From b6ef2469511945ef912c197eca35b0c27ca3519a Mon Sep 17 00:00:00 2001 From: Anton Rubin Date: Fri, 10 Oct 2025 15:41:42 +0100 Subject: [PATCH 1/6] adding example for CIDR block in Data Prepper Signed-off-by: Anton Rubin --- _data-prepper/pipelines/cidrcontains.md | 27 +++++++++++++++++++++++++ 1 file changed, 27 insertions(+) diff --git a/_data-prepper/pipelines/cidrcontains.md b/_data-prepper/pipelines/cidrcontains.md index 1e8b3fa396b..ea19bf58258 100644 --- a/_data-prepper/pipelines/cidrcontains.md +++ b/_data-prepper/pipelines/cidrcontains.md @@ -22,3 +22,30 @@ cidrContains('/client.ip', '192.168.0.0/16', '10.0.0.0/8') {% include copy.html %} This function returns `true` if the IP address matches any of the specified CIDR blocks or `false` if it does not. + +## Example + +The following pipeline drop any documents that are not part of the specified CIDR blocks: + +``` +cidr-allowlist-pipeline: + source: + http: + port: 2021 + path: /events + ssl: true + sslKeyCertChainFile: "certs/dp.crt" + sslKeyFile: "certs/dp.key" + processor: + - drop_events: + # Drop events whose client IP is NOT in specific CIDR allowlist + drop_when: 'not cidrContains(/client/ip, "10.0.0.0/8", "192.168.0.0/16", "fd00::/8")' + sink: + - opensearch: + hosts: ["https://opensearch:9200"] + insecure: true + username: admin + password: "admin_pass" + index_type: custom + index: "logs-%{yyyy.MM.dd}" +``` From eafd7ff1c96331a47fdcffd467d22743144bcaae Mon Sep 17 00:00:00 2001 From: Anton Rubin Date: Fri, 10 Oct 2025 15:43:52 +0100 Subject: [PATCH 2/6] adding example for CIDR block in Data Prepper Signed-off-by: Anton Rubin --- _data-prepper/pipelines/cidrcontains.md | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/_data-prepper/pipelines/cidrcontains.md b/_data-prepper/pipelines/cidrcontains.md index ea19bf58258..a5646f685f8 100644 --- a/_data-prepper/pipelines/cidrcontains.md +++ b/_data-prepper/pipelines/cidrcontains.md @@ -25,9 +25,9 @@ This function returns `true` if the IP address matches any of the specified CIDR ## Example -The following pipeline drop any documents that are not part of the specified CIDR blocks: +The following pipeline drops any documents that are not part of the specified CIDR blocks: -``` +```yaml cidr-allowlist-pipeline: source: http: @@ -49,3 +49,4 @@ cidr-allowlist-pipeline: index_type: custom index: "logs-%{yyyy.MM.dd}" ``` +{% include copy-curl.html %} \ No newline at end of file From fb01c684db87a65082e86fc74dc5630d9becd7e3 Mon Sep 17 00:00:00 2001 From: kolchfa-aws <105444904+kolchfa-aws@users.noreply.github.com> Date: Fri, 10 Oct 2025 12:05:26 -0400 Subject: [PATCH 3/6] Update _data-prepper/pipelines/cidrcontains.md Signed-off-by: kolchfa-aws <105444904+kolchfa-aws@users.noreply.github.com> --- _data-prepper/pipelines/cidrcontains.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/_data-prepper/pipelines/cidrcontains.md b/_data-prepper/pipelines/cidrcontains.md index a5646f685f8..0b5d8d0ce85 100644 --- a/_data-prepper/pipelines/cidrcontains.md +++ b/_data-prepper/pipelines/cidrcontains.md @@ -49,4 +49,4 @@ cidr-allowlist-pipeline: index_type: custom index: "logs-%{yyyy.MM.dd}" ``` -{% include copy-curl.html %} \ No newline at end of file +{% include copy.html %} \ No newline at end of file From d7bf2980b339be7177520d5850d7956a34f896e0 Mon Sep 17 00:00:00 2001 From: AntonEliatra Date: Tue, 14 Oct 2025 11:55:16 +0100 Subject: [PATCH 4/6] Update cidrcontains.md Signed-off-by: AntonEliatra --- _data-prepper/pipelines/cidrcontains.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/_data-prepper/pipelines/cidrcontains.md b/_data-prepper/pipelines/cidrcontains.md index 0b5d8d0ce85..b5fb7aad910 100644 --- a/_data-prepper/pipelines/cidrcontains.md +++ b/_data-prepper/pipelines/cidrcontains.md @@ -31,7 +31,6 @@ The following pipeline drops any documents that are not part of the specified CI cidr-allowlist-pipeline: source: http: - port: 2021 path: /events ssl: true sslKeyCertChainFile: "certs/dp.crt" @@ -49,4 +48,4 @@ cidr-allowlist-pipeline: index_type: custom index: "logs-%{yyyy.MM.dd}" ``` -{% include copy.html %} \ No newline at end of file +{% include copy.html %} From b13158e13cc6980b1d6e6d28ac481492db80b7fa Mon Sep 17 00:00:00 2001 From: Anton Rubin Date: Tue, 14 Oct 2025 12:07:25 +0100 Subject: [PATCH 5/6] adding command to test the pipeline Signed-off-by: Anton Rubin --- _data-prepper/pipelines/cidrcontains.md | 52 +++++++++++++++++++++++++ 1 file changed, 52 insertions(+) diff --git a/_data-prepper/pipelines/cidrcontains.md b/_data-prepper/pipelines/cidrcontains.md index b5fb7aad910..8bd5ddf9a17 100644 --- a/_data-prepper/pipelines/cidrcontains.md +++ b/_data-prepper/pipelines/cidrcontains.md @@ -49,3 +49,55 @@ cidr-allowlist-pipeline: index: "logs-%{yyyy.MM.dd}" ``` {% include copy.html %} + +You can test this pipeline using the following command: + +```bash +curl -ksS -X POST "https://localhost:2021/events" \ + -H "Content-Type: application/json" \ + -d '[ + {"client":{"ip":"10.23.45.6"},"msg":"allowed 10/8"}, + {"client":{"ip":"8.8.8.8"},"msg":"should be dropped"}, + {"client":{"ip":"fd00::1234"},"msg":"allowed ULA IPv6"} + ]' +``` +{% include copy.html %} + +Only two documents are indexed: + +```json +{ + ... + "hits": { + "total": { + "value": 2, + "relation": "eq" + }, + "max_score": 1, + "hits": [ + { + "_index": "logs-2025.10.14", + "_id": "Ng1i4pkBLPEKXekW48BU", + "_score": 1, + "_source": { + "client": { + "ip": "10.23.45.6" + }, + "msg": "allowed 10/8" + } + }, + { + "_index": "logs-2025.10.14", + "_id": "Nw1i4pkBLPEKXekW48BU", + "_score": 1, + "_source": { + "client": { + "ip": "fd00::1234" + }, + "msg": "allowed ULA IPv6" + } + } + ] + } +} +``` \ No newline at end of file From 6b31e892c48fb601ad1eb7388d35dab4a1526231 Mon Sep 17 00:00:00 2001 From: AntonEliatra Date: Wed, 15 Oct 2025 10:45:36 +0100 Subject: [PATCH 6/6] Update cidrcontains.md Signed-off-by: AntonEliatra --- _data-prepper/pipelines/cidrcontains.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/_data-prepper/pipelines/cidrcontains.md b/_data-prepper/pipelines/cidrcontains.md index 8bd5ddf9a17..b2f1064a3e5 100644 --- a/_data-prepper/pipelines/cidrcontains.md +++ b/_data-prepper/pipelines/cidrcontains.md @@ -63,7 +63,7 @@ curl -ksS -X POST "https://localhost:2021/events" \ ``` {% include copy.html %} -Only two documents are indexed: +The documents stored in OpenSearch contain the following information: ```json { @@ -100,4 +100,4 @@ Only two documents are indexed: ] } } -``` \ No newline at end of file +```