Wildcard matches in logstash filters


#1

Hi, I want to match every IP address that starts with 10.99 in our field "dst_ip".

This is our logstash conf:

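# Logstash filter for Cisco FireSIGHT syslog events.
# Defect fixed: the original `if "10.99.*" in [dst_ip]` is a plain substring
# test for the literal text "10.99.*" (the `in` operator does no globbing), so
# it never matched and "another_tag" was never added. A regex comparison (=~)
# anchored to the start of the field is used instead.
filter {
  if "syslog" in [tags] and "pre-processed" not in [tags] {
    # NOTE: `in` on a string field is a substring test, so any value that
    # merely contains "test" (e.g. "contest") also takes this branch.
    if "test" in [field1] {
      mutate {
        add_tag => [ "testtag" ]
      }
      grok {
        patterns_dir => ["/etc/logstash/conf.d/patterns"]
        # Keep trying the remaining patterns after one matches, so each
        # "Key: value" fragment below can populate its own field.
        break_on_match => false
        match => [
          "message", "Context: %{USERNAME:context}",
          "message", "SrcIP: %{IP:src_ip}",
          "message", "IngressZone: %{USERNAME:ingress_zone}",
          "message", "EgressZone: %{USERNAME:egress_zone}",
          "message", "AccessControlRuleAction: %{WORD:action}",
          "message", "DstIP: %{IP:dst_ip}",
          "message", "Protocol: %{WORD:protocol}",
          "message", "SrcPort: %{NUMBER:src_port}",
          "message", "DstPort: %{NUMBER:dst_port}",
          "message", "DNSQuery: %{USERNAME:dns_query}",
          "message", "URLReputation: %{CISCO_REASON:risk}",
          "message", "IngressInterface: %{NOTSPACE:ingress_interface}",
          "message", "EgressInterface: %{NOTSPACE:egress_interface}",
          "message", "URL: %{URI:URL}",
          "message", "AccessControlRuleReason: %{CISCO_REASON:reason}",
          # NOTE(review): this full-line pattern also captures dst_ip/src_ip;
          # if it matches the same event as the "DstIP:"/"SrcIP:" patterns
          # above, confirm the field does not end up as an array, which would
          # change how the conditional below evaluates.
          "message", "^%{SYSLOG5424PRI}%{CISCOTIMESTAMP} ipfiresight01 SFIMS: \[%{PROG}] %{QS:classification_detailed} \[Impact: %{CISCO_REASON:impact}] From %{QS} at %{HTTPDERROR_DATE} UTC \[Classification: %{CISCO_REASON:classification}] \[Priority: %{NUMBER:priority}] \{%{WORD:protocol}} %{IP:src_ip}:%{NUMBER} \(%{WORD:geotag}\)->%{IP:dst_ip}:%{NUMBER:dst_port} \(%{WORD}%{GREEDYDATA}$"
        ]
      }
      geoip {
        source => "src_ip"
        target => "geoip"
      }
      # Tag traffic destined for 10.99.0.0/16. The pattern is anchored with ^
      # so an address such as 110.99.0.1 is not tagged, and the dots are
      # escaped so they are not treated as regex wildcards. An event with no
      # dst_ip field simply fails the test. The cidr filter plugin
      # (network => ["10.99.0.0/16"]) is an alternative if it is available.
      if [dst_ip] =~ /^10\.99\./ {
        mutate {
          add_tag => [ "another_tag" ]
        }
      }
    }
  }
}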

However, when I view documents in Kibana that have 10.99. in [dst_ip], the documents have not received the tag "another_tag", which indicates to me that my conditional "if" does not work. Is there a trick to getting wildcard IP matches to work with filters in Logstash?


(Christian Dahlqvist) #2

I think your condition should look something like this:

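# Anchor the pattern to the start of the field: `=~` searches anywhere in the
# string, so an unanchored /10\.99\..*/ also matches addresses such as
# 110.99.0.1. The trailing `.*` adds nothing and is dropped.
if [dst_ip] =~ /^10\.99\./ {
  mutate {
    add_tag => [ "another_tag" ]
  }
}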
