Logstash filter to match IPs

How do I drop events whose source IP is 10.*.*.* (starts with the 10 series)?

I have tried the code below using a regular expression, but it is not working; kindly help me find the correct solution.

filter {
  grok {
    # Parse sshd syslog lines; the pid brackets are escaped, otherwise [...] is read as a character class
    match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:\[%{POSINT:syslog_pid}\])?: %{WORD:status} %{WORD:auth_method} for %{USER:username} from %{IP:src_ip} port %{POSINT:port} ssh2" }
  }
  # Intended to drop events whose source address is in the 10 range
  if ([src_ip] == /10.([0-9]{1,3}).([0-9]{1,3}).([0-9]{1,3})$/)
  {
    drop {}
  }
}

Just tested:

/10\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/

on http://www.regexpal.com

It should match real IPs that start with 10.x.x.x but not things like 10.355.1.1, which isn't a valid IP.

if ([src_ip] == /10.([0-9]{1,3}).([0-9]{1,3}).([0-9]{1,3})$/)
{
  drop {}
}

As documented, use =~ and not == for regular expression matches. Other comments:

  • You should anchor your expression to the beginning of the string.
  • Periods should be escaped.
  • There's little point in matching the whole IP address. All you need to know is if the string begins with "10.".
  • For less trivial IP patterns consider using the cidr filter.

Hence, if you want to stick with a simple conditional, this is sufficient:

if [src_ip] =~ /^10\./

Thanks, Magnus
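To make the points in Magnus's answer concrete, here is an added Ruby example; it is not code from the original thread and not Logstash's own implementation. Logstash runs on JRuby and its `=~` conditional uses Ruby's regular-expression engine, so the patterns behave the same way here as in a pipeline. The script parses a few constructed sshd lines with a Ruby equivalent of the question's grok pattern and then applies five variants of the drop decision: the question's `==` comparison, an unanchored pattern, a pattern with an unescaped dot, the corrected `=~ /^10\./`, and a 10.0.0.0/8 membership test standing in for what the cidr filter does. The log lines, hostnames, usernames and addresses are all made up.

```ruby
require "ipaddr"

# Constructed sample sshd syslog lines (not taken from the original post).
SAMPLE_LINES = [
  "Mar  3 10:12:01 bastion sshd[2231]: Accepted publickey for alice from 10.1.2.3 port 51022 ssh2",
  "Mar  3 10:12:05 bastion sshd[2234]: Failed password for bob from 100.1.2.3 port 51030 ssh2",
  "Mar  3 10:12:09 bastion sshd[2237]: Accepted password for carol from 192.168.10.5 port 51041 ssh2",
  "Mar  3 10:12:12 bastion sshd[2240]: Failed password for erin from 110.1.2.3 port 51055 ssh2",
  "Mar  3 10:12:15 bastion sshd[2243]: Accepted publickey for dave from 203.0.113.9 port 51060 ssh2",
].freeze

# Ruby equivalent of the grok pattern in the question, using the same field names.
LINE_RE = /\A(?<syslog_timestamp>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?<syslog_hostname>\S+) (?<syslog_program>[^\[:\s]+)(?:\[(?<syslog_pid>\d+)\])?: (?<status>\w+) (?<auth_method>\w+) for (?<username>\S+) from (?<src_ip>\d{1,3}(?:\.\d{1,3}){3}) port (?<port>\d+) ssh2\z/

# Returns the event as a Hash of grok-style fields, or nil when the line does not match
# (the grok filter would tag such an event with _grokparsefailure rather than drop it).
def parse(line)
  LINE_RE.match(line)&.named_captures
end

TEN_SLASH_8 = IPAddr.new("10.0.0.0/8")

# Range membership test, which is what the cidr filter computes instead of a string match.
def ip_in_ten?(ip)
  TEN_SLASH_8.include?(IPAddr.new(ip))
rescue IPAddr::InvalidAddressError
  false # e.g. 10.355.1.1 from the first answer is not an address at all, so it is not in the range
end

# Each entry is the "should this event be dropped?" test of one variant of the conditional.
# The Logstash form is in the comment; the lambda is its Ruby equivalent.
DROP_RULES = {
  # if [src_ip] == /^10\./   the question's mistake: a String is never == a Regexp, so nothing is dropped
  equality:   ->(ip) { ip == /^10\./ },
  # if [src_ip] =~ /10\./    no ^ anchor: "10." anywhere in the address matches (192.168.10.5, 110.1.2.3)
  unanchored: ->(ip) { !(ip =~ /10\./).nil? },
  # if [src_ip] =~ /^10./    unescaped dot: "10" followed by any character matches (100.1.2.3)
  unescaped:  ->(ip) { !(ip =~ /^10./).nil? },
  # if [src_ip] =~ /^10\./   Magnus's conditional: the address begins with the literal "10."
  correct:    ->(ip) { !(ip =~ /^10\./).nil? },
  # cidr { address => ["%{src_ip}"] network => ["10.0.0.0/8"] add_tag => ["drop_me"] }  then drop on the tag
  cidr:       ->(ip) { ip_in_ten?(ip) },
}.freeze

# Addresses of the events a given rule would drop, in input order.
def dropped_ips(lines, rule)
  test = DROP_RULES.fetch(rule)
  lines.map { |l| parse(l) }.compact.select { |e| test.call(e["src_ip"]) }.map { |e| e["src_ip"] }
end

# Events that survive the filter, i.e. what the pipeline would hand to its outputs.
def kept_events(lines, rule)
  test = DROP_RULES.fetch(rule)
  lines.map { |l| parse(l) }.compact.reject { |e| test.call(e["src_ip"]) }
end

if __FILE__ == $PROGRAM_NAME
  DROP_RULES.each_key do |rule|
    printf "%-11s drops %s\n", rule, dropped_ips(SAMPLE_LINES, rule).inspect
  end
end
```

Running the script prints which addresses each variant drops: the `==` form drops nothing, the unanchored form also drops 192.168.10.5 and 110.1.2.3, the unescaped form also drops 100.1.2.3, and only the anchored, escaped pattern and the CIDR test drop exactly 10.1.2.3. One caveat for fields that can contain newlines: in Ruby `^` matches at the start of any line, whereas `\A` matches only at the start of the string; for a single address extracted by grok the two are equivalent.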