Plugin cipher & Value of a field

Florent_Fauvin · June 11, 2020, 1:24pm

Hello,

I am trying to use the value of a field, but I do not know why, I have the impression that the cipher plugin cannot read it. Could you help me figure out what's wrong please?

Below, I stored the value of "algorithm" in "[@metadata] [algorithm]" :

OK :

input { stdin { } }

filter {

  mutate {
    add_field => { "[@metadata][encrypted]" => "gKHInKhQooaPgF7m99B465HN4Wi5+ESCjq5LTc69h/I5+/fSsEbxGjk0NpiNrpH8" }
  }

  cipher {
    algorithm => "aes-256-cbc"
      iv_random_length => 16
      key => "12345678901234567890123456789012"
      key_size => 32
      mode => "decrypt"
      source => "[@metadata][encrypted]"
      target => "[@metadata][decrypted]"
  }
}

output { stdout { codec => rubydebug { metadata => true } } }

NOT OK :

input { stdin { } }

filter {

  mutate {
    add_field => { 
    "[@metadata][encrypted]" => "gKHInKhQooaPgF7m99B465HN4Wi5+ESCjq5LTc69h/I5+/fSsEbxGjk0NpiNrpH8" 
    "[@metadata][algorithm]" => "aes-256-cbc"
    }
  }

  cipher {
    algorithm => "%{[@metadata][algorithm]}"
      iv_random_length => 16
      key => "12345678901234567890123456789012"
      key_size => 32
      mode => "decrypt"
      source => "[@metadata][encrypted]"
      target => "[@metadata][decrypted]"
  }
}

output { stdout { codec => rubydebug { metadata => true } } }

Thank you so much,

Florent

Florent_Fauvin · June 11, 2020, 1:28pm

[ERROR] 2020-06-11 15:14:22.767 [[main]-pipeline-manager] javapipeline - Pipeline aborted due to error {:pipeline_id=>"main", :exception=>#<OpenSSL::Cipher::CipherError: unsupported cipher algorithm (%{[@METADATA][ALGORITHM]}/CBC/PKCS5Padding)>

Badger · June 11, 2020, 2:10pm

The cipher filter does not sprintf the algorithm. It just uses the literal value.

Florent_Fauvin · June 11, 2020, 2:14pm

What do you mean ?

I must write a "string" directly, and that I cannot use the value of a field ?

Badger · June 11, 2020, 2:19pm

That is correct. A reference to a field like

algorithm => "%{[@metadata][algorithm]}"

is called a sprintf reference, and the filter or output would resolve it by calling a method called sprintf. That is typically done on fields that the plugin is setting, not inputs to the plugin.

Florent_Fauvin · June 11, 2020, 2:24pm

OK !

I want to use cipher plugin more than once in my pipeline, and I don't want to write "algorithm / key / iv" every time. I wanted to centralize these parameters at the beginning of the file.

I feel like I can't do it, can I ?
Do you have another idea to avoid duplicating all these parameters throughout the file?

Badger · June 11, 2020, 3:13pm

No, I cannot think of a way to avoid the duplication.

system · July 9, 2020, 3:13pm

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
How do I encrypt multiple fields? Logstash	4	1458	April 28, 2018
Problem in using filter-cipher Logstash	3	1174	July 6, 2017
Cipher plugin binary key Logstash	1	243	July 9, 2020
Ruby filter plugin does not read new field values Logstash	9	567	October 3, 2021
Trying to decrypt data but it is not working as expected Logstash	5	117	February 26, 2024

Plugin cipher & Value of a field

Related topics