Thursday, March 1, 2018

Logstash - RFC1918 and IP Version

Below is a Logstash filter I use to decorate network and system logs with new fields used for additional filtering.

One field I add is "rfc1918 = true or false (boolean)". This makes it easy to separate internal private addresses from external ones when filtering.

Another field I like to add is "ipv = 4 or 6" to differentiate between IP version 4 and IP version 6.

The Logstash filter below assumes your IP addresses are in the fields [src][ip], [dst][ip] or [ip] (src.ip, dst.ip or ip in dotted notation). It decides the IP version by checking whether the address contains a colon, and only the version 4 addresses are checked against the three RFC1918 networks.

filter {
  if [dst][ip] {
    if [dst][ip] !~ /:/ {
      mutate {
        add_field => { "[dst][ipv]" => 4 }
      }
      cidr {
        address => [ "%{[dst][ip]}" ]
        network => [ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" ]
        add_field => { 
          "[dst][rfc1918]" => true
        }
      }
    } else {
      mutate {
        add_field => { "[dst][ipv]" => 6 }
      }
    }
    if ![dst][rfc1918] {
      mutate {
        add_field => { "[dst][rfc1918]" => false }
      }
    }
  }
  if [src][ip] { 
    if [src][ip] !~ /:/ {
      mutate {
        add_field => { "[src][ipv]" => 4 }
      }
      cidr {
        address => [ "%{[src][ip]}" ]
        network => [ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" ]
        add_field => { 
          "[src][rfc1918]" => true
        }
      }
    } else {
      mutate {
        add_field => { "[src][ipv]" => 6 }
      }
    }
    if ![src][rfc1918] {
      mutate {
        add_field => { "[src][rfc1918]" => false }
      }
    }
  }
  if [ip] {
    if [ip] !~ /:/ {
      mutate {
        add_field => { "ipv" => 4 }
      }
      cidr {
        address => [ "%{ip}" ]
        network => [ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" ]
        add_field => { 
          "rfc1918" => true
        }
      }
    } else {
      mutate {
        add_field => { "ipv" => 6 }
      }
    }
    if ![rfc1918] {
      mutate {
        add_field => { "rfc1918" => false }
      }
    }
  }
}
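As an added example (not part of the original post), here is a stand-alone Python model of the filter's decisions, useful for writing down the values you expect before changing the pipeline. It reproduces the colon test and the three-network CIDR match, and also shows an edge case the filter inherits: an IPv4-mapped IPv6 address such as ::ffff:10.0.0.1 contains a colon, so it is tagged as version 6 and never reaches the CIDR check. The event shape and the behaviour on an unparsable address are assumptions of this example.

```python
"""Model of the Logstash rfc1918 / ipv filter above (added example, not from the post)."""
import ipaddress

# The same three networks the cidr filter in the post uses.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(addr: str) -> dict:
    """Return the fields the filter adds for one address string."""
    if ":" not in addr:                       # mirrors:  if [x][ip] !~ /:/
        fields = {"ipv": 4}
        try:
            ip = ipaddress.ip_address(addr)
            # mirrors the cidr filter: true when inside any RFC1918 block
            fields["rfc1918"] = any(ip in net for net in RFC1918)
        except ValueError:
            # assumption: an unparsable address matches no network, so the
            # trailing "if ![x][rfc1918]" branch sets it to false
            fields["rfc1918"] = False
        return fields
    # Anything containing ':' is treated as IPv6 and skips the CIDR check,
    # so an IPv4-mapped address such as ::ffff:10.0.0.1 ends up rfc1918 = False.
    return {"ipv": 6, "rfc1918": False}


def decorate(event: dict) -> dict:
    """Apply the classification to [src][ip], [dst][ip] and top-level ip, as the filter does."""
    for key in ("src", "dst"):
        if isinstance(event.get(key), dict) and "ip" in event[key]:
            event[key].update(classify(event[key]["ip"]))
    if "ip" in event:
        event.update(classify(event["ip"]))
    return event


if __name__ == "__main__":
    # Constructed sample event in the nested shape the filter expects.
    sample = {"src": {"ip": "192.168.10.5"},
              "dst": {"ip": "93.184.216.34"},
              "ip": "::ffff:10.0.0.1"}
    print(decorate(sample))
```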
