How can we decrypt JWT based cookies in logstash and


(salil) #1

I have nginx logs in JSON format which have an encoded JWT auth_cookie field. How can I parse the auth_cookie field in Logstash so I can parse the auth_email value from the auth_cookie field and send it to Elasticsearch? I checked https://www.elastic.co/guide/en/logstash/current/plugins-filters-cipher.html. I am not sure how we can use this.
My log format is:

{ "@version": "1", "@timestamp": "2018-06-06T20:27:29+00:00", "auth_cookie": "JWT_COOKIE=eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1NiIsImtpZCI6ImRldiJ9.eyJleHAiOjE1MjgzMjgzNDQsInN1YiI6ImFsZXgucG9tYXRhQGhwZS5jb20iLCJyb2xlcyI6WyJhZG1pbiJdLCJ0ZW5hbnRzIjpbImhwIl0sImF1dGhlbnRpY2F0b3IiOiJsZGFwIiwicHJvZmlsZUlkIjoiIiwibmFtZSI6IkFsZXggUG9tYXRhIiwiZW1haWwiOiJhbGV4LnBvbWF0YUBocGUuY29tIiwidmVyaWZpZWRFbWFpbCI6ImFsZXgucG9tYXRhQGhwZS5jb20iLCJ1c2VySWQiOiJhbGV4LnBvbWF0YUBocGUuY29tIiwiYXV0aFR5cGUiOiJ1c2VyIiwiYWNjZXNzS2V5IjoiIiwiaXNzIjoiaW5mb3NpZ2h0LmF1dGgiLCJpYXQiOjE1MjgyODUxNDQsIm5iZiI6MTUyODI0MTk0NH0.tpkOwJhm_I328k8gLuSHN8wH-3qTjjkZ5E4hlRIpQ-2kYHOyf-QOOscYAjECFpZbV8Y9NXnih6XejLyJBfkdSKl_HH4n4nFblE-vAYmbhm-BU_dRNCaRGExk6Sbe5IC9DZ5D-xtwT40j8-EQkQ8c0SVnkbZUP0BvXkn0LwruLKSKsZ3-UYwMR30Gc822lcK8tm3oV3ZjLVIrB-IyZcvJ8iLx9cQ14tdKtFEJE79JdB5dcOHfpRDQktSLoKyIGPBuK-0RF50REdaeC3d919Kv6vcJBr21iS-TET6dhSP3u3jlmN68I-LqGBhVsxpk6LVFw6fHJmWnX8nENHelvntfiw; SESSION=8bf2b132-8350-4d1e-a2db-0dfcb1b93418", "auth_set_cookie": "", "http_accept_language": "en-US,en;q=0.9", "http_client_ip": "16.200.16.61", "http_client_user": "-", "http_host": "dev.infosight.abc.com", "http_method": "GET", "http_request_bytes": "1813", "http_request_secs": "0.016", "http_request_uri": "/auth/user/profile", "http_request_path": "/auth/user/profile", "http_request_query": "-", "http_response_bytes": "715", "http_response_content_type": "application/json", "http_referrer": "https://localhost:9090/infrastructure/storage/storeserv/systems/1203859/1203859/overview?f_sort=status.score%3Adesc&f_q=capacity.total.freeTiB%3A>%3D97%20system.location.region%3AAPJ%20system.osVersion%3A"2.3.1.298%20(MU3)"%20system.osVersion%3A"3.1.1.448%20(MU3)"", "http_scheme": "https", "http_status": "200", "http_user_agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_13_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/66.0.3359.181 Safari/537.36", "http_version": "HTTP/1.1" }
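
An added example, not part of the original post: the header of the token in the log line above declares `RS256`, so the cookie is a signed JWT rather than an encrypted one, and its payload is plain base64url-encoded JSON that needs no cipher filter. The Ruby below decodes it and is laid out so the file can be loaded by the Logstash `ruby` filter through its `path` option. The names `auth_cookie`, `JWT_COOKIE` and the `email` claim come from that log line, `auth_email` is the field the question asks for, and the sample token is constructed.

```ruby
require "base64"
require "json"

# Return the claims Hash of the named JWT cookie, or nil if absent or malformed.
# The signature is NOT verified: treat the claims as untrusted log metadata.
def jwt_claims(cookie_header, cookie_name = "JWT_COOKIE")
  return nil unless cookie_header.is_a?(String)
  pair = cookie_header.split(/;\s*/).find { |c| c.start_with?("#{cookie_name}=") }
  return nil unless pair
  segments = pair.split("=", 2)[1].split(".")
  return nil unless segments.length == 3 # header.payload.signature
  payload = segments[1]
  payload += "=" * ((4 - payload.length % 4) % 4) # restore stripped base64url padding
  claims = JSON.parse(Base64.urlsafe_decode64(payload).force_encoding("UTF-8"))
  claims.is_a?(Hash) ? claims : nil
rescue ArgumentError, JSON::ParserError
  nil # invalid base64 or invalid JSON in the payload segment
end

# Entry point Logstash calls when this file is loaded with ruby { path => "..." }.
def filter(event)
  claims = jwt_claims(event.get("auth_cookie"))
  if claims && claims["email"].is_a?(String)
    event.set("auth_email", claims["email"])
  end
  # The raw cookie is a usable credential until it expires; do not index it.
  event.remove("auth_cookie")
  [event]
end

# Constructed sample (not the token from the post); the signature is a dummy.
def sample_cookie
  enc = ->(h) { Base64.urlsafe_encode64(JSON.generate(h), padding: false) }
  jwt = [enc.({ "alg" => "RS256", "typ" => "JWT" }),
         enc.({ "sub" => "user@example.com", "email" => "user@example.com" }),
         "c2lnbmF0dXJl"].join(".")
  "JWT_COOKIE=#{jwt}; SESSION=constructed-session-id"
end

puts jwt_claims(sample_cookie)["email"] if __FILE__ == $PROGRAM_NAME
```

Because the signature is not checked here, `auth_email` is only as trustworthy as the upstream service that accepted the cookie, so requests that service rejected can carry any value in this field.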

