Regex express to eliminate private address space from geoip

DWbank · February 3, 2020, 6:57pm

I am trying to eliminate private address spacing going through geoip. I am guessing my regexp is not quite right, seems to still match everything.

################### This checks to see that address is not internal for geoip

if [src_ip] !~ /^127\./ or [src_ip] !~ /^10\./ or [src_ip] !~ /^172\.1[6-9]\./ or [src_ip] !~ /^172\.2[0-9]\./ or [src_ip] !~ /^172\.3[0-1]\./ or [src_ip] !~ /^192\.168\./
{
        geoip {
                source => "src_ip"
                target => "geoip"
                add_field => [ "[geoip][coordinates]", "%{[geoip][longitude]}" ]
                add_field => [ "[geoip][coordinates]", "%{[geoip][latitude]}" ]
        }

mutate {
        convert => [ "[geoip][coordinates]", "float"]
        }
}

Maybe there is a easier way to write that too.

Badger · February 3, 2020, 7:39pm

Use a cidr filter. This post has an example tagging those networks.

DWbank · February 3, 2020, 8:49pm

@Badger,

That worked Thank you.

system · March 2, 2020, 8:49pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Geoip create everything but the geoip.location Logstash	14	3928	January 2, 2018
Geoip Issues with Logstash? Logstash	7	2156	July 6, 2017
Private IP Address Logstash	2	1104	August 23, 2017
Logstash Setup with GeoIP Logstash	18	2303	October 9, 2019
Geoip filter plugin does not handle spaces in key name Logstash	5	313	June 17, 2018

Regex express to eliminate private address space from geoip

Related topics