Exclude IPv6 addresses in pipeline rule?


1. Describe your incident:

I recently set up an integration to GreyNoise Community and it is working swimmingly, except I get occasional errors in my Graylog log:

WARN  [GreyNoiseCommunityIpLookupAdapter] '::1' is an IPv6 Address.  'GreyNoise Community IP Lookup' does not support IPv6 Addresses

I would like to filter the IPv6 addresses within the pipeline rule calling the lookup so that they are not sent to GreyNoise.

2. Describe your environment:

  • OS Information: Ubuntu 22.04

  • Package Version: 5.0.3+a82acb2

  • Service logs, configurations, and environment variables:

WARN  [GreyNoiseCommunityIpLookupAdapter] '::1' is an IPv6 Address.  'GreyNoise Community IP Lookup' does not support IPv6 Addresses

3. What steps have you already taken to try and solve the problem?

I added the below to my pipeline rule, but I have low confidence that I am using the function correctly. Hoping someone can spot an error or make a suggestion on another way to avoid running the rule action on IPv6 addresses.

Here’s the when block:

when
    has_field("SrcIP") && 
    is_ip(to_ip($message.SrcIP)) &&
    !grok_exists("%{IPV6:$message.SrcIP}") &&
    !in_private_net(to_string($message.SrcIP)) &&
    !cidr_match("169.254.0.0/16",to_ip($message.SrcIP)) 
then

The !grok_exists("%{IPV6:$message.SrcIP}") && clause is intended to stop processing if there is an IPv6 address in the SrcIP field, but it is not working.

4. How can the community help?

Provide advice on getting the pipeline rule to stop processing in the event of an IPv6 address.


Hey @faen

Not quite sure if this will work for ya. Here are a couple of examples:

rule "proxy address"
when
    cidr_match("91.0.0.0/8", to_ip("91.184.102.100")) &&
    ! cidr_match("92.0.0.0/8", to_ip("91.184.102.100"))
then
    set_field("proxy_address", "91.184.102.100");
end

And/Or something like this?

rule "from datacenter subnet"
when
    cidr_match("192.168.1.0/24", to_ip($message.gl2_remote_ip)) OR cidr_match("192.168.2.0/24", to_ip($message.gl2_remote_ip))
then
    set_field("new_field", true);  // value to store in the new field
end

Or perhaps use regex_replace();

Example:

rule "IPv6"
when
  has_field("message")
then
  let anonym_ip = regex_replace(
    pattern: "([0-9A-Fa-f]{1,4}):([0-9A-Fa-f]{1,4}):([0-9A-Fa-f]{1,4}):([0-9A-Fa-f]{1,4}):([0-9A-Fa-f]{1,4}):([0-9A-Fa-f]{1,4}):([0-9A-Fa-f]{1,4}):([0-9A-Fa-f]{1,4}|:)",
    value: to_string($message.message),
    replacement: "$1:$2:yyy:yyy:yyy:yyy:yyy::"
  );
  set_field("message", anonym_ip);
end

Sorry for the late reply here @gsmith, I’ve had a pretty busy week with other things.

I think your 3rd example might be close to what I am looking for. I might add a rule to make a flag for IPv6 addresses that can be used to exclude those messages from data enrichment that does not support IPv6. I’ll post an update when I have time to get it running.

1 Like
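The two rules below are an added example, not code from this thread or from Graylog's own documentation. They show the flag-then-enrich layout described in the last reply together with the IPv6 exclusion asked for in the question. The field name SrcIP comes from the question; the flag field names, the rule names and the lookup table name "greynoise-community" are assumed and should be replaced with whatever your GreyNoise Community lookup table is called. String checks are used on purpose: grok_exists() only tests whether a grok pattern with that name is defined, it does not run a pattern against a value, and to_ip() hands back 0.0.0.0 rather than failing when given something it cannot parse, so is_ip(to_ip(x)) is true for any x.

```graylog
// Stage 0: classify the source address once so later stages can key off a flag.
// Rule and field names are assumed for this example.
rule "Flag SrcIP address family"
when
    has_field("SrcIP")
then
    let src = to_string($message.SrcIP);
    // An IPv4 literal never contains a colon; an IPv6 literal always does.
    set_field("SrcIP_is_ipv6", contains(src, ":"));
    // Strict dotted-quad shape check: rejects IPv6, hostnames and junk
    // without relying on to_ip(), which yields 0.0.0.0 for unparsable input.
    set_field("SrcIP_is_ipv4", regex("^[0-9]{1,3}([.][0-9]{1,3}){3}$", src).matches);
end

// Stage 1: only public, routable IPv4 addresses are sent to GreyNoise.
rule "GreyNoise Community enrichment (IPv4 only)"
when
    has_field("SrcIP") &&
    to_bool($message.SrcIP_is_ipv4) &&
    ! to_bool($message.SrcIP_is_ipv6) &&
    ! in_private_net(to_string($message.SrcIP)) &&
    ! cidr_match("127.0.0.0/8", to_ip(to_string($message.SrcIP))) &&
    ! cidr_match("169.254.0.0/16", to_ip(to_string($message.SrcIP)))
then
    // "greynoise-community" is an assumed lookup table name; use the name of
    // the lookup table bound to your GreyNoise Community data adapter.
    let gn = lookup("greynoise-community", to_string($message.SrcIP));
    // Copy every key of the lookup result onto the message as greynoise_<key>.
    set_fields(fields: gn, prefix: "greynoise_");
end
```

Put the first rule in an earlier stage than the second so the flag fields exist before they are tested. If you would rather not add flag fields, the minimal change to the when block in the question is to replace the grok_exists() line with ! contains(to_string($message.SrcIP), ":"), which keeps "::1" and every other IPv6 literal away from the lookup.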

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.