Mask the IP address using custom grok pattern


I am new to Logstash and grok and want to mask/change the first octets of IP addresses in my logs for security purposes, but I am unable to create a grok pattern that will work for this situation. I am getting the IP from the log message, but I am not able to think forward.

After you've parsed the message with grok, use the Mutate gsub filter to replace the first octet.


I tried the same. It works for one IP, but when I want the same for the whole message, which contains 2, 3 IPs, I am unable to generate a regex which will help.

Right now I have generated the regex below for gsub, which is working fine for one IP.
gsub => ["client_ip", "(.\d+){1}$", ".XXX"]

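The multi-IP case discussed in this thread, as an added example that is not part of the original posts: a Ruby regex (Ruby is the language Logstash filters are written in) that masks one octet of every IPv4 address in a message while leaving longer dotted tokens and out-of-range values alone. The names `MASK`, `OCTET`, `IPV4` and `mask_ipv4` are chosen for this example.

```ruby
# Added example: mask one octet of every IPv4 address in a log message.
# MASK, OCTET, IPV4 and mask_ipv4 are names invented for this example.
MASK = "XXX"

# One octet, limited to 0-255 so that "256.1.1.1" is not treated as an IP.
OCTET = /(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)/

# The lookbehinds stop a match from starting inside a longer number or
# dotted token; the lookahead stops it from ending inside one. A trailing
# full stop after the address (end of sentence) is still allowed.
IPV4 = /(?<!\d)(?<!\d\.)(#{OCTET})\.(#{OCTET})\.(#{OCTET})\.(#{OCTET})(?!\d|\.\d)/

# Replace the chosen octet (1 = first, 4 = last) in every address found.
def mask_ipv4(message, octet: 1)
  raise ArgumentError, "octet must be 1..4" unless (1..4).cover?(octet)

  message.gsub(IPV4) do
    parts = Regexp.last_match.captures
    parts[octet - 1] = MASK
    parts.join(".")
  end
end

# Constructed sample line with three addresses (documentation ranges).
sample = "Failed login from 203.0.113.45 via proxy 198.51.100.7, " \
         "forwarded for 192.0.2.10."

puts mask_ipv4(sample)            # first octet of each address masked
puts mask_ipv4(sample, octet: 4)  # last octet of each address masked
```

Masking a single octet still leaves the other three in the log, so whether that is enough depends on how identifiable the remaining prefix or suffix is in your network.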