We are using Logstash (8.11.3) in our monitoring to receive data from different source systems (via Filebeat, Metricbeat, and Winlogbeat). On the Logstash side, we are using a persistent queue. Logstash persistent queues store events on disk, which is "at rest".
Recently, a security audit was conducted in our organization, and it was required to mask the content stored in the persistent queue files.
As per the current setup, a user with root privileges can read (cat the page file) information from the persistent queue files.
Is there any functionality or feature available in Logstash that can help us mask the content that will be stored in the persistent queue files?
If you need to protect against a privileged user reading the files then it's not something a tool like logstash can do. You need an OS designed from the ground up to protect against this. For example, some systems can specify which executables can access a file, what time of day or day of the week they can do it, and which users can run the executable. But that is all external to logstash.