Hi, I want to match every ip adress that starts with 10.99 in our field "dst_ip".
This is our logstash conf:
filter {
if "syslog" in [tags] and "pre-processed" not in [tags] {
if "test" in [field1] {
mutate {
add_tag => [ "testtag" ]
}
grok {
patterns_dir => ["/etc/logstash/conf.d/patterns"]
break_on_match => false
match => [
"message", "Context: %{USERNAME:context}",
"message", "SrcIP: %{IP:src_ip}",
"message", "IngressZone: %{USERNAME:ingress_zone}",
"message", "EgressZone: %{USERNAME:egress_zone}",
"message", "AccessControlRuleAction: %{WORD:action}",
"message", "DstIP: %{IP:dst_ip}",
"message", "Protocol: %{WORD:protocol}",
"message", "SrcPort: %{NUMBER:src_port}",
"message", "DstPort: %{NUMBER:dst_port}",
"message", "DNSQuery: %{USERNAME:dns_query}",
"message", "URLReputation: %{CISCO_REASON:risk}",
"message", "IngressInterface: %{NOTSPACE:ingress_interface}",
"message", "EgressInterface: %{NOTSPACE:egress_interface}",
"message", "URL: %{URI:URL}",
"message", "AccessControlRuleReason: %{CISCO_REASON:reason}",
"message", "^%{SYSLOG5424PRI}%{CISCOTIMESTAMP} ipfiresight01 SFIMS: \[%{PROG}] %{QS:classification_detailed} \[Impact: %{CISCO_REASON:impact}] From %{QS} at %{HTTPDERROR_DATE} UTC \[Classification: %{CISCO_REASON:classification}] \[Priority: %{NUMBER:priority}] \{%{WORD:protocol}} %{IP:src_ip}:%{NUMBER} \(%{WORD:geotag}\)->%{IP:dst_ip}:%{NUMBER:dst_port} \(%{WORD}%{GREEDYDATA}$"
]
}
geoip {
source => "src_ip"
target => "geoip"
}
if "10.99.*" in [dst_ip] {
mutate {
add_tag => [ "another_tag" ]
}
}
}
}
}
However, when i view documents in kibana that has 10.99.. in [dst_ip] the documents have not gotten the tag "another_tag" which indicates to me that my conditional "if" does not work. Is there a trick to getting wildcard IP matches to work with filters in logstash?