One field I add is "rfc1918", a boolean (true or false).
This makes it easy to separate internal (private) addresses from external ones when sorting or searching.
Another field I like to add is "ipv" (4 or 6), to distinguish IPv4 addresses from IPv6 addresses.
The Logstash filter example below assumes your IP addresses are in fields named "src.ip", "dst.ip" or "ip".
filter {
  # dst.ip: no colon means IPv4, so check it against the RFC 1918 ranges
  if [dst][ip] {
    if [dst][ip] !~ /:/ {
      mutate { add_field => { "[dst][ipv]" => 4 } }
      cidr {
        address   => [ "%{[dst][ip]}" ]
        network   => [ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" ]
        add_field => { "[dst][rfc1918]" => true }
      }
    } else {
      mutate { add_field => { "[dst][ipv]" => 6 } }
    }
    # cidr only adds the field on a match; fill in false otherwise
    if ![dst][rfc1918] {
      mutate { add_field => { "[dst][rfc1918]" => false } }
    }
  }

  # src.ip: same logic
  if [src][ip] {
    if [src][ip] !~ /:/ {
      mutate { add_field => { "[src][ipv]" => 4 } }
      cidr {
        address   => [ "%{[src][ip]}" ]
        network   => [ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" ]
        add_field => { "[src][rfc1918]" => true }
      }
    } else {
      mutate { add_field => { "[src][ipv]" => 6 } }
    }
    if ![src][rfc1918] {
      mutate { add_field => { "[src][rfc1918]" => false } }
    }
  }

  # top-level ip: same logic
  if [ip] {
    if [ip] !~ /:/ {
      mutate { add_field => { "ipv" => 4 } }
      cidr {
        address   => [ "%{ip}" ]
        network   => [ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" ]
        add_field => { "rfc1918" => true }
      }
    } else {
      mutate { add_field => { "ipv" => 6 } }
    }
    if ![rfc1918] {
      mutate { add_field => { "rfc1918" => false } }
    }
  }
}
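As an added example (not from the original post), here is the same enrichment written in Python with the standard ipaddress module, useful for generating expected values when testing the pipeline; it goes one step further than the filter above by unwrapping IPv4-mapped IPv6 addresses and leaving unparsable values untagged. The field layout and sample events are constructed assumptions.

```python
import ipaddress

# Constructed sample events using the field layout assumed above:
# nested src.ip / dst.ip plus a top-level "ip" field.
SAMPLE_EVENTS = [
    {"src": {"ip": "10.1.2.3"}, "dst": {"ip": "8.8.8.8"}},
    {"ip": "172.31.255.1"},
    {"src": {"ip": "2001:db8::1"}, "dst": {"ip": "::ffff:192.168.0.9"}},
    {"ip": "not-an-ip"},
]

RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def classify(addr):
    """Return (ipv, rfc1918) for one address string, or None if it does not parse."""
    try:
        ip = ipaddress.ip_address(addr)
    except ValueError:
        # The Logstash filter would tag this ipv=4 / rfc1918=false (it only looks
        # for a colon); leaving it untagged makes bad input visible instead.
        return None
    if ip.version == 6:
        if ip.ipv4_mapped:
            # ::ffff:a.b.c.d carries an IPv4 address: classify the embedded v4 so
            # an internal host is not mislabelled as external.
            ip = ip.ipv4_mapped
        else:
            # IPv6 has no RFC 1918 space (ULA fc00::/7 is a separate thing).
            return 6, False
    return 4, any(ip in net for net in RFC1918)


def enrich(event):
    """Add ipv/rfc1918 beside each ip field, as the filter does. Values are real
    int/bool here; Logstash add_field stores strings ("4", "true") unless converted."""
    for key in ("src", "dst"):
        sub = event.get(key)
        if isinstance(sub, dict) and "ip" in sub:
            res = classify(sub["ip"])
            if res is not None:
                sub["ipv"], sub["rfc1918"] = res
    if "ip" in event:
        res = classify(event["ip"])
        if res is not None:
            event["ipv"], event["rfc1918"] = res
    return event


if __name__ == "__main__":
    for ev in SAMPLE_EVENTS:
        print(enrich(ev))
```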