Logstash and fingerprint

vincent2mots · July 24, 2024, 8:38am

Hi there!

I would like to use the fingerprint plugin to manage the authenticity of a document.

When I try to use the the fingerprint on the field agent, it works well :

  fingerprint {
	source => ["agent"]
	concatenate_sources => false
	method => "SHA256"
	target => "hash"
  }

I can compare the hash field with the agent field and it works.

However, when I try with the message field, the value is not what I expected :

  fingerprint {
	source => ["message"]
	concatenate_sources => false
	method => "SHA256"
	target => "hash"
  }

The value of the message field :

66.249.73.135 - - [20/May/2015:21:05:59 +0000] "GET /blog/tags/wine HTTP/1.1" 200 10021 "-" "Mozilla/5.0 (iPhone; CPU iPhone OS 6_0 like Mac OS X) AppleWebKit/536.26 (KHTML, like Gecko) Version/6.0 Mobile/10A5376e Safari/8536.25 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"

The fingerpring generated by Logstash :

cd1b4eeae9d2935f28f19ebee811cb6a4fcf57269a8abb1535ba5a033fae11a3

The fingerprint made from an online tool to compare :

1fdc3bcf0be34ec29817e7d5fd19262febd0cba1dd4633f2e5f239d1935a1cbf

Why there is a difference? Am I missing something?

Best regards,

Badger · July 24, 2024, 12:36pm

Your input file has DOS line endings and your message field has \r at the end of it. That results in the "cd1b...11a3" hash. Try

mutate { gsub => [ "message", "\r", "" ] }

vincent2mots · July 24, 2024, 12:51pm

Thanks @Badger , it was that!