Exclude IPv6 addresses in pipeline rule?

Before you post: Your responses to these questions will help the community help you. Please complete this template if you’re asking a support question.
Don’t forget to select tags to help index your topic!

1. Describe your incident:

I recently set up an integration to GreyNoise Community and it is working swimmingly, except I get occasional errors in my Graylog log:

WARN  [GreyNoiseCommunityIpLookupAdapter] '::1' is an IPv6 Address.  'GreyNoise Community IP Lookup' does not support IPv6 Addresses

I would like to filter the IPv6 addresses within the pipeline rule calling the lookup so that they are not sent to GreyNoise.

2. Describe your environment:

  • OS Information: Ubuntu 22.04

  • Package Version: 5.0.3+a82acb2

  • Service logs, configurations, and environment variables:

WARN  [GreyNoiseCommunityIpLookupAdapter] '::1' is an IPv6 Address.  'GreyNoise Community IP Lookup' does not support IPv6 Addresses

3. What steps have you already taken to try and solve the problem?

I added the below to my pipeline rule, but I have a low confidence that I am using the function correctly. Hoping someone can spot an error or make a suggestion on another way to avoid running the rule action on IPv6 addresses.

Here’s the when block:

    has_field("SrcIP") && 
    is_ip(to_ip($message.SrcIP)) &&
    !grok_exists("%{IPV6:$message.SrcIP}") &&
    !in_private_net(to_string($message.SrcIP)) &&

The !grok_exists("%{IPV6:$message.SrcIP}") && is intended to stop processing if there is an IPv6 address in the SrcIP field, but it is not working.

4. How can the community help?

Provide advice on getting the pipeline rule to stop processing in the event of an IPv6 address.

Helpful Posting Tips: Tips for Posting Questions that Get Answers [Hold down CTRL and link on link to open tips documents in a separate tab]

Hey @faen

Not quite sure if this will work for ya. Here are couple examples:

rule "proxy  address"
 cidr_match("", to_ip("")) &&
  ! cidr_match("", to_ip(""))
   set_field("proxy_address", "");

And/Or something like this?

rule "from datacenter subnet"
    cidr_match("", to_ip($message.gl2_remote_ip)) OR cidr_match("", to_ip($message.gl2_remote_ip)) 

Or perhap use regex_replace();


rule "IPv6 "
  let anonym_ip = regex_replace(
    pattern: "([0-9A-Fa-f]{1,4}):([0-9A-Fa-f]{1,4}):([0-9A-Fa-f]{1,4}):([0-9A-Fa-f]{1,4}):([0-9A-Fa-f]{1,4}):([0-9A-Fa-f]{1,4}):([0-9A-Fa-f]{1,4}):([0-9A-Fa-f]{1,4}|:)",
    value: to_string($message.message),
    replacement: "$1:$2:yyy:yyy:yyy:yyy:yyy::"
  set_field("message", anonym_ip);

Sorry for the late reply here @gsmith, I’ve had a pretty busy week with other things.

I think your 3rd example might be close to what I am looking for. I might add a rule to make a flag for IPv6 addresses that can be used to exclude those messages from data enrichment that does not support IPv6. I’ll post an update when I have time to get it running.

1 Like

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.