Remove password but keep username in http authorization header

Is it possible to strip out the password from the authorization header but retain the username somehow? I use basic auth for some web apps and want to keep the username of who is accessing but strip out the password from being saved/sent over the wire more.

No, this is currently not possible. Feel free to add an enhancement request to github.com/elastic/beats or create a PR.

There is the redact_authorization configuration option that removes the entire header (Authorization and Proxy-Authorization), not only the password.

Additionally it is possible to censor all the passwords from the request URI and the attached form by using hide_keywords configuration option. We could extend this feature to censor also the headers. Please open a feature request here.

Another option would be to use the grok patterns from Logstash to censor the password and keep the username from the Authorization header. You can configure Packetbeat to send the data compressed and encrypted to Logstash by configuring TLS. I hope this helps!

Thanks, this is what i ended up doing. I didn't test much but for completeness/efficiency (colon in password?) but here is for anyone else what i started with, most stolen from around the web that i forgot where i got it from.

filter {
if [http][request_headers][authorization] =~ /^Basic/ {
grok {
match => ["[http][request_headers][authorization]", "Basic %{GREEDYDATA:b64}"]
}
ruby {
init => "require 'base64'"
code => "event['b64_decoded'] = Base64.decode64(event['b64']) if event.include?('b64')"
}
mutate {
gsub => [ "b64_decoded", ":.*", "" ]
}
mutate {
update => { "[http][request_headers][authorization]" => "%{b64_decoded}" }
remove_field => [ "b64_decoded", "b64" ]
}
}
}
}