Trying to decrypt data but it is not working as expected

Elastic Stack Logstash
1

Below is my config
input {
file {
path => "C:/logstash-7.16.2/data/input/test*.json"
start_position => "beginning"
sincedb_path => "null"
}
}

filter {
json {
source => "message"
target => "document"
}
mutate {
add_field => {

									"Company"=>"%{[document][company]}"
									"Submit_Date_format"=>"%{[document][created_on]}"
									"Status_state"=>"%{[document][status]}"
									"Last_Modified_Date_format"=>"%{[document][updated_on]}"			
				}
		}
mutate{
	add_field => {
	"document_id" => "%{company}"						
				}
	}
ruby { code => 'event.set("decoded_company", Base64.decode64(event.get("Company"})))' }

}

output {
stdout { }
elasticsearch {
index => "client_test_index"
hosts => ["${ES_HOST}"]
action => "create"
doc_as_upsert => "true"
document_id => "%{document_id}"
}

}

I am getting encrypted few of the fields encrypted in JSON something like this
{"created_on":"2023-11-11 10:05:01","company":"41681857db9a79d0f7f9d278f49619d3","updated_on":"2023-11-16 10:05:01","status":"open"}

I am trying to decode company using ruby code
ruby { code => 'event.set("decoded_company", Base64.decode64(event.get("Company"})))' }

But in ES index i get decrypted values as below
"decoded_company" : "�7���7�^tm�9������ߗ�",

Please help me with this
I tried ciper plugin but it does not work for our current setup

Thanks in advance

2

This looks like a base16 value, not a base64 value. Are you sure it's base64?

3

@strawgate this is my first time working with encrypted data.
So not sure what exactly we need to do.
I have tried cipher plugin but that's out of scope for us .. so need approach to go ahead so tried this one. is there any way to convert it without using cipher plugin ?

4

I think the first thing you need to confirm is how your data is "encrypted". Base64 and Base16 are not methods of encryption, they are methods of encoding.

So the first question to figure out is, is your data encrypted or encoded? The second question is what algorithm/cipher is being used to encrypt or encode the data? Is there a decryption key?

Without the answers to these two questions it'll be difficult to assist.

5

Thanks @strawgate I'll get these details and then please help me with this

6

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.