Logstash Fingerprint Plugin Target Unchanged

Cheese · February 1, 2024, 5:45am

HI all,

Needing some help with using the Fingerprint plugin.

I use the fingerprint plugin to generate a SHA-1 signature using a base string and a key. My logstash config file is like so:

mutate {
  add_field {
    "signature" => ""
    "signature_key" => XYZ
    "base_string" => ABC&DEF&GHI
  }
}

...

  fingerprint {
    ecs_compatibility => "disabled"
    method => "SHA1"
    key => "%{signature_key}"
    source => ["%{base_string}"]
    target => "signature"
    add_field => { "sha_success" => "yay" }
  }

...

output {
    stdout { codec => rubydebug }
}

Upon inspection in the terminal when running the config file:

"signature" => ""
...
"sha_success" => "yay"

when I am expecting "signature" to be.. a signature.

Is there something wrong with how I am calling the fingerprint plugin?

EDIT: I am using Logstash 8.11.1, tested on Logstash 8.12 and same outcome

leandrojmp · February 1, 2024, 10:37am

Cheese:

  fingerprint {
    ecs_compatibility => "disabled"
    method => "SHA1"
    key => "%{signature_key}"
    source => ["%{base_string}"]
    target => "signature"
    add_field => { "sha_success" => "yay" }
  }

The source option needs to be the field name.

The name(s) of the source field(s) whose contents will be used to create the fingerprint.

So you should use it like this:

source => ["base_string"]

Also, I'm not sure that using %{signature_key} in the key option would get the value of the signature_key or use the literal value of %{signature_key} as the key, didn't look at the code to confirm, not every option in every filter will support sprintf of fields.

I would use the key directly in the filter to avoid any mistakes, you there is no need to create an empty signature field.

Badger · February 1, 2024, 6:32pm

Yes. Adding to what Leandro said, the filter does not sprintf the value of the source option. It just iterates over the members of the array. If no such field exists then the filter is a no-op.

It also does not sprintf the key option. But I would question why you are using the key option at all. Do you really need a message authentication code rather than a hash? A key is a shared secret that the receiver of the fingerprint can use to authenticate it. If you just need a hash then do not set the key option.

Cheese · February 1, 2024, 9:44pm

Hi all, thanks for the response I was indeed using the source field incorrectly. For context I am trying to use OAUth1 to generate a SHA1 signature within Logstash

system · February 29, 2024, 9:44pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
[Solved] Fingerprint does not work as expected II Logstash	7	2383	July 6, 2017
Logstash and fingerprint Logstash	2	30	July 24, 2024
Query about Fingerprinting plugin - What exactly does it include when source is set to one field? Logstash	1	560	September 29, 2017
Fingerprint plugin not working properly Logstash	5	165	April 5, 2024
Fingerprint option in logstash filter not working properly? Logstash	10	933	February 21, 2022

Logstash Fingerprint Plugin Target Unchanged

Related Topics