby code; it is a logstash conditional (which uses the regexp for IPv4 from grok). You could use

if [source][ip] =~ /(?<![0-9]).../ and [destination][ip] =~ /(?<![0-9]).../ {
    cidr {
        address => [ "%{[source][ip]}", "%{[destination][ip]}" ]
        ....

but if either is invalid then the filter is not called and neither will get mapped.
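One way around that either-invalid problem is to do both lookups in one place and let each address succeed or fail on its own. The following is an added example, not code from this thread or from the cidr plugin: it uses Ruby's standard IPAddr library with the network/location table quoted above, and the wiring into a Logstash `ruby` filter via event.get/event.set is an assumption noted in the comments.

```ruby
require "ipaddr"

# Constructed lookup table using the networks and location names quoted in
# the thread. Order matters: the first matching network wins.
LOCATIONS = [
  ["10.176.0.0/16", "Korea-HHI-Shipyard"],
  ["10.177.0.0/16", "Cairo"],
  ["10.192.0.0/16", "Seven-Antares"],
  ["10.1.0.0/16",   "Aberdeen-Greenwell"],
  ["10.2.0.0/16",   "Glasgow"],
  ["10.4.0.0/16",   "Leith"],
].map { |net, name| [IPAddr.new(net), name] }

# Return the location for one address, or nil when the address is missing,
# is not a valid IP (e.g. an unsubstituted "%{[destination][ip]}" sprintf
# reference), or lies in none of the networks. An unparseable value is a
# miss for that field only, so a bad destination never stops the source
# from being mapped, which is what the single guarded cidr filter does.
def locate(ip, table = LOCATIONS)
  return nil if ip.nil? || ip.empty?
  addr = IPAddr.new(ip)
  pair = table.find { |net, _| net.include?(addr) }
  pair && pair[1]
rescue IPAddr::InvalidAddressError
  nil
end

# Map source and destination independently and return only the fields that
# resolved, so a later match can never overwrite an earlier one with the
# wrong location.
def location_fields(src_ip, dst_ip, table = LOCATIONS)
  fields = {}
  src = locate(src_ip, table)
  dst = locate(dst_ip, table)
  fields["source_location"] = src if src
  fields["destination_location"] = dst if dst
  fields
end

# Assumed wiring inside a Logstash `ruby` filter (not shown in the thread):
# read the inputs with event.get("[source][ip]") / event.get("[destination][ip]")
# and write each entry of the returned hash with event.set(name, value).
if __FILE__ == $PROGRAM_NAME
  p location_fields("10.177.4.9", "10.2.200.1")
  # => {"source_location"=>"Cairo", "destination_location"=>"Glasgow"}
end
```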