Cipher filter plugin

The cipher algorithm to use for encryption and decryption operations.

A list of supported algorithms depends on the versions of Logstash, JRuby, and Java this plugin is running in, but can be obtained by running:

    cd $LOGSTASH_HOME # <-- your Logstash distribution root
    bin/ruby -ropenssl -e 'puts OpenSSL::Cipher.ciphers'

Enables or disables padding in encryption operations.

In encryption operations with block-ciphers, the input plaintext must be an exact multiple of the cipher’s block-size unless padding is enabled.

Disabling padding by setting this value to 0 will cause this plugin to fail to encrypt any input plaintext that doesn’t strictly adhere to the algorithm's block size requirements.

    filter { cipher { cipher_padding => 0 }}

In encryption operations, this plugin generates a random Initialization Vector (IV) per encryption operation. This is a standard best-practice to ensure that the resulting ciphertexts cannot be compared to infer equivalence of the source plaintext. This unique IV is then prepended to the resulting ciphertext before it is stored, ensuring it is available to any process that needs to decrypt it.

In decryption operations, the IV is assumed to have been prepended to the ciphertext, so this plugin needs to know the length of the IV in order to split the input appropriately.

The size of the IV is generally dependent on which algorithm is used. AES Algorithms generally use a 16-byte IV:

    filter { cipher { iv_random_length => 16 }}

The key to use for encryption and decryption operations.

"java.security.InvalidKeyException: Illegal key size: possibly you need to install Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for your JRE"

Please read the following: https://github.com/jruby/jruby/wiki/UnlimitedStrengthCrypto

The character used to pad the key to the required key_size.

The cipher’s required key size, which depends on which algorithm you are using. If a key is specified with a shorter value, it will be padded with key_pad.

Example, for AES-128, we must have 16 char long key. AES-256 = 32 chars

    filter { cipher { key_size => 16 }

If this value is set, the internal Cipher instance will be re-used up to max_cipher_reuse times before it is re-created from scratch. This is an option for efficiency where lots of data is being encrypted and decrypted using this filter. This lets the filter avoid creating new Cipher instances over and over for each encrypt/decrypt operation.

This is optional, the default is no re-use of the Cipher instance and max_cipher_reuse = 1 by default

    filter { cipher { max_cipher_reuse => 1000 }}

The name of the source field.

Example, to use the message field (default) :

    filter { cipher { source => "message" } }

The name of the target field to put the result:

Example, to place the result into crypt:

    filter { cipher { target => "crypt" } }

If this filter is successful, add any arbitrary fields to this event. Field names can be dynamic and include parts of the event using the %{field}.

Example:

    filter {
      cipher {
        add_field => { "foo_%{somefield}" => "Hello world, from %{host}" }
      }
    }

    # You can also add multiple fields at once:
    filter {
      cipher {
        add_field => {
          "foo_%{somefield}" => "Hello world, from %{host}"
          "new_field" => "new_static_value"
        }
      }
    }

If the event has field "somefield" == "hello" this filter, on success, would add field foo_hello if it is present, with the value above and the %{host} piece replaced with that value from the event. The second example would also add a hardcoded field.

If this filter is successful, add arbitrary tags to the event. Tags can be dynamic and include parts of the event using the %{field} syntax.

Example:

    filter {
      cipher {
        add_tag => [ "foo_%{somefield}" ]
      }
    }

    # You can also add multiple tags at once:
    filter {
      cipher {
        add_tag => [ "foo_%{somefield}", "taggedy_tag"]
      }
    }

If the event has field "somefield" == "hello" this filter, on success, would add a tag foo_hello (and the second example would of course add a taggedy_tag tag).

Disable or enable metric logging for this specific plugin instance. By default we record all the metrics we can, but you can disable metrics collection for a specific plugin.

Add a unique ID to the plugin configuration. If no ID is specified, Logstash will generate one. It is strongly recommended to set this ID in your configuration. This is particularly useful when you have two or more plugins of the same type, for example, if you have 2 cipher filters. Adding a named ID in this case will help in monitoring Logstash when using the monitoring APIs.

    filter {
      cipher {
        id => "ABC"
      }
    }

Call the filter flush method at regular interval. Optional.

If this filter is successful, remove arbitrary fields from this event. Fields names can be dynamic and include parts of the event using the %{field} Example:

    filter {
      cipher {
        remove_field => [ "foo_%{somefield}" ]
      }
    }

    # You can also remove multiple fields at once:
    filter {
      cipher {
        remove_field => [ "foo_%{somefield}", "my_extraneous_field" ]
      }
    }

If the event has field "somefield" == "hello" this filter, on success, would remove the field with name foo_hello if it is present. The second example would remove an additional, non-dynamic field.

If this filter is successful, remove arbitrary tags from the event. Tags can be dynamic and include parts of the event using the %{field} syntax.

Example:

    filter {
      cipher {
        remove_tag => [ "foo_%{somefield}" ]
      }
    }

    # You can also remove multiple tags at once:
    filter {
      cipher {
        remove_tag => [ "foo_%{somefield}", "sad_unwanted_tag"]
      }
    }

If the event has field "somefield" == "hello" this filter, on success, would remove the tag foo_hello if it is present. The second example would remove a sad, unwanted tag as well.