Variable string empty in ruby filter

Hello,

I am using ELK 5.6 (for several reasons)

I don't succeed in assigning a string variable using this Ruby code:

```ruby
s = event.get("[sigfox][data]")
# With capturing groups, split returns ["", pack_id, counter, ciphertext]
tab = s.split(/(\w{2})(\w{2})(\w{20})/)

pack_id      = tab[1]
aes_cnt      = tab[2]
data_enc     = tab[3]

# 16-byte IV as hex: the one-byte counter repeated 16 times
aes_iv = ""
for i in 1..16 do
  aes_iv = aes_iv + aes_cnt
end
#puts aes_iv

decipher = OpenSSL::Cipher::AES.new(128, :CTR)
decipher.decrypt

key = "0F93FE9F47266737B2981718E71D2FAA"
iv  = aes_iv

# convert the hex strings to raw bytes
key_bytes = [key].pack("H*")
decipher.key = key_bytes
event.set("[dkey]", key_bytes)   # debug only: this writes the raw key into the event

iv_bytes = [iv].pack("H*")
decipher.iv = iv_bytes
event.set("[d4]", iv_bytes)

data = [data_enc].pack("H*")
event.set("[data]", data)

#plain = decipher.update(data) + decipher.final
plain = decipher.update(data)
#plain = decipher.final

data_decoded = plain.unpack("H*").first
event.set("[data_decoded]", data_decoded)
```

=> the data_decoded field in Elasticsearch is empty

Using the same code outside Logstash in a pure Ruby script, it works, so I guess the problem is located in the event.set method.

```ruby
#!/usr/bin/ruby
#
require 'openssl'
require 'base64'

s = "c03e9f1ca2d995d26263ed1d"
# With capturing groups, split returns ["", pack_id, counter, ciphertext]
tab = s.split(/(\w{2})(\w{2})(\w{20})/)
pack_id = tab[1]
aes_cnt = tab[2]
data_enc = tab[3]
puts pack_id
puts aes_cnt
puts data_enc

# 16-byte IV as hex: the one-byte counter repeated 16 times
aes_iv = ""
for i in 1..16 do
  aes_iv = aes_iv + aes_cnt
end

#puts aes_iv
decipher = OpenSSL::Cipher::AES.new(128, :CTR)
decipher.decrypt
key = "0F93FE9F47266737B2981718E71D2FAA"
iv = aes_iv

# convert the hex strings to raw bytes
decipher.key = [key].pack("H*")
decipher.iv = [iv].pack("H*")
data = [data_enc].pack("H*")
plain = decipher.update(data)
#plain = decipher.final
data_decoded = plain.unpack("H*").first
puts data_decoded
```

Results:

```
]# ./script.rb
test
c0
3e
9f1ca2d995d26263ed1d
4020e69600000000f075
f075
00000000
96
e6
4020
38630 => 'data_decoded' variable
```

Any idea?

BR

I have added a test:

```ruby
if plain.empty?
  data_decoded = 'empty'
elsif plain.strip.empty?   # String#blank? is ActiveSupport, not core Ruby
  data_decoded = 'blank'
else
  data_decoded = plain.unpack('H*').first
end
```

Result:

If I use this line only:
`plain = decipher.update(data)`
I got no Ruby error, but the field is empty:
`"data_decoded" => "empty",`

If I use this line:
`plain = decipher.update(data) + decipher.final`
I got a Ruby error:
`Ruby exception occurred: last block incomplete in decryption`

Don't know how to solve this.
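As an added example (not code from the thread), the decryption step below is rewritten as a stand-alone Ruby script with a round-trip self-check. It assumes the frame layout the post describes (2 hex chars pack id, 2 hex chars counter byte, 20 hex chars ciphertext) and the post's IV derivation (the counter byte repeated 16 times); the key is a constructed placeholder, not the one from the thread. It uses `OpenSSL::Cipher.new("aes-128-ctr")`, which, as a stream mode, decrypts a 10-byte ciphertext without padding and returns an empty string from `final`, and it returns nil on a malformed payload instead of raising when the split yields nil.

```ruby
require 'openssl'

# Constructed 16-byte AES-128 key in hex (placeholder, not the thread's key).
EXAMPLE_KEY_HEX = "00112233445566778899aabbccddeeff"

# Frame layout from the post: pack id (1 byte), counter (1 byte), ciphertext (10 bytes), all hex.
FRAME_RE = /\A(\h{2})(\h{2})(\h{20})\z/

# Split the hex payload into its fields; nil on malformed input.
def parse_frame(hex)
  m = FRAME_RE.match(hex.to_s)
  return nil unless m
  { pack_id: m[1], aes_cnt: m[2], data_enc: m[3] }
end

# IV derivation used in the thread: the one-byte counter repeated 16 times.
def derive_iv(aes_cnt_hex)
  [aes_cnt_hex * 16].pack("H*")
end

# Decrypt one frame and return the plaintext as hex (nil if the frame is malformed).
def decrypt_frame(hex, key_hex)
  frame = parse_frame(hex)
  return nil unless frame
  c = OpenSSL::Cipher.new("aes-128-ctr")
  c.decrypt
  c.key = [key_hex].pack("H*")
  c.iv  = derive_iv(frame[:aes_cnt])
  plain = c.update([frame[:data_enc]].pack("H*"))
  tail  = c.final          # CTR has no padding: final contributes nothing
  (plain + tail).unpack("H*").first
end

# Encrypt side, used only to build a known-good frame for the round-trip check.
def encrypt_frame(pack_id_hex, aes_cnt_hex, plain_hex, key_hex)
  c = OpenSSL::Cipher.new("aes-128-ctr")
  c.encrypt
  c.key = [key_hex].pack("H*")
  c.iv  = derive_iv(aes_cnt_hex)
  ct = c.update([plain_hex].pack("H*")) + c.final
  pack_id_hex + aes_cnt_hex + ct.unpack("H*").first
end

if __FILE__ == $0
  # Constructed plaintext; the frame is built locally, then decrypted again.
  frame = encrypt_frame("c0", "3e", "4020e69600000000f075", EXAMPLE_KEY_HEX)
  puts "frame:     #{frame}"
  puts "decrypted: #{decrypt_frame(frame, EXAMPLE_KEY_HEX)}"
  p decrypt_frame("c03e9f1c", EXAMPLE_KEY_HEX)   # nil: too short to match
end
```

Running this under MRI shows the plaintext coming back from `update` alone, with `final` empty. If the same frame yields an empty `update` result inside a Logstash ruby filter, the difference lies in the runtime's OpenSSL implementation rather than in `event.set`, so testing the script under the JRuby bundled with the Logstash version in use is the quickest way to separate the two.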

Just tested on a recent version of ELK and it works.
So I have my root cause.
