Logstash Filter output in different files according to incomming IP address

Hello, I am using the last version of Logstash 8.5.1. And I am trying to output log in files according to the source IP in the logstash input.

I DO know the incomming IPs. I am trying to filter them out in the filter part of the logstash pipeline configuration file.

This is what i've been trying and it always goes to my else condition no matter what I change.

input {
  beats {
    port => 5555
    ssl => true
    ssl_certificate => "/etc/logstash/certs/logstashcert.pem"
    ssl_key => "/etc/logstash/certs/logstashkey.pem"
    ssl_verify_mode => none
  }
}

filter {

  if "192.168.1.155" in [ip] or "192.168.1.170" in [ip] { mutate { add_field => { "logtarget" => "test" } }
  }
  if "192.168.1.160" in [ip] or "192.168.1.175" in [ip] { mutate { add_field => { "logtarget" => "prod" } }
  }
  else {
   mutate { add_field => { "logtarget" => "generic" } }
  }

}

output {

  if "test" in [logtarget] {
   file {
    path => "/opt/logstash/log/windows/test-%{+YYYY-MM-dd}.log"
   }
  }

  if "prod" in [logtarget] {
   file {
    path => "/opt/logstash/log/windows/prod-%{+YYYY-MM-dd}.log"
   }
  }

  else {
   file {
    path => "/opt/logstash/log/windows/else.log"
   }
  }

}

My if statement in filter is clearly not working because very log goes thourgh the else statement and are "tagged" as generic therefore my output conditions fails and always goes in the else statement which is not what I want.

The log I am trying to parse are windows logs and this is the field in the incomming data log :

"ip":["fe80::e50c:bb26:f198:8d6d","192.168.1.155"]

Does anyone has a answer for this ? Or maybe a better solution to this problematic ?

This is the ressouce i've been using so far with no luck:

Please share an example of a document that you have in the /opt/logstash/log/windows/else.log file so people can look at it and try to understand or replicate the issue.

Sure, as you can see the ip field is clearly one of my condition; yet the field logtarget is filled as generic.

tail /opt/logstash/log/windows/else.log :

{"logtarget":"generic","@timestamp":"2022-11-18T14:18:36.512Z","message":"Privilèges spéciaux attribués à la nouvelle ouverture de session.\n\nSujet :\n\tID de sécurité :\t\tS-1-5-18\n\tNom du compte :\t\tSystème\n\tDomaine du compte :\t\tAUTORITE NT\n\tID d’ouverture de session :\t\t0x3E7\n\nPrivilèges :\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege","tags":["beats_input_codec_plain_applied"],"event":{"code":"4672","created":"2022-11-18T14:18:38.359Z","outcome":"success","original":"Privilèges spéciaux attribués à la nouvelle ouverture de session.\n\nSujet :\n\tID de sécurité :\t\tS-1-5-18\n\tNom du compte :\t\tSystème\n\tDomaine du compte :\t\tAUTORITE NT\n\tID d’ouverture de session :\t\t0x3E7\n\nPrivilèges :\t\tSeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege","kind":"event","provider":"Microsoft-Windows-Security-Auditing","action":"Special Logon"},"host":{"name":"DESKTOP-1HJ6FAO","ip":["fe80::e50c:bb26:f198:8d6d","192.168.1.155"],"mac":["00-50-56-BB-85-49"],"id":"f342c121-127b-49b5-a2ae-6d30703a6d71","architecture":"x86_64","os":{"kernel":"10.0.19041.1706 (WinBuild.160101.0800)","platform":"windows","family":"windows","name":"Windows 10 Pro N","type":"windows","build":"19042.1706","version":"10.0"},"hostname":"DESKTOP-1HJ6FAO"},"ecs":{"version":"8.0.0"},"agent":{"version":"8.5.1","ephemeral_id":"4e0d84b9-de47-4213-97ea-83a5910f464d","id":"c7f4678f-8f35-44f8-82c0-340acfac37de","name":"DESKTOP-1HJ6FAO","type":"winlogbeat"},"@version":"1","winlog":{"event_data":{"SubjectDomainName":"AUTORITE NT","SubjectLogonId":"0x3e7","SubjectUserSid":"S-1-5-18","SubjectUserName":"Système","PrivilegeList":"SeAssignPrimaryTokenPrivilege\n\t\t\tSeTcbPrivilege\n\t\t\tSeSecurityPrivilege\n\t\t\tSeTakeOwnershipPrivilege\n\t\t\tSeLoadDriverPrivilege\n\t\t\tSeBackupPrivilege\n\t\t\tSeRestorePrivilege\n\t\t\tSeDebugPrivilege\n\t\t\tSeAuditPrivilege\n\t\t\tSeSystemEnvironmentPrivilege\n\t\t\tSeImpersonatePrivilege\n\t\t\tSeDelegateSessionUserImpersonatePrivilege"},"activity_id":"{2430351b-fb2b-0000-9135-30242bfbd801}","task":"Special Logon","computer_name":"DESKTOP-1HJ6FAO","event_id":"4672","provider_name":"Microsoft-Windows-Security-Auditing","keywords":["Succès de l’audit"],"record_id":11954,"process":{"pid":712,"thread":{"id":2180}},"provider_guid":"{54849625-5478-4994-a5ba-3e3b0328c30d}","opcode":"Informations","api":"wineventlog","channel":"Security"},"log":{"level":"information"}}
{"logtarget":"generic","@timestamp":"2022-11-18T14:18:42.038Z","message":"La migration de bas niveau hors connexion a réussi.","tags":["beats_input_codec_plain_applied"],"event":{"code":"16394","created":"2022-11-18T14:18:42.763Z","original":"La migration de bas niveau hors connexion a réussi.","kind":"event","provider":"Microsoft-Windows-Security-SPP","action":"None"},"ecs":{"version":"8.0.0"},"host":{"name":"DESKTOP-1HJ6FAO","ip":["fe80::e50c:bb26:f198:8d6d","192.168.1.155"],"mac":["00-50-56-BB-85-49"],"id":"f342c121-127b-49b5-a2ae-6d30703a6d71","os":{"kernel":"10.0.19041.1706 (WinBuild.160101.0800)","platform":"windows","family":"windows","name":"Windows 10 Pro N","type":"windows","build":"19042.1706","version":"10.0"},"hostname":"DESKTOP-1HJ6FAO","architecture":"x86_64"},"agent":{"id":"c7f4678f-8f35-44f8-82c0-340acfac37de","name":"DESKTOP-1HJ6FAO","type":"winlogbeat","version":"8.5.1","ephemeral_id":"4e0d84b9-de47-4213-97ea-83a5910f464d"},"@version":"1","winlog":{"keywords":["Classique"],"record_id":2096,"opcode":"Info","provider_guid":"{E23B33B0-C8C9-472C-A5F9-F2BDFEA0F156}","api":"wineventlog","channel":"Application","task":"None","computer_name":"DESKTOP-1HJ6FAO","event_id":"16394","provider_name":"Microsoft-Windows-Security-SPP"},"log":{"level":"information"}}

Did I do something wrong ?
Thanks

If [ip] is "192.168.1.155" then the first if will evaluate to true and [logtarget] will get set to "test". The second if will evaluate to false and [logtarget] will get overwritten with "generic". Change the second if to elsif.

Hello,
Yes it was it.
Thanks a lot !