How do I encrypt multiple fields?

How do I encrypt multiple fields?

cipher {
  source => "field1"
  target => "field1"
}
cipher {
  source => "field2"
  target => "field2"
}
cipher {
  source => "field3"
  target => "field3"
}

Disclaimer: the cipher plugin was not authored by or audited by security professionals; as stated in the project license, you use it at your own risk.

The cipher plugin accepts a single string field as input for either encryption or decryption, and outputs to a single field as a string; if you wish for a more structured payload and have a nested structure at key foo, you can use something like the json_encode filter to create a string field that represents that structured data.

I prefer my field names to indicate to me what they hold, instead of overwriting, so I would do something like the following.

filter {
  # setup; placing a structured map in the event
  mutate {
    add_field => {
      "[foo][bar]" => "fubar"
      "[foo][baz]" => 17
    }
  }
  # `[foo]` is a map containing keys "bar" and "baz"

  json_encode {
    source => "[foo]"
    target => "[foo_json]"
    remove_field => "[foo]"
  }
  # `[foo_json]` is a string json representation of a map

  cipher {
    # ...
    source => "[foo_json]"
    target => "[foo_json_cipher]"
    remove_field => "[foo_json]"
  }
  # `[foo_json_cipher]` is a string representing the result of passing json through the cipher filter

}

This is what I'm trying to do. I can't seem to get any one of them encrypted.

if [type] == "route" {
  cipher {
    algorithm => "AES-256-CBC-HMAC-SHA256"
    iv_random_length => 16
    key => "xxxx"
    key_size => 32
    mode => "encrypt"
    source => "request_http_headers"
    target => "request_http_headers_enc"
    base64 => true
    max_cipher_reuse => 1000
  }
  cipher {
    algorithm => "AES-256-CBC-HMAC-SHA256"
    iv_random_length => 16
    key => "xxxxx"
    key_size => 32
    mode => "encrypt"
    source => "response_body"
    target => "response_body_enc"
    base64 => true
    max_cipher_reuse => 1000
  }
  cipher {
    algorithm => "AES-256-CBC-HMAC-SHA256"
    iv_random_length => 16
    key => "xxxxxx"
    key_size => 32
    mode => "encrypt"
    source => "request_body"
    target => "request_body_enc"
    base64 => true
    max_cipher_reuse => 1000
  }
  cipher {
    algorithm => "AES-256-CBC-HMAC-SHA256"
    iv_random_length => 16
    key => "xxxxxx"
    key_size => 32
    mode => "encrypt"
    source => "response_http_headers"
    target => "response_http_headers_enc"
    base64 => true
    max_cipher_reuse => 1000
  }
  json {
    source => "message"
    remove_field => ["message"]
  }
  mutate {
    remove_field => ["request_http_headers"]
  }
}

What is happening, and how is that different from what you expect?

  • Is AES-256-CBC-HMAC-SHA256 a supported algorithm, or supported way of referencing that algorithm on your system?
  • Do the logs reveal anything interesting?
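The two checks raised in this thread (whether an algorithm name is usable, and whether each source field is a string when the filter runs), as an added plain-Ruby example that is not code from the thread or from the cipher plugin. It assumes AES-256-CBC with a random IV prepended to the ciphertext and Base64-encoded; the helper names, sample event and key are constructed for illustration, and results under the system Ruby may differ from the JRuby that Logstash runs on.

```ruby
require "openssl"
require "base64"

# True if this Ruby's OpenSSL can instantiate the named cipher.
def cipher_supported?(name)
  OpenSSL::Cipher.new(name)
  true
rescue StandardError # exception class varies across openssl gem versions
  false
end

# Encrypt one string; output is Base64(random IV || ciphertext) (assumed layout).
def encrypt_field(plaintext, key, algorithm: "aes-256-cbc", iv_len: 16)
  cipher = OpenSSL::Cipher.new(algorithm).encrypt
  cipher.key = key
  iv = OpenSSL::Random.random_bytes(iv_len)
  cipher.iv = iv
  Base64.strict_encode64(iv + cipher.update(plaintext) + cipher.final)
end

# Reverse of encrypt_field: split off the IV, then decrypt the remainder.
def decrypt_field(encoded, key, algorithm: "aes-256-cbc", iv_len: 16)
  raw = Base64.strict_decode64(encoded)
  cipher = OpenSSL::Cipher.new(algorithm).decrypt
  cipher.key = key
  cipher.iv = raw[0, iv_len]
  (cipher.update(raw[iv_len..]) + cipher.final).force_encoding(Encoding::UTF_8)
end

# Encrypt each listed field into "<field>_enc"; returns fields skipped as absent or non-string.
def encrypt_fields(event, fields, key)
  skipped = fields.reject { |f| event[f].is_a?(String) && !event[f].empty? }
  (fields - skipped).each { |f| event["#{f}_enc"] = encrypt_field(event[f], key) }
  skipped
end

# Constructed sample event: one field is still a map, one is missing.
SAMPLE_EVENT = {
  "request_body" => '{"user":"alice"}',
  "response_body" => "ok",
  "request_http_headers" => { "Host" => "example.test" }
}.freeze
FIELDS = %w[request_http_headers response_body request_body response_http_headers].freeze

if __FILE__ == $PROGRAM_NAME
  %w[AES-256-CBC-HMAC-SHA256 aes-256-cbc].each { |n| puts "#{n}: supported=#{cipher_supported?(n)}" }
  puts "skipped: #{encrypt_fields(SAMPLE_EVENT.dup, FIELDS, OpenSSL::Random.random_bytes(32))}"
end
```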
