Cipher filter plugin
editCipher filter plugin
edit- Plugin version: v4.0.1
- Released on: 2020-09-23
- Changelog
For other versions, see the Versioned plugin docs.
Installation
editFor plugins not bundled by default, it is easy to install by running bin/logstash-plugin install logstash-filter-cipher
. See Working with plugins for more details.
Getting Help
editFor questions about the plugin, open a topic in the Discuss forums. For bugs or feature requests, open an issue in Github. For the list of Elastic supported plugins, please consult the Elastic Support Matrix.
Description
editThis filter parses a source and apply a cipher or decipher before storing it in the target.
Prior to version 4.0.1, this plugin was not thread-safe and could not safely be used with multiple pipeline workers.
Cipher Filter Configuration Options
editThis plugin supports the following configuration options plus the Common Options described later.
Setting | Input type | Required |
---|---|---|
Yes |
||
No |
||
No |
||
No |
||
No |
||
No |
||
No |
||
No |
||
Yes |
||
No |
||
No |
Also see Common Options for a list of options supported by all filter plugins.
algorithm
edit- This is a required setting.
- Value type is string
- There is no default value for this setting.
The cipher algorithm to use for encryption and decryption operations.
A list of supported algorithms depends on the versions of Logstash, JRuby, and Java this plugin is running in, but can be obtained by running:
cd $LOGSTASH_HOME # <-- your Logstash distribution root bin/ruby -ropenssl -e 'puts OpenSSL::Cipher.ciphers'
base64
edit- Value type is boolean
-
Default value is
true
-
Unless this option is disabled:
-
When
mode => encrypt
, the source ciphertext will bebase64
-decoded before it is deciphered. -
When
mode => decrypt
, the result ciphertext will bebase64
-encoded before it is stored.
-
When
cipher_padding
edit-
Value type is string
-
0
: meansfalse
-
1
: meanstrue
-
- There is no default value for this setting.
Enables or disables padding in encryption operations.
In encryption operations with block-ciphers, the input plaintext must be an exact multiple of the cipher’s block-size unless padding is enabled.
Disabling padding by setting this value to 0
will cause this plugin to
fail to encrypt any input plaintext that doesn’t strictly adhere to the
algorithm
's block size requirements.
filter { cipher { cipher_padding => 0 }}
iv_random_length
edit- Value type is number
- There is no default value for this setting.
In encryption operations, this plugin generates a random Initialization Vector (IV) per encryption operation. This is a standard best-practice to ensure that the resulting ciphertexts cannot be compared to infer equivalence of the source plaintext. This unique IV is then prepended to the resulting ciphertext before it is stored, ensuring it is available to any process that needs to decrypt it.
In decryption operations, the IV is assumed to have been prepended to the ciphertext, so this plugin needs to know the length of the IV in order to split the input appropriately.
The size of the IV is generally dependent on which algorithm
is used. AES Algorithms generally use a 16-byte IV:
filter { cipher { iv_random_length => 16 }}
key
edit- Value type is string
- There is no default value for this setting.
The key to use for encryption and decryption operations.
If you encounter an error message at runtime containing the following:
"java.security.InvalidKeyException: Illegal key size: possibly you need to install Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for your JRE"
Please read the following: https://github.com/jruby/jruby/wiki/UnlimitedStrengthCrypto
key_pad
edit- Value type is string
-
Default value is
"\u0000"
The character used to pad the key to the required key_size
.
key_size
edit- Value type is number
-
Default value is
16
The cipher’s required key size, which depends on which algorithm
you are using. If a key
is specified with a shorter value,
it will be padded with key_pad
.
Example, for AES-128, we must have 16 char long key. AES-256 = 32 chars
filter { cipher { key_size => 16 }
max_cipher_reuse
edit- Value type is number
-
Default value is
1
If this value is set, the internal Cipher instance will be
re-used up to max_cipher_reuse
times before it is re-created
from scratch. This is an option
for efficiency where lots of data is being encrypted
and decrypted using this filter. This lets the filter
avoid creating new Cipher instances over and over
for each encrypt/decrypt operation.
This is optional, the default is no re-use of the Cipher instance and max_cipher_reuse = 1 by default
filter { cipher { max_cipher_reuse => 1000 }}
mode
edit- This is a required setting.
-
Value type is string
-
encrypt
: encrypts a plaintext value into IV + ciphertext -
decrypt
: decrypts an IV + ciphertext value into plaintext
-
- There is no default value for this setting.
source
edit- Value type is string
-
Default value is
"message"
The name of the source field.
-
When
mode => encrypt
, thesource
should be a field containing plaintext -
When
mode => decrypt
, thesource
should be a field containing IV + ciphertext
Example, to use the message
field (default) :
filter { cipher { source => "message" } }
target
edit- Value type is string
-
Default value is
"message"
The name of the target field to put the result:
-
When
mode => encrypt
, the IV + ciphertext result will be stored in thetarget
field -
When
mode => decrypt
, the plaintext result will be stored in thetarget
field
Example, to place the result into crypt:
filter { cipher { target => "crypt" } }
Common Options
editThe following configuration options are supported by all filter plugins:
Setting | Input type | Required |
---|---|---|
No |
||
No |
||
No |
||
No |
||
No |
||
No |
||
No |
add_field
edit- Value type is hash
-
Default value is
{}
If this filter is successful, add any arbitrary fields to this event.
Field names can be dynamic and include parts of the event using the %{field}
.
Example:
filter { cipher { add_field => { "foo_%{somefield}" => "Hello world, from %{host}" } } }
# You can also add multiple fields at once: filter { cipher { add_field => { "foo_%{somefield}" => "Hello world, from %{host}" "new_field" => "new_static_value" } } }
If the event has field "somefield" == "hello"
this filter, on success,
would add field foo_hello
if it is present, with the
value above and the %{host}
piece replaced with that value from the
event. The second example would also add a hardcoded field.
add_tag
edit- Value type is array
-
Default value is
[]
If this filter is successful, add arbitrary tags to the event.
Tags can be dynamic and include parts of the event using the %{field}
syntax.
Example:
filter { cipher { add_tag => [ "foo_%{somefield}" ] } }
# You can also add multiple tags at once: filter { cipher { add_tag => [ "foo_%{somefield}", "taggedy_tag"] } }
If the event has field "somefield" == "hello"
this filter, on success,
would add a tag foo_hello
(and the second example would of course add a taggedy_tag
tag).
enable_metric
edit- Value type is boolean
-
Default value is
true
Disable or enable metric logging for this specific plugin instance. By default we record all the metrics we can, but you can disable metrics collection for a specific plugin.
id
edit- Value type is string
- There is no default value for this setting.
Add a unique ID
to the plugin configuration. If no ID is specified, Logstash will generate one.
It is strongly recommended to set this ID in your configuration. This is particularly useful
when you have two or more plugins of the same type, for example, if you have 2 cipher filters.
Adding a named ID in this case will help in monitoring Logstash when using the monitoring APIs.
filter { cipher { id => "ABC" } }
Variable substitution in the id
field only supports environment variables
and does not support the use of values from the secret store.
periodic_flush
edit- Value type is boolean
-
Default value is
false
Call the filter flush method at regular interval. Optional.
remove_field
edit- Value type is array
-
Default value is
[]
If this filter is successful, remove arbitrary fields from this event. Fields names can be dynamic and include parts of the event using the %{field} Example:
filter { cipher { remove_field => [ "foo_%{somefield}" ] } }
# You can also remove multiple fields at once: filter { cipher { remove_field => [ "foo_%{somefield}", "my_extraneous_field" ] } }
If the event has field "somefield" == "hello"
this filter, on success,
would remove the field with name foo_hello
if it is present. The second
example would remove an additional, non-dynamic field.
remove_tag
edit- Value type is array
-
Default value is
[]
If this filter is successful, remove arbitrary tags from the event.
Tags can be dynamic and include parts of the event using the %{field}
syntax.
Example:
filter { cipher { remove_tag => [ "foo_%{somefield}" ] } }
# You can also remove multiple tags at once: filter { cipher { remove_tag => [ "foo_%{somefield}", "sad_unwanted_tag"] } }
If the event has field "somefield" == "hello"
this filter, on success,
would remove the tag foo_hello
if it is present. The second example
would remove a sad, unwanted tag as well.