logstash-plugins/logstash-filter-cipher

logstash 1.5.4 cipher doesn't work

evarrica opened this issue · 2 comments

Hi,
I use logstash 1.5.4 and I have a problem with the cipher plugin in decrypt mode.
Every time, the filter doesn't work, and with verbose mode set the agent shows the following message:

I tried different messages as input and also just one word:
I tried encrypt and decrypt in two cases: in the same agent or in different agents.
In the same agent the filter code is:

filter {
    cipher {
        algorithm => "aes-256-cbc"
        key => "12345678901234567890123456789012"
        mode => "encrypt"
        source => "message"
        target => "message_crypted"
        add_field => { "crypted" => "TRUE" }
        base64 => true
    }

    cipher {
        algorithm => "aes-256-cbc"
        key => "12345678901234567890123456789012"
        mode => "decrypt"
        source => "message_crypted"
        target => "message_uncrypted"
        add_field => { "encrypted" => "TRUE" }
        base64 => true
    }
}

I tried different combinations but the result is always the same, and I don't understand if the problem is in the encrypt or decrypt:

with encryption I obtain this result:

original message: <13>root: [22120]: LENGTH: "323" SESSIONID:[8] "29180120" ENTRYID:[1] "1" STATEMENT:[1] "1" USERID:[8] "ECARLINI" USERHOST:[16] "INTERNO\ECARLINI" TERMINAL:[8] "ECARLINI" ACTION:[3] "100" RETURNCODE:[4] "1017" COMMENT$TEXT:[98] "Authenticated by: DATABASE; Client address: (ADDRESS=(PROTOCOL=tcp)(HOST=10.2.131.26)(PORT=50340))" OS$USERID:[8] "ecarlini"

crypted on console: \x190^G\x85\x16}\xA9#\xB8\xEC\xA5Z\xBF7\xF29\xC4k%H\xBA\x01RU\xA8\x8A-{\x97\x19\x80\xD8\xCB\x9C\xA1\e|\xC7\x16#a\x8A\xC4\r\xF4$1Ku\x83\xD5\x98N\x8C\xC7eS\xE0\xC9\xF0\xF1\xE7gW\x0E\xEFU\xFC\r\xE9\xFA\x90&\xAF\x04Z\x88]!\xBB\xAD\xD8\xB4\xE9\xE2\x9Cw\x8BC\x06\x97\x00\x9B\xC8\xC5\x87\x8C\xD7\xFD$\xBEn\xB5(\xE6\xA6\x9B\xA0DX\xC8\xBD\x8F\xCB\x8F\xBF\x8EV\xCAF5\veCtc\x06\xC7.\x13\xB7Zv\x06\xF2\xED\xB8\xC1M:\x19]t\x93@\x03\x98\xDA4\t\x95\xF7\xCEh0\x0E\xF1'\r@\x0E,L\x83v\xA4aF)\xE8\xAA\xE6\x93\xB6\xF63\x16\x8C\xAD\fg\xE34\xA9\t^\xAF\xA7\x98\x16\xCE\x1F\x9B\xC91\xAB\x87\x9E\xE1\xB8^\xF5O\xA9/\xA5\x91\x98\xE4ZZ\xFF\x8E\x80~;\xB3\x8E\xBE\xA8\xF8\xDE\xBAj\xE3\x15~\xD1\x87\xC1\xC6\xC0\v]#F\x161\xF3[\x16c\xFDYn\xDD\x8E\x95\xEE\xC3\xFB\xA6\xA9\xECu

crypted on elasticsearch:

Thanks, Emanuele

Try using the version from this PR #3
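For telling an encrypt-side problem from a decrypt-side one, here is an added stand-alone Ruby reference (not part of the issue and not the plugin's code) that round-trips a value with the same algorithm and key length and classifies what a field actually holds. The function names are hypothetical, and prepending a random IV to the ciphertext is this example's own convention, not a statement about the plugin's wire format.

```ruby
require "openssl"
require "base64"

ALGORITHM = "aes-256-cbc"
KEY = "12345678901234567890123456789012" # 32-byte key copied from the issue's config
BLOCK = 16                                # AES block size in bytes

# Encrypt and return Base64(iv + ciphertext).
# Assumption of this example: a fresh random IV is prepended to the ciphertext.
def encrypt_field(plain, key = KEY)
  cipher = OpenSSL::Cipher.new(ALGORITHM).encrypt
  cipher.key = key
  iv = cipher.random_iv
  Base64.strict_encode64(iv + cipher.update(plain) + cipher.final)
end

# Reverse of encrypt_field: Base64-decode, split off the IV, decrypt the rest.
def decrypt_field(encoded, key = KEY)
  raw = Base64.strict_decode64(encoded)
  cipher = OpenSSL::Cipher.new(ALGORITHM).decrypt
  cipher.key = key
  cipher.iv = raw[0, BLOCK]
  (cipher.update(raw[BLOCK..-1]) + cipher.final).force_encoding("UTF-8")
end

# Classify a field value before handing it to a decrypt stage:
#   :base64_block_aligned - valid Base64 whose payload is IV + whole CBC blocks
#   :base64_bad_length    - valid Base64, but not a plausible CBC payload
#   :raw_bytes            - binary data, i.e. Base64 encoding was never applied
#   :text_not_base64      - printable text that is not Base64 (e.g. plaintext)
def classify_field(value)
  raw = Base64.strict_decode64(value)
  plausible = raw.bytesize >= 2 * BLOCK && (raw.bytesize % BLOCK).zero?
  plausible ? :base64_block_aligned : :base64_bad_length
rescue ArgumentError
  value.ascii_only? ? :text_not_base64 : :raw_bytes
end

if __FILE__ == $PROGRAM_NAME
  sample = '<13>root: [22120]: LENGTH: "323"' # constructed from the issue's sample line
  encoded = encrypt_field(sample)
  puts classify_field(encoded)
  puts decrypt_field(encoded)
end
```

A value that classifies as `:raw_bytes` while the encrypting stage has `base64 => true` points at the encrypt side; one that classifies as `:base64_block_aligned` but still fails to decrypt points at key, IV, or decrypt-side handling.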