HMAC Hash Log in Pipeline

syntax · May 4, 2021, 3:16am

Hi all,

I need to do integrity check on my log data to make sure it wasn’t tempered with.
It’s using filebeat.
Is there a hash_hmac function in pipeline? I only see sha256.

Ideally, it should be something like,
hash_hmac('sha256', $logdata, $key);

shoothub · May 4, 2021, 12:13pm

There are more than sha256 pipeline function like md5, sha1, sha256, crc32, crc32c, murmur3_32, murmur3_128. Maybe this would work for you?

rule "digest check"
when
    sha256(to_string($message.message)) == to_string($message.digest)
then
    set_field("digest_ok", true)
end

syntax · May 4, 2021, 2:08pm

not really…it has to be hmac sha256…with a key.

system · May 18, 2021, 2:08pm

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Graylog for Integrity Log Hashing Graylog Central (peer support) pipeline-rules	3	2225	June 9, 2020
Anti tamper option Graylog Central (peer support)	10	798	February 7, 2022
Access to previous message in pipeline rule Graylog Central (peer support)	3	215	June 8, 2023
Noob ISO Pipeline Help Graylog Central (peer support) pipeline-rules	7	553	August 6, 2020
Graylog Rules and Pipeline not working Graylog Central (peer support) pipeline-rules	1	565	April 26, 2018

HMAC Hash Log in Pipeline

Related topics