Logstash filter to match IP's

Kishore · February 11, 2016, 4:26pm

How to drop the events which are having the source IP with 10...** (starts with 10 series).

I have tried the below code by using regular expression but it is not working, kindly help me to find the correct solution.

filter {
grok {
match => { "message" => "%{SYSLOGTIMESTAMP:syslog_timestamp} %{SYSLOGHOST:syslog_hostname} %{DATA:syslog_program}(?:[%{POSINT:syslog_pid}])?: %{WORD:status} %{WORD:auth_method} for %{USER:username} from %{IP:src_ip} port %{POSINT:port} ssh2" }
}
if ([src_ip] == /10.([0-9]{1,3}).([0-9]{1,3}).([0-9]{1,3})$/)
{
drop{}
}

}

l1carter · February 11, 2016, 5:25pm

just tested:

/10.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?).(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)/

on http://www.regexpal.com

should match real IP's that start with 10.x.x.x but not things like 10.355.1.1 which isn't a valid IP.

magnusbaeck · February 14, 2016, 2:42pm

if ([src_ip] == /10.([0-9]{1,3}).([0-9]{1,3}).([0-9]{1,3})$/)
{
drop{}
}

As documented, use =~ and not == for regular expression matches. Other comments:

You should anchor your expression to the beginning of the string.
Periods should be escaped.
There's little point in matching the whole IP address. All you need to know is if the string begins with "10.".
For less trivial IP patterns consider using the cidr filter.

Hence, if you want to stick with a simple conditional this is sufficient:

if [src_ip] =~ /^10\./

Kishore · February 16, 2016, 10:46am

Thanks Magnus

Topic		Replies	Views
Conditional filtering by source with IP addresses Logstash	7	7000	April 11, 2017
Wildcard matches in logstash filters Logstash	2	2368	November 12, 2018
IP match failed Logstash	5	147	October 5, 2023
Logstash filter if conditional fails to match string ended with "\u0000" Logstash	4	1014	March 8, 2022
How do we match multiple random ips? Logstash	3	3921	July 6, 2017

Logstash filter to match IP's

Related topics