For other versions, see theVersioned plugin docs.
For plugins not bundled by default, it is easy to install by running bin/logstash-plugin install logstash-filter-cipher
. See Working with plugins for more details.
For questions about the plugin, open a topic in the Discuss forums. For bugs or feature requests, open an issue in Github.For the list of Elastic supported plugins, please consult the Elastic Support Matrix.
This filter parses a source and apply a cipher or decipher beforestoring it in the target.
This plugin supports the following configuration options plus the Common Options described later.
Setting | Input type | Required |
---|---|---|
Yes |
||
No |
||
No |
||
No |
||
No |
||
<<,>> |
No |
|
No |
||
No |
||
Yes |
||
No |
||
No |
Also see Common Options for a list of options supported by allfilter plugins.
The cipher algorithm
A list of supported algorithms can be obtained by
puts OpenSSL::Cipher.ciphers
true
Do we have to perform a base64
decode or encode?
If we are decrypting, base64
decode will be done before.If we are encrypting, base64
will be done after.
Cipher padding to use. Enables or disables padding.
By default encryption operations are padded using standard block paddingand the padding is checked and removed when decrypting. If the padparameter is zero then no padding is performed, the total amount of dataencrypted or decrypted must then be a multiple of the block size or anerror will occur.
See EVP_CIPHER_CTX_set_padding for further information.
We are using Openssl jRuby which uses default padding to PKCS5PaddingIf you want to change it, set this parameter. If you want to disableit, Set this parameter to 0
filter { cipher { cipher_padding => 0 }}
Force an random IV to be used per encryption invocation and specifythe length of the random IV that will be generated via:
OpenSSL::Random.random_bytes(int_length)
If iv_random_length is set, it takes precedence over any value set for "iv"
Enabling this will force the plugin to generate a uniquerandom IV for each encryption call. This random IV will be prepended to theencrypted result bytes and then base64 encoded. On decryption "iv_random_length" mustalso be set to utilize this feature. Random IV’s are better than staticallyhardcoded IVs
For AES algorithms you can set this to a 16
filter { cipher { iv_random_length => 16 }}
The key to use
If you encounter an error message at runtime containing the following:
"java.security.InvalidKeyException: Illegal key size: possibly you need to installJava Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files for your JRE"
Please read the following: https://github.com/jruby/jruby/wiki/UnlimitedStrengthCrypto
16
The key size to pad
It depends of the cipher algorithm. If your key doesn’t needpadding, don’t set this parameter
Example, for AES-128, we must have 16 char long key. AES-256 = 32 chars
filter { cipher { key_size => 16 }
1
If this is set the internal Cipher instance will bere-used up to @max_cipher_reuse times before beingreset() and re-created from scratch. This is an optionfor efficiency where lots of data is being encryptedand decrypted using this filter. This lets the filteravoid creating new Cipher instances over and overfor each encrypt/decrypt operation.
This is optional, the default is no re-use of the Cipherinstance and max_cipher_reuse = 1 by default
filter { cipher { max_cipher_reuse => 1000 }}
Encrypting or decrypting some data
Valid values are encrypt or decrypt
"message"
The field to perform filter
Example, to use the @message field (default) :
filter { cipher { source => "message" } }
"message"
The name of the container to put the result
Example, to place the result into crypt :
filter { cipher { target => "crypt" } }
The following configuration options are supported by all filter plugins:
Setting | Input type | Required |
---|---|---|
No |
||
No |
||
No |
||
No |
||
No |
||
No |
||
No |
{}
If this filter is successful, add any arbitrary fields to this event.Field names can be dynamic and include parts of the event using the %{field}
.
Example:
filter { cipher { add_field => { "foo_%{somefield}" => "Hello world, from %{host}" } }}
# You can also add multiple fields at once:filter { cipher { add_field => { "foo_%{somefield}" => "Hello world, from %{host}" "new_field" => "new_static_value" } }}
If the event has field "somefield" == "hello"
this filter, on success,would add field foo_hello
if it is present, with thevalue above and the %{host}
piece replaced with that value from theevent. The second example would also add a hardcoded field.
[]
If this filter is successful, add arbitrary tags to the event.Tags can be dynamic and include parts of the event using the %{field}
syntax.
Example:
filter { cipher { add_tag => [ "foo_%{somefield}" ] }}
# You can also add multiple tags at once:filter { cipher { add_tag => [ "foo_%{somefield}", "taggedy_tag"] }}
If the event has field "somefield" == "hello"
this filter, on success,would add a tag foo_hello
(and the second example would of course add a taggedy_tag
tag).
true
Disable or enable metric logging for this specific plugin instanceby default we record all the metrics we can, but you can disable metrics collectionfor a specific plugin.
Add a unique ID
to the plugin configuration. If no ID is specified, Logstash will generate one.It is strongly recommended to set this ID in your configuration. This is particularly usefulwhen you have two or more plugins of the same type, for example, if you have 2 cipher filters.Adding a named ID in this case will help in monitoring Logstash when using the monitoring APIs.
filter { cipher { id => "ABC" }}
false
Call the filter flush method at regular interval.Optional.
[]
If this filter is successful, remove arbitrary fields from this event.Example:
filter { cipher { remove_field => [ "foo_%{somefield}" ] }}
# You can also remove multiple fields at once:filter { cipher { remove_field => [ "foo_%{somefield}", "my_extraneous_field" ] }}
If the event has field "somefield" == "hello"
this filter, on success,would remove the field with name foo_hello
if it is present. The secondexample would remove an additional, non-dynamic field.
[]
If this filter is successful, remove arbitrary tags from the event.Tags can be dynamic and include parts of the event using the %{field}
syntax.
Example:
filter { cipher { remove_tag => [ "foo_%{somefield}" ] }}
# You can also remove multiple tags at once:filter { cipher { remove_tag => [ "foo_%{somefield}", "sad_unwanted_tag"] }}
If the event has field "somefield" == "hello"
this filter, on success,would remove the tag foo_hello
if it is present. The second examplewould remove a sad, unwanted tag as well.