cipher

Milestone: 1

This is a community-contributed plugin! It does not ship with logstash by default, but it is easy to install! To use this, you must have installed the contrib plugins package.

This filter parses a source and apply a cipher or decipher before storing it in the target.

Synopsis

This is what it might look like in your config file:
filter {
  cipher {
    add_field => ... # hash (optional), default: {}
    add_tag => ... # array (optional), default: []
    algorithm => ... # string (required)
    base64 => ... # boolean (optional), default: true
    cipher_padding => ... # string (optional)
    iv => ... # string (optional)
    key => ... # string (optional)
    key_pad => ... #  (optional), default: "\u0000"
    key_size => ... # number (optional), default: 32
    mode => ... # string (required)
    remove_field => ... # array (optional), default: []
    remove_tag => ... # array (optional), default: []
    source => ... # string (optional), default: "message"
    target => ... # string (optional), default: "message"
  }
}

Details

add_field

  • Value type is hash
  • Default value is {}

If this filter is successful, add any arbitrary fields to this event. Field names can be dynamic and include parts of the event using the %{field} Example:

filter {
  cipher {
    add_field => { "foo_%{somefield}" => "Hello world, from %{host}" }
  }
}

# You can also add multiple fields at once:

filter {
  cipher {
    add_field => { 
      "foo_%{somefield}" => "Hello world, from %{host}"
      "new_field" => "new_static_value"
    }
  }
}

If the event has field “somefield” == “hello” this filter, on success, would add field “foo_hello” if it is present, with the value above and the %{host} piece replaced with that value from the event. The second example would also add a hardcoded field.

add_tag

  • Value type is array
  • Default value is []

If this filter is successful, add arbitrary tags to the event. Tags can be dynamic and include parts of the event using the %{field} syntax. Example:

filter {
  cipher {
    add_tag => [ "foo_%{somefield}" ]
  }
}

# You can also add multiple tags at once:
filter {
  cipher {
    add_tag => [ "foo_%{somefield}", "taggedy_tag"]
  }
}

If the event has field “somefield” == “hello” this filter, on success, would add a tag “foo_hello” (and the second example would of course add a “taggedy_tag” tag).

algorithm (required setting)

  • Value type is string
  • There is no default value for this setting.

The cipher algorythm

A list of supported algorithms can be obtained by

puts OpenSSL::Cipher.ciphers

base64

  • Value type is boolean
  • Default value is true

Do we have to perform a base64 decode or encode?

If we are decrypting, base64 decode will be done before. If we are encrypting, base64 will be done after.

cipher_padding

  • Value type is string
  • There is no default value for this setting.

Cypher padding to use. Enables or disables padding.

By default encryption operations are padded using standard block padding and the padding is checked and removed when decrypting. If the pad parameter is zero then no padding is performed, the total amount of data encrypted or decrypted must then be a multiple of the block size or an error will occur.

See EVP_CIPHER_CTX_set_padding for further information.

We are using Openssl jRuby which uses default padding to PKCS5Padding If you want to change it, set this parameter. If you want to disable it, Set this parameter to 0 filter { cipher { padding => 0 }}

exclude_tags DEPRECATED

  • DEPRECATED WARNING: This config item is deprecated. It may be removed in a further version.
  • Value type is array
  • Default value is []

Only handle events without all/any (controlled by exclude_any config option) of these tags. Optional.

iv

  • Value type is string
  • There is no default value for this setting.

The initialization vector to use

The cipher modes CBC, CFB, OFB and CTR all need an “initialization vector”, or short, IV. ECB mode is the only mode that does not require an IV, but there is almost no legitimate use case for this mode because of the fact that it does not sufficiently hide plaintext patterns.

key

  • Value type is string
  • There is no default value for this setting.

The key to use

key_pad

  • Value type is string
  • Default value is "\u0000"

The character used to pad the key

key_size

  • Value type is number
  • Default value is 32

The key size to pad

It depends of the cipher algorythm.I your key don’t need padding, don’t set this parameter

Example, for AES-256, we must have 32 char long key filter { cipher { key_size => 32 }

mode (required setting)

  • Value type is string
  • There is no default value for this setting.

Encrypting or decrypting some data

Valid values are encrypt or decrypt

remove_field

  • Value type is array
  • Default value is []

If this filter is successful, remove arbitrary fields from this event. Fields names can be dynamic and include parts of the event using the %{field} Example:

filter {
  cipher {
    remove_field => [ "foo_%{somefield}" ]
  }
}

# You can also remove multiple fields at once:

filter {
  cipher {
    remove_field => [ "foo_%{somefield}" "my_extraneous_field" ]
  }
}

If the event has field “somefield” == “hello” this filter, on success, would remove the field with name “foo_hello” if it is present. The second example would remove an additional, non-dynamic field.

remove_tag

  • Value type is array
  • Default value is []

If this filter is successful, remove arbitrary tags from the event. Tags can be dynamic and include parts of the event using the %{field} syntax. Example:

filter {
  cipher {
    remove_tag => [ "foo_%{somefield}" ]
  }
}

# You can also remove multiple tags at once:

filter {
  cipher {
    remove_tag => [ "foo_%{somefield}", "sad_unwanted_tag"]
  }
}

If the event has field “somefield” == “hello” this filter, on success, would remove the tag “foo_hello” if it is present. The second example would remove a sad, unwanted tag as well.

source

  • Value type is string
  • Default value is "message"

The field to perform filter

Example, to use the @message field (default) :

filter { cipher { source => "message" } }

tags DEPRECATED

  • DEPRECATED WARNING: This config item is deprecated. It may be removed in a further version.
  • Value type is array
  • Default value is []

Only handle events with all/any (controlled by include_any config option) of these tags. Optional.

target

  • Value type is string
  • Default value is "message"

The name of the container to put the result

Example, to place the result into crypt :

filter { cipher { target => "crypt" } }

type DEPRECATED

  • DEPRECATED WARNING: This config item is deprecated. It may be removed in a further version.
  • Value type is string
  • Default value is ""

Note that all of the specified routing options (type,tags.exclude_tags,include_fields,exclude_fields) must be met in order for the event to be handled by the filter. The type to act on. If a type is given, then this filter will only act on messages with the same type. See any input plugin’s “type” attribute for more. Optional.


This is documentation from lib/logstash/filters/cipher.rb