cipher
editcipher
editThis is a community-maintained plugin! It does not ship with Logstash by default, but it is easy to install by running bin/logstash-plugin install logstash-filter-cipher.
This filter parses a source and apply a cipher or decipher before storing it in the target.
Synopsis
editThis plugin supports the following configuration options:
Required configuration options:
cipher {
algorithm => ...
mode => ...
}
Available configuration options:
| Setting | Input type | Required | Default value |
|---|---|---|---|
No |
|
||
No |
|
||
Yes |
|||
No |
|
||
No |
|||
No |
|||
No |
|||
<<,>> |
No |
|
|
No |
|
||
No |
|
||
Yes |
|||
No |
|
||
No |
|
||
No |
|
||
No |
|
||
No |
|
Details
edit
add_field
edit- Value type is hash
-
Default value is
{}
If this filter is successful, add any arbitrary fields to this event.
Field names can be dynamic and include parts of the event using the %{field}.
Example:
filter {
cipher {
add_field => { "foo_%{somefield}" => "Hello world, from %{host}" }
}
}
[source,ruby]
# You can also add multiple fields at once:
filter {
cipher {
add_field => {
"foo_%{somefield}" => "Hello world, from %{host}"
"new_field" => "new_static_value"
}
}
}
If the event has field "somefield" == "hello" this filter, on success,
would add field foo_hello if it is present, with the
value above and the %{host} piece replaced with that value from the
event. The second example would also add a hardcoded field.
add_tag
edit- Value type is array
-
Default value is
[]
If this filter is successful, add arbitrary tags to the event.
Tags can be dynamic and include parts of the event using the %{field}
syntax.
Example:
filter {
cipher {
add_tag => [ "foo_%{somefield}" ]
}
}
[source,ruby]
# You can also add multiple tags at once:
filter {
cipher {
add_tag => [ "foo_%{somefield}", "taggedy_tag"]
}
}
If the event has field "somefield" == "hello" this filter, on success,
would add a tag foo_hello (and the second example would of course add a taggedy_tag tag).
algorithm
edit- This is a required setting.
- Value type is string
- There is no default value for this setting.
The cipher algorithm
A list of supported algorithms can be obtained by
puts OpenSSL::Cipher.ciphers
base64
edit- Value type is boolean
-
Default value is
true
Do we have to perform a base64 decode or encode?
If we are decrypting, base64 decode will be done before.
If we are encrypting, base64 will be done after.
cipher_padding
edit- Value type is string
- There is no default value for this setting.
Cipher padding to use. Enables or disables padding.
By default encryption operations are padded using standard block padding and the padding is checked and removed when decrypting. If the pad parameter is zero then no padding is performed, the total amount of data encrypted or decrypted must then be a multiple of the block size or an error will occur.
See EVP_CIPHER_CTX_set_padding for further information.
We are using Openssl jRuby which uses default padding to PKCS5Padding If you want to change it, set this parameter. If you want to disable it, Set this parameter to 0
filter { cipher { cipher_padding => 0 }}
iv (DEPRECATED)
edit- DEPRECATED WARNING: This configuration item is deprecated and may not be available in future versions.
- Value type is string
- There is no default value for this setting.
The initialization vector to use (statically hard-coded). For a random IV see the iv_random_length property
If iv_random_length is set, it takes precedence over any value set for "iv"
The cipher modes CBC, CFB, OFB and CTR all need an "initialization vector", or short, IV. ECB mode is the only mode that does not require an IV, but there is almost no legitimate use case for this mode because of the fact that it does not sufficiently hide plaintext patterns.
For AES algorithms set this to a 16 byte string.
filter { cipher { iv => "1234567890123456" }}
Deprecated: Please use iv_random_length instead
iv_random_length
edit- Value type is number
- There is no default value for this setting.
Force an random IV to be used per encryption invocation and specify the length of the random IV that will be generated via:
OpenSSL::Random.random_bytes(int_length)
If iv_random_length is set, it takes precedence over any value set for "iv"
Enabling this will force the plugin to generate a unique random IV for each encryption call. This random IV will be prepended to the encrypted result bytes and then base64 encoded. On decryption "iv_random_length" must also be set to utilize this feature. Random IV’s are better than statically hardcoded IVs
For AES algorithms you can set this to a 16
filter { cipher { iv_random_length => 16 }}
key
edit- Value type is string
- There is no default value for this setting.
The key to use
If you encounter an error message at runtime containing the following:
"java.security.InvalidKeyException: Illegal key size: possibly you need to install Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for your JRE"
Please read the following: https://github.com/jruby/jruby/wiki/UnlimitedStrengthCrypto
key_pad
edit<li> Value type is <<string,string>> * Default value is `"\u0000"`
The character used to pad the key
key_size
edit- Value type is number
-
Default value is
16
The key size to pad
It depends of the cipher algorithm. If your key doesn’t need padding, don’t set this parameter
Example, for AES-128, we must have 16 char long key. AES-256 = 32 chars
filter { cipher { key_size => 16 }
max_cipher_reuse
edit- Value type is number
-
Default value is
1
If this is set the internal Cipher instance will be re-used up to @max_cipher_reuse times before being reset() and re-created from scratch. This is an option for efficiency where lots of data is being encrypted and decrypted using this filter. This lets the filter avoid creating new Cipher instances over and over for each encrypt/decrypt operation.
This is optional, the default is no re-use of the Cipher instance and max_cipher_reuse = 1 by default
filter { cipher { max_cipher_reuse => 1000 }}
mode
edit- This is a required setting.
- Value type is string
- There is no default value for this setting.
Encrypting or decrypting some data
Valid values are encrypt or decrypt
periodic_flush
edit- Value type is boolean
-
Default value is
false
Call the filter flush method at regular interval. Optional.
remove_field
edit- Value type is array
-
Default value is
[]
If this filter is successful, remove arbitrary fields from this event. Fields names can be dynamic and include parts of the event using the %{field} Example:
filter {
cipher {
remove_field => [ "foo_%{somefield}" ]
}
}
[source,ruby]
# You can also remove multiple fields at once:
filter {
cipher {
remove_field => [ "foo_%{somefield}", "my_extraneous_field" ]
}
}
If the event has field "somefield" == "hello" this filter, on success,
would remove the field with name foo_hello if it is present. The second
example would remove an additional, non-dynamic field.
remove_tag
edit- Value type is array
-
Default value is
[]
If this filter is successful, remove arbitrary tags from the event.
Tags can be dynamic and include parts of the event using the %{field}
syntax.
Example:
filter {
cipher {
remove_tag => [ "foo_%{somefield}" ]
}
}
[source,ruby]
# You can also remove multiple tags at once:
filter {
cipher {
remove_tag => [ "foo_%{somefield}", "sad_unwanted_tag"]
}
}
If the event has field "somefield" == "hello" this filter, on success,
would remove the tag foo_hello if it is present. The second example
would remove a sad, unwanted tag as well.