Logstash Fingerprint Plugin Target Unchanged

HI all,

Needing some help with using the Fingerprint plugin.

I use the fingerprint plugin to generate a SHA-1 signature using a base string and a key. My logstash config file is like so:

mutate {
  add_field {
    "signature" => ""
    "signature_key" => XYZ
    "base_string" => ABC&DEF&GHI
  }
}

...

  fingerprint {
    ecs_compatibility => "disabled"
    method => "SHA1"
    key => "%{signature_key}"
    source => ["%{base_string}"]
    target => "signature"
    add_field => { "sha_success" => "yay" }
  }

...

output {
    stdout { codec => rubydebug }
}

Upon inspection in the terminal when running the config file:

"signature" => ""
...
"sha_success" => "yay"

when I am expecting "signature" to be.. a signature.

Is there something wrong with how I am calling the fingerprint plugin?

EDIT: I am using Logstash 8.11.1, tested on Logstash 8.12 and same outcome

The source option needs to be the field name.

The name(s) of the source field(s) whose contents will be used to create the fingerprint.

So you should use it like this:

source => ["base_string"]

Also, I'm not sure that using %{signature_key} in the key option would get the value of the signature_key or use the literal value of %{signature_key} as the key, didn't look at the code to confirm, not every option in every filter will support sprintf of fields.

I would use the key directly in the filter to avoid any mistakes, you there is no need to create an empty signature field.

Yes. Adding to what Leandro said, the filter does not sprintf the value of the source option. It just iterates over the members of the array. If no such field exists then the filter is a no-op.

It also does not sprintf the key option. But I would question why you are using the key option at all. Do you really need a message authentication code rather than a hash? A key is a shared secret that the receiver of the fingerprint can use to authenticate it. If you just need a hash then do not set the key option.

Hi all, thanks for the response :slight_smile: I was indeed using the source field incorrectly. For context I am trying to use OAUth1 to generate a SHA1 signature within Logstash

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.