Logstash cidr Filter Plugin

The Logstash cidr filter plugin is used to check IP addresses against a list of network blocks. It's particularly useful for classifying IP addresses into predefined categories or for filtering events based on whether an IP address falls within specific network ranges.

Syntax

cidr {
  add_field => ...
  address => ...
  network => ...
  tag_on_failure => ...
}

For detailed configuration options, refer to the official Logstash cidr filter plugin documentation.

Example Use Case

Suppose you want to categorize incoming traffic based on whether the source IP is internal or external to your network. You could use the cidr filter like this:

filter {
  cidr {
    address => [ "%{src_ip}" ]
    network => [ "192.168.0.0/16", "10.0.0.0/8", "172.16.0.0/12" ]
    add_field => { "network_location" => "internal" }
  }
}

In this example, if the src_ip field matches any of the specified network ranges (the common private IPv4 ranges), a new field network_location is added with the value "internal". An IP that matches none of the ranges gets no network_location field and would be considered external.

Common Issues and Best Practices

  1. Ensure that the field containing the IP address is properly parsed before applying the cidr filter.
  2. Be mindful of performance when using large network lists. Consider using a separate database or caching mechanism for very large sets of network ranges.
  3. Remember that IPv6 addresses are supported, but make sure your network ranges are correctly formatted for IPv6 if you're dealing with such addresses.

Frequently Asked Questions

Q: Can the cidr filter handle both IPv4 and IPv6 addresses?
A: Yes, the cidr filter can handle both IPv4 and IPv6 addresses. Just ensure that your network ranges are correctly formatted for the type of IP addresses you're working with.

Q: What happens if an IP doesn't match any of the specified networks?
A: If an IP doesn't match any network, no action is taken by default. You can use the tag_on_failure option to add a tag to events where the IP doesn't match any network.

Q: Can I use the cidr filter to exclude certain IP ranges?
A: While the cidr filter doesn't directly support exclusion, you can achieve this by tagging matches and then using a conditional statement to exclude events with that tag.
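The classification, tag_on_failure and tag-then-exclude patterns from the answers above, combined into one pipeline as an added example (not from the official plugin documentation). The src_ip field name, the tag names, the choice of fc00::/7 and ::1/128 as "internal" IPv6 ranges, and the 203.0.113.0/24 documentation range standing in for a subnet you want to exclude are assumptions; add_tag is the common filter option shared by all Logstash filters.

```logstash
filter {
  # Assumed: src_ip has already been parsed into its own field
  # (e.g. by grok or json) before this filter runs.
  cidr {
    address        => [ "%{src_ip}" ]
    network        => [ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                        "fc00::/7", "::1/128" ]   # IPv6 ranges in IPv6 notation
    add_field      => { "network_location" => "internal" }
    tag_on_failure => [ "src_external" ]          # set when no range matches
  }

  # No match above means the source is outside our address space.
  if "src_external" in [tags] {
    mutate { add_field => { "network_location" => "external" } }
  }

  # Exclusion: tag events from a range, then drop them on that tag.
  cidr {
    address => [ "%{src_ip}" ]
    network => [ "203.0.113.0/24" ]   # placeholder range (TEST-NET-3)
    add_tag => [ "src_excluded_range" ]
  }
  if "src_excluded_range" in [tags] {
    drop { }
  }
}
```

Events from 203.0.113.0/24 never reach the outputs, while everything else carries a network_location of "internal" or "external".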

Q: Is it possible to use variables or external files for network ranges?
A: Yes, you can use Logstash's variable substitution to reference external configuration, or you can use the file input plugin to read network ranges from a file.

Q: How does the cidr filter perform with a large number of network ranges?
A: Performance can degrade with a very large number of network ranges. For extremely large sets, consider using a database lookup or other optimized solution instead.
