Curious, GL has the capability to hash through pipelines that eventually get indexed. Correct? Is there a way to check whether that capability has been implemented? What is a pipeline in this context, and how is it being hashed? Where can we see the hashes to check whether an indexed set of logs has matching hashes? If configured/possible, does it alert if an alteration to the logs has been made?
There is nothing ready to use. You have to do it all by hand. But here is what I did just now:
Created a Pipeline rule like this:
rule "create sha512 of message"
when
  has_field("message")
then
  // hash the raw message text and store the hex digest in a new field
  let hash = sha512(to_string($message.message));
  set_field("hash_sha512", hash);
end
Then add the rule to a pipeline connected to a stream.
Now the messages will get a new field containing the hash.
I created a second pipeline rule where I do a check against the saved field:
rule "validate sha512 of message"
when
  has_field("message")
then
  // recompute the digest and compare it with the value stored at ingest time
  let hash = sha512(to_string($message.message));
  let saved_hash = to_string($message.hash_sha512);
  let valid = hash == saved_hash;
  set_field("valid_message", to_bool(valid));
end
I use this pipeline as a decorator, which means the second field valid_message will not be stored permanently but only displayed in a message table.
Now I can see in the message table whether the message still has the same checksum.
But to be honest, this is not really adding security. If an attacker can manipulate the message in your Elasticsearch, then he can change the stored checksum as well.
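To make the last point concrete, here is an added Python simulation of the two rules above and of the edit-and-rehash attack the answer describes. It is not code from the post or from Graylog: the dictionaries stand in for indexed message documents, the sshd log line and the key are constructed, and the keyed (HMAC) variant is a separate illustration of what changes when the verifier holds a secret the index does not, not something the posted rules do.

```python
"""Simulation of the two pipeline rules from the post and of the attack the
answer describes. Plain Python, not Graylog code. Field names mirror the post;
the sample log line and the secret key are constructed for this example."""
import hashlib
import hmac

# Constructed sample, shaped like the fields Graylog holds for one message.
SAMPLE = {"message": "sshd[1234]: Failed password for root from 203.0.113.5 port 4242 ssh2"}

# Constructed secret for the keyed variant. It only helps if it lives outside the
# index (e.g. in the pipeline configuration), never in a message field.
KEY = b"constructed-demo-key-rotate-me"


def create_rule(msg):
    """Mirror of 'create sha512 of message': store a hex SHA-512 of the message text."""
    out = dict(msg)
    if "message" in out:
        out["hash_sha512"] = hashlib.sha512(str(out["message"]).encode()).hexdigest()
    return out


def validate_rule(msg):
    """Mirror of 'validate sha512 of message': recompute and compare with the stored field.
    Returns None when there is no message field, otherwise True/False."""
    if "message" not in msg:
        return None
    recomputed = hashlib.sha512(str(msg["message"]).encode()).hexdigest()
    return recomputed == str(msg.get("hash_sha512", ""))


def keyed_create(msg, key):
    """Keyed variant (assumption, not one of the posted rules): store an HMAC-SHA512."""
    out = dict(msg)
    if "message" in out:
        out["hmac_sha512"] = hmac.new(key, str(out["message"]).encode(), hashlib.sha512).hexdigest()
    return out


def keyed_validate(msg, key):
    """Recompute the HMAC with the key held outside the index; constant-time compare."""
    if "message" not in msg:
        return None
    expected = hmac.new(key, str(msg["message"]).encode(), hashlib.sha512).hexdigest()
    return hmac.compare_digest(expected, str(msg.get("hmac_sha512", "")))


def attacker_edit(stored, new_text, key_guess=None):
    """An attacker with write access to the index rewrites the message text and
    recomputes every checksum stored next to it. The plain hash needs no secret,
    so it is always recomputable; the HMAC can only be recomputed with the key."""
    out = dict(stored)
    out["message"] = new_text
    if "hash_sha512" in out:
        out["hash_sha512"] = hashlib.sha512(new_text.encode()).hexdigest()
    if "hmac_sha512" in out and key_guess is not None:
        out["hmac_sha512"] = hmac.new(key_guess, new_text.encode(), hashlib.sha512).hexdigest()
    return out


def run_scenarios():
    """Return the validation result of each scenario so they can be compared side by side."""
    plain = create_rule(SAMPLE)
    keyed = keyed_create(SAMPLE, KEY)
    forged_text = "sshd[1234]: Accepted password for root from 203.0.113.5 port 4242 ssh2"
    return {
        "plain_untouched": validate_rule(plain),
        "plain_edited_only": validate_rule(dict(plain, message=forged_text)),
        "plain_edited_and_rehashed": validate_rule(attacker_edit(plain, forged_text)),
        "keyed_untouched": keyed_validate(keyed, KEY),
        "keyed_edited_wrong_key": keyed_validate(attacker_edit(keyed, forged_text, b"wrong-key"), KEY),
        "keyed_edited_tag_left_alone": keyed_validate(attacker_edit(keyed, forged_text), KEY),
    }


if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name}: valid={result}")
```

The "plain_edited_and_rehashed" case is the answer's caveat in code: once the attacker can write to the index, the decorator reports the forged message as valid. The keyed cases only hold up if the key is genuinely unreachable from the index, which is an operational requirement this example assumes rather than solves.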