Regex expression to eliminate private address space from geoip

I am trying to eliminate private address space going through geoip. I am guessing my regexp is not quite right; it seems to still match everything.

################### This checks to see that address is not internal for geoip

if [src_ip] !~ /^127\./ or [src_ip] !~ /^10\./ or [src_ip] !~ /^172\.1[6-9]\./ or [src_ip] !~ /^172\.2[0-9]\./ or [src_ip] !~ /^172\.3[0-1]\./ or [src_ip] !~ /^192\.168\./
{
        geoip {
                source => "src_ip"
                target => "geoip"
                add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
                add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
        }

        mutate {
                convert => [ "[geoip][coordinates]", "float" ]
        }
}

Maybe there is an easier way to write that too.

Use a cidr filter. This post has an example tagging those networks.
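A sketch of the cidr approach applied to the config in the question, added here as an example; it is not taken from the linked post or from any participant in this thread. The tag name `private_src` is an assumption chosen for illustration, and the network list mirrors the prefixes in the question's regexes.

```logstash
filter {
  # Tag events whose src_ip is loopback or RFC 1918 space.
  # "private_src" is a tag name made up for this example.
  cidr {
    address => [ "%{src_ip}" ]
    network => [ "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" ]
    add_tag => [ "private_src" ]
  }

  # Only events that were not tagged (public sources) reach geoip.
  if "private_src" not in [tags] {
    geoip {
      source => "src_ip"
      target => "geoip"
      add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
      add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
    }

    mutate {
      convert => [ "[geoip][coordinates]", "float" ]
    }
  }

  # Why the chain of `!~ ... or !~ ...` matches everything:
  # no address can start with 127., 10., 172.16-31. and 192.168.
  # at the same time, so at least one negated test is always true
  # and the `or` succeeds for every event. A regex-only version
  # needs the negations joined with `and`, or one alternation:
  #
  # if [src_ip] !~ /^(127\.|10\.|172\.(1[6-9]|2[0-9]|3[01])\.|192\.168\.)/ {
  #   geoip { ... }
  # }
}
```

The cidr form also avoids prefix-string mistakes, since the comparison is done on the parsed address rather than on its text.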

@Badger,

That worked. Thank you.
