Logstash - IP range to CIDR

HaranKumar · April 7, 2019, 8:32am

Hello Logstash Community,

I have parsed a set of IOC which is continuously pulled from TCP port. I have a field called @indicator which has IP values in range format (though it is a single IP value).
for example my field is available as 96.70.80.177-96.70.80.177
is there a way to convert this range type into individual CIDR format using from logstash filters ? or how to edit a original parsed field into different format as we want ?

kindly help me with troubleshooting this.

input {
 tcp {
  port => 5514
  }
}
filter {
  # Tag minemeld events
  if "@origin" in [message] {
    mutate {
      add_tag => "minemeld"
    }
    json {
      source => "message"
    }
  }
}
output {
  elasticsearch {
    hosts => "http://192.168.56.10:9200"
    index => "threat-intel-%{+YYYY.MM.dd}"
    cacert => "/etc/nginx/minemeld.cer"
  }
}

Badger · April 7, 2019, 2:56pm

Exactly what do you want the final event to look like?

HaranKumar · April 7, 2019, 3:53pm

Thanks Badger for looking into it.

Indicator field is in range form currently as in my screenshot image above.

I want to have it as single IP only. Not as range format.

Regards,

Haran

Badger · April 7, 2019, 4:03pm

dissect { mapping => { "@indicator" => "%{ip}-%{}" } }

HaranKumar · April 8, 2019, 11:42am

Thank you so much for the help @Badger . Unfortunately dissect is not trimming the IP in @indicator field.

Below is my new conf file. kindly let me know if I am missing something. I used "IPV4" value which is parsing in a field called type as a if condition for dissect.

input {
 tcp {
  port => 5514
  }
}
filter {
  # Tag minemeld events
  if "@origin" in [message] {
    mutate {
      add_tag => "minemeld"
    }
    json {
      source => "message"
    }
 }
  #dissecting IPV4 into CIDR format
  if "IPv4" in [type] {
    dissect {
      mapping => { "@indicator" => "%{ip}-%{}" }
    }
  }
}
output {
  elasticsearch {
    hosts => "http://192.168.56.10:9200"
    index => "logstash-threatintel-%{+YYYY.MM.dd}"
 }
}

Screenshot of new log after new conf file.

Badger · April 8, 2019, 12:07pm

OK, so it parsed the ip address into the field ip. That's what you wanted, right?

HaranKumar · April 8, 2019, 1:17pm

No No. Sorry if my explanation/requirement was not clear.

I have two fields parsing by default.
field:value
type:IPV4
@indicator:196.52.43.112-196.52.43.255

my requirement is @indicator field should have only 192.52.43.112

so i used dissect mapping as you suggested with if "IPV4" in [type] as if condition

if "IPv4" in [type] {
    dissect {
      mapping => { "@indicator" => "%{ip}-%{}" }
  }
}

Badger · April 8, 2019, 1:31pm

If you want to overwrite the field then you can do that

dissect { mapping => { "@indicator" => "%{@indicator}-%{}" } }

HaranKumar · April 8, 2019, 2:19pm

Awesom. Thanks @Badger . It did the magic. I was able to trim the @indicator field from range to single CIDR format.

system · May 6, 2019, 2:19pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Logstash ElasticSearch Filter doesn't work with dissect fields or IP ranges Logstash	0	92	June 26, 2024
Jdbc logstash module pulling IP in decimal format Logstash	5	298	June 22, 2021
Help with logstash filter Logstash	5	275	March 6, 2020
Logstash CIDR Filter : create new field with matched network Logstash	3	862	April 2, 2021
Logstash CIDR Plugin not working Logstash	2	257	November 15, 2021

Logstash - IP range to CIDR

Related topics