Exclude by IP?

jasonyohon

15 May, 2015 01:33 AM

I use Qualys security scanning and their scanner fills up my logs. Can you exclude entries by IP address? IPs 64.39.96.0/20

  1. Posted by potsky (Support Staff) on 18 May, 2015 06:36 AM
    Hello,

    yes of course, you can exclude a line of log according to any field.

    Take a look at the point 3.2.4 in the documentation

  2. Posted by jasonyohon on 01 Sep, 2015 06:14 PM
    I've tried this a lot of different ways and I cannot get it to work.

    Adding "IP" : ["64\.39\.105\.204"], to the exclude section of a file crashes the entire pml system:
    "File ID x does not exist, please review your configuration file and stop playing!" But for every file ID, not just the one I add the exclude IP to.

    Below is an example of what I tried. I have tried every combo of brackets, commas, etc.

    If I remove the IP line it works fine again. I must be missing something.

    "exclude": {
    "IP" : ["64\.39\.105\.204"],
    "Log": ["\/PHP Stack trace:\/", "\/PHP *[0-9]*\\. \/"]
    }

  3. Posted by potsky (Support Staff) on 01 Sep, 2015 06:20 PM
    Backslashes are reserved in JSON. So you need to escape them.

    This should work:

    "exclude": { 
    "IP" : ["64\\.39\\.105\\.204"], 
    "Log": ["\/PHP Stack trace:\/", "\/PHP *[0-9]*\\. \/"] 
    }

  4. Posted by potsky (Support Staff) on 01 Sep, 2015 06:21 PM
    And this should be better:

    "exclude": { 
    "IP" : ["\/^64\\.39\\.105\\.204$\/"], 
    "Log": ["\/PHP Stack trace:\/", "\/PHP *[0-9]*\\. \/"] 
    }

    So you are sure to not remove 164.39.105.204 or 264.39.105.204 :-)

  5. Posted by jasonyohon on 05 Sep, 2015 03:40 PM
    How about a CIDR Range like 64.39.96.0/20 ?

    Like this?
    "IP" : ["\/^64\\.39\\.96\\.\\/20"],

    How would you exclude every IP except 64.39.96.0/20?

    Would that be "IP" : ["\/!64\\.39\\.96\\.\\/20"],

  6. Posted by potsky (Support Staff) on 05 Sep, 2015 06:56 PM

    I would not use a double negative assertion. Instead of excluding everything except A, I would only match A; it is easier.

    So forget the exclude part and just update the global regex to only match your network.
    The first IP is 64.39.96.1 and the last is 64.39.111.254, so you can inject this regex in the match token instead of (.*):

    (64\\.39\\.(96\\.([1-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5]))|((9[7-9]|1(0[0-9]|10))\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-5])))|111\\.([0-9]|[1-9][0-9]|1([0-9][0-9])|2([0-4][0-9]|5[0-4]))))

    I have used this site to generate the regex according to your network: http://www.analyticsmarket.com/freetools/ipregex

    If you don't understand what I mean by the match token or the global regex, send me your whole configuration file and I will show you where to replace the (.*) part.
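A way to generate and check such a range regex, as an added example (Python, not Pimp My Log's own code): it derives an anchored per-octet pattern from any IPv4 CIDR, not just the /20 above, JSON-encodes it with the doubled backslashes post 3 calls for, and cross-checks it against Python's ipaddress module, including the 164.39.105.204 case from post 4. Unlike the regex in post 6, it also matches the network and broadcast addresses (64.39.96.0 and 64.39.111.255).

```python
import ipaddress
import json
import re

# Added example, not code from Pimp My Log: build an anchored regex that
# matches exactly the hosts of an IPv4 CIDR block, then JSON-encode it the
# way a "/.../" pattern has to appear in the config (backslashes doubled).

FULL_OCTET = r"(?:25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])"  # any 0-255

def octet_range(lo: int, hi: int) -> str:
    """Regex for one decimal octet in [lo, hi]; explicit alternation is trivially correct."""
    if (lo, hi) == (0, 255):
        return FULL_OCTET
    values = sorted((str(n) for n in range(lo, hi + 1)), key=len, reverse=True)
    return "(?:" + "|".join(values) + ")"  # longer numerals first

def cidr_to_regex(cidr: str) -> str:
    """^...$ pattern for every address in cidr, network and broadcast included.
    A CIDR block is a product of per-octet ranges, so one range per octet is exact."""
    net = ipaddress.IPv4Network(cidr, strict=True)
    octets = zip(net.network_address.packed, net.broadcast_address.packed)
    return "^" + r"\.".join(octet_range(lo, hi) for lo, hi in octets) + "$"

def json_config_value(pattern: str) -> str:
    """Wrap in PCRE delimiters and JSON-encode; each backslash comes out doubled."""
    return json.dumps("/" + pattern + "/")

def matches(cidr: str, ip: str) -> bool:
    """re.search, like preg_match: only the anchors keep 164.39.105.204 from
    matching a 64.39.x.x rule."""
    return re.search(cidr_to_regex(cidr), ip) is not None

# Constructed samples: block edges, their neighbours and the false-positive case.
SAMPLE_IPS = ["64.39.96.0", "64.39.96.1", "64.39.111.254", "64.39.111.255",
              "64.39.95.255", "64.39.112.0", "164.39.105.204"]

def agrees_with_ipaddress(cidr: str, ips) -> bool:
    """Cross-check the regex against the ipaddress module for each sample."""
    net = ipaddress.IPv4Network(cidr)
    return all(matches(cidr, ip) == (ipaddress.IPv4Address(ip) in net) for ip in ips)

if __name__ == "__main__":
    pattern = cidr_to_regex("64.39.96.0/20")
    print(pattern)
    print('"IP": [' + json_config_value(pattern) + "],")
    for ip in SAMPLE_IPS:
        print(f"{ip:>16} -> {matches('64.39.96.0/20', ip)}")
```

The printed `"IP": [...]` line is what goes into the exclude (or match) section; the `/.../` delimiters and `^...$` anchors are part of the value.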
