Logstash filter if internal networks

This is a continuation of my previous thread which Badger kindly solved.

I have sflow data coming in with the src_ip and dst_ip fields

My internal networks are in these ranges and I'd like them not to be looked up in geoip:

filter {
      # Tag the event "Internal1" when src_ip OR dst_ip falls inside 192.168.0.0/17.
      # The cidr filter succeeds on any address/network match, and the tag lands on
      # the whole event, so it does not record WHICH of the two addresses matched.
      cidr {
        add_tag => [ "Internal1" ]
        address => [ "%{src_ip}", "%{dst_ip}" ]
        network => [ "192.168.0.0/17" ]
      }
    }

filter {
      # Same check for the other half of the address space: "Internal2" when
      # src_ip OR dst_ip falls inside 192.168.128.0/17. Together with the
      # 192.168.0.0/17 block above this covers exactly 192.168.0.0/16.
      cidr {
        add_tag => [ "Internal2" ]
        address => [ "%{src_ip}", "%{dst_ip}" ]
        network => [ "192.168.128.0/17" ]
      }
    }

I've tried this, and it's not working: it tags events with external IP addresses as local and doesn't do the GeoIP lookup.

filter{
 # Why this does not work: "Internal1"/"Internal2" are set when EITHER address is
 # internal (see the cidr filters above), so an event with one internal and one
 # external endpoint is tagged "Local" and never reaches the else branch. Only
 # events where BOTH addresses are external get a GeoIP lookup, and the "Local"
 # tag carries no information about which side was internal.
 if "Internal1" in [tags] or "Internal2" in [tags] {
        mutate {
                add_tag => "Local"}
        }

  else {
  # ASN lookup of the destination address into [destination].
  geoip {
     default_database_type => "ASN"
     add_tag => [ "GeoIP-DST" ]
     source => "dst_ip"
     target => "destination"
     }

     # ASN lookup of the source address into [source].
     geoip {
     default_database_type => "ASN"
     add_tag => [ "GeoIP-SRC"]
     source => "src_ip"
     target => "source"
     }
}
}

Thanks

If either the [src_ip] or the [dst_ip] field matches either local network, you skip the geoip lookup for both addresses. I would do this instead:

  # Tag each address separately so the GeoIP decision can be made per side.
  # The two /17 networks together are exactly 192.168.0.0/16; other private
  # ranges in use (e.g. 10.0.0.0/8, 172.16.0.0/12) are NOT covered and would
  # still be sent to the GeoIP lookup unless added to the network list.
  # NOTE(review): if src_ip is absent, "%{src_ip}" stays a literal string that
  # cidr cannot parse as an address, so no tag is added and the geoip filter
  # below runs (and is expected to tag _geoip_lookup_failure) — verify.
  cidr {
    add_tag => [ "LocalSrc" ]
    address => [ "%{src_ip}" ]
    network => [ "192.168.0.0/17", "192.168.128.0/17" ]
  }
  cidr {
    add_tag => [ "LocalDst" ]
    address => [ "%{dst_ip}" ]
    network => [ "192.168.0.0/17", "192.168.128.0/17" ]
  }
# ASN lookup of the destination address only when it is not a local address.
if "LocalDst" not in [tags] {
    geoip {
        default_database_type => "ASN"
        add_tag => [ "GeoIP-DST" ]
        source => "dst_ip"
        target => "destination"
    }
}
# ASN lookup of the source address only when it is not a local address.
if "LocalSrc" not in [tags] {
     geoip {
         default_database_type => "ASN"
         add_tag => [ "GeoIP-SRC"]
         source => "src_ip"
         target => "source"
     }
}

This will create events with tags like

       "tags" => [
    [0] "LocalSrc",
    [1] "GeoIP-DST"
],

      "tags" => [
    [0] "LocalDst",
    [1] "GeoIP-SRC"
],
       "tags" => [
    [0] "GeoIP-DST",
    [1] "GeoIP-SRC"
],

Once again that worked like a charm. Thank you very much
