Hey Badger,
Following your advice, I tried to do it using cidr. I ended up combining both approaches.
Here is how the solution looks now:
filter {
  if [winlog][task] == "Logon" {
    # Tag logons whose source address falls in an RFC 1918 or loopback range
    cidr {
      add_tag => [ "src_private" ]
      address => [ "%{[winlog][event_data][IpAddress]}" ]
      network => [ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8" ]
    }
    # Anything that looks like a dotted-quad IPv4 address and was not tagged private
    # is treated as public, except the unspecified address 0.0.0.0
    # (the dots are escaped so they match a literal "." rather than any character)
    if [winlog][event_data][IpAddress] =~ /^\b(?:\d{1,3}\.){3}\d{1,3}\b/ and "src_private" not in [tags] {
      if [winlog][event_data][IpAddress] !~ /^0\.0\.0\.0/ {
        mutate { add_tag => [ "src_public" ] }
      }
    }
  }
}
However, I am getting a lot of "Invalid IP Address, skipping **" logs in the logstash log file from cidr. I believe these are the entries which do not have a valid IP, e.g. a null IP, ::1, etc.
Is there any way I can get rid of these, as this would fill up my log files and disk space?
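One way to stop cidr from ever seeing a value it cannot parse, as an added example that is not part of the original post: in the config above the cidr filter runs before the regex test, so the test cannot prevent the warning; if the regex gates the cidr call instead, only dotted-quad IPv4 values reach it. The field names are the ones used in the thread; the strict per-octet regex and the tag name src_not_ipv4 are my own assumptions.

```logstash
filter {
  if [winlog][task] == "Logon" {
    # Windows logon events carry "-" for local logons and "::1" for IPv6 loopback.
    # Neither is an IPv4 address, so cidr logs "Invalid IP Address" for them.
    # Gate on a strict dotted-quad regex (each octet 0-255) before calling cidr.
    if [winlog][event_data][IpAddress] =~ /^(?:(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)\.){3}(?:25[0-5]|2[0-4]\d|1\d\d|[1-9]?\d)$/ {
      cidr {
        add_tag => [ "src_private" ]
        address => [ "%{[winlog][event_data][IpAddress]}" ]
        network => [ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8" ]
      }
      # Passed the regex, not in a private range, and not the unspecified
      # address 0.0.0.0: treat as a public source.
      if "src_private" not in [tags] and [winlog][event_data][IpAddress] != "0.0.0.0" {
        mutate { add_tag => [ "src_public" ] }
      }
    } else if [winlog][event_data][IpAddress] == "::1" {
      # IPv6 loopback is still a local logon; tag it private without calling cidr
      mutate { add_tag => [ "src_private" ] }
    } else {
      # "-", an empty value, a missing field, or any other IPv6 address.
      # Tag name is an assumption; it keeps these events findable in Kibana.
      mutate { add_tag => [ "src_not_ipv4" ] }
    }
  }
}
```

A missing field makes the =~ test evaluate to false in Logstash conditionals rather than raising an error, so events without IpAddress fall through to the last branch. Syntax can be checked before deploying with `bin/logstash -f <pipeline.conf> --config.test_and_exit`.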