It looks like network and network_path only accepts a hardcoded value while you can specify fields in address.

I think it would benefit users who want to dynamically maintain them.
Currently, you have to reload the config each time you need to change them and it is an extra cost for those managing the system.

Since the addresses directive currently takes a list of sprintf format strings, it is not possible to use an array-type field on the event.

Add a new, alternate way to register address-containing fields to use as input.

See also: https://discuss.elastic.co/t/how-can-i-pass-a-filebeat-host-ip-array-to-the-logstash-cidr-filter-plugin/171816

Version 3.1.3 fails if a non-existent field is provided in the source array. The plugin should silently skip any nonexistent field specified here so the configuration can provide a list of potential fields and tag accordingly.

At present, a Invalid IP address, skipping {:address=>"%{field_name}" log is created.

There could be a way to configure it like the translate plugin, where you can define a dictionary/dictionary_path and a destination field to assign all the cidrs matched with it's assigned value, defined in the dictionary.

Hi,

I would like to know what is best between CIDR plugin or Logstash regex?

For example :

                        cidr {
                                address => [ "%{[source_ip]}" ]
                                network_path => "local.network"
                                add_tag => [ "_geoiplocal" ]
                        }

or

                        if [source_ip] =~ /^192\.168/ or [source_ip] =~ /^127\./ ... {
                                mutate {
                                        add_tag => [ "_geoiplocal" ]
                                }
                        }

On logstash 6.2.4 we are parsing events with CIDR

        cidr {
          address => [ "%{IPAddress]}" ]
          network_path => "/etc/logstash/dictionaries/CIDR.yaml"
          add_tag => [ "tagging" ]
        }

the dictionary file contains around 4.000 entries and we are parsing around 1.000 events/second. This cause a very high load on logstash. If we are parsing the same events without this command, the load goes from 3000 to 150.
Please note that we have lot of other parsing activities on the same events like different translates where the yaml file contains also around 4.000 events, but this parsing seem's not causing a high load

We can reproduce the performance issue without problems. It would be nice to have a solution for this problem.

As I can see from the docs and the code it isn't possible to put any comments in the network list file. Especially for longer lists this is really a drawback.
Just to be clear. I'm talking about the file, which can be referenced by the network_path property.

From #2 closed due to a long standing CLA signature request not fulfilled.

did some speedups for classification. Mainly use a pre initializied array for ipaddress or networkaddresses if possible. also i could not not get jruby + logstash-devutils to work on my system so i did not execute the tests i added. But it should work since the benchmark provided the expected results for classification.

It would be beneficial to have option to replace_field and replace_tag, because currently it is only possible to add tags or remove field all together, but not replace all contents of certain field or tags.

Potentially it could also be achieved by having order in what commands are processed i.e. remove_field first and add_field second, it seems that currently it's other way around and even if I have this configuration:

filter {
cidr {
remove_field => [ "[fields][env]" ]
add_field => { "[fields][env]" => "env01" }
address => [ "%{[@metadata][ip_address]}" ]
network => [ "10.0.23.0/24"]
}
}

End result will be that fields.env doesn't exist as remove_field seems to be processed last.

Thank you!

The address option isn't mandatory, which doesn't make sense since the filter does nothing without any input addresses. See https://discuss.elastic.co/t/using-cidr-plugin-for-tagging-logs/72878 for an example of a resulting poor user experience.

Hello,

I want to match src_ip to multiple cidr matches. I have subnets collected in 20 files. However,i don't want to call cidr filter 20 times. From the moment a match is found, the following cidr filters don't have to be called anymore. Any idea how to do that ?
Do i need to match on a tag first ? like this:

if $tag="notfound" {
cidr {
network_path = "/a.txt"
add_tag { site = "AAA" }
remove_tag { notfound }
}
if $tag="notfound" {
cidr {
network_path = "/b.txt"
add_tag { site = "BBB" }
remove_tag { notfound }
}
}

I do not consider this patch copyrightable.

commit f15289ad055d9d575653651019253e3097641bd6
Author: Cameron Nemo <[email protected]>
Date:   Thu Jul 30 14:14:51 2020 -0700

    feat: assign network to destination field
    
    It can be desirable to know which specific network was matched,
    so I added an option to set a destination field based on that info.

diff --git a/lib/logstash/filters/cidr.rb b/lib/logstash/filters/cidr.rb
index 3bb19b0..7ee2a63 100644
--- a/lib/logstash/filters/cidr.rb
+++ b/lib/logstash/filters/cidr.rb
@@ -56,6 +56,9 @@ class LogStash::Filters::CIDR < LogStash::Filters::Base
   # pointed by network_path.
   config :separator, :validate => :string, :default => "\n"
 
+  # The destination field where the matching IP network is written.
+  config :destination, :validate => :string
+
   public
   def register
     rw_lock = java.util.concurrent.locks.ReentrantReadWriteLock.new
@@ -169,6 +172,9 @@ class LogStash::Filters::CIDR < LogStash::Filters::Base
     address.product(network).each do |a, n|
       @logger.debug("Checking IP inclusion", :address => a, :network => n)
       if n.include?(a)
+        if @destination
+          event.set(@destination, n.to_s + '/' + n.prefix.to_s)
+        end
         filter_matched(event)
         return
       end
diff --git a/spec/filters/cidr_spec.rb b/spec/filters/cidr_spec.rb
index 04511b8..b4b7835 100644
--- a/spec/filters/cidr_spec.rb
+++ b/spec/filters/cidr_spec.rb
@@ -188,4 +188,24 @@ describe LogStash::Filters::CIDR do
       expect { subject.register }.to raise_error(LogStash::ConfigurationError)
     end
   end
+
+  describe "destination" do
+    let(:config) { Hash.new }
+    config <<-CONFIG
+      filter {
+        cidr {
+          address     => "%{clientip}"
+          network     => ["192.168.1.0/24"]
+          destination => "clientnet"
+        }
+      }
+    CONFIG
+
+    sample("clientip" => "192.168.1.1") do
+      expect(subject.get("clientnet")).to eq("192.168.1.0/24")
+    end
+    sample("clientip" => "192.168.2.1") do
+      expect(subject.get("clientnet").nil?).to eq(true)
+    end
+  end
 end

Hi,
It means a lot of effort for tagging hundreds of network ranges within the cidr filter. It would be great to do that in the the list configured in network_path. Like the translate filter, it would be great to extend the cidr list with additional information, e.g.:

10.10.2.0 /24: network 2. floor
192.168.3.1/23: sales
10.40.23.0/24: guest wifi

... and so far.
So that I have to maintain only the list, if something changed.