Http input pluginedit

  • Plugin version: v3.4.5
  • Released on: 2022-01-04
  • Changelog

For other versions, see the Versioned plugin docs.

Getting Helpedit

For questions about the plugin, open a topic in the Discuss forums. For bugs or feature requests, open an issue in Github. For the list of Elastic supported plugins, please consult the Elastic Support Matrix.

Descriptionedit

Using this input you can receive single or multiline events over http(s). Applications can send an HTTP request to the endpoint started by this input and Logstash will convert it into an event for subsequent processing. Users can pass plain text, JSON, or any formatted data and use a corresponding codec with this input. For Content-Type application/json the json codec is used, but for all other data formats, plain codec is used.

This input can also be used to receive webhook requests to integrate with other services and applications. By taking advantage of the vast plugin ecosystem available in Logstash you can trigger actionable events right from your application.

Event Metadata and the Elastic Common Schema (ECS)edit

In addition to decoding the events, this input will add HTTP headers containing connection information to each event. When ECS compatibility is disabled, the headers are stored in the headers field, which has the potential to create confusion and schema conflicts downstream. When ECS is enabled, we can ensure a pipeline maintains access to this metadata throughout the event’s lifecycle without polluting the top-level namespace.

Here’s how ECS compatibility mode affects output.

ECS `disabled` ECS `v1`,`v8` Availability Description

[host]

[host][ip]

Always

Host IP address

[headers]

[@metadata][input][http][request][headers]

Always

Complete HTTP headers

[headers][http_version]

[http][version]

Always

HTTP version

[headers][http_user_agent]

[user_agent][original]

Always

client user agent

[headers][http_host]

[url][domain] and [url][port]

Always

host domain and port

[headers][request_method]

[http][method]

Always

HTTP method

[headers][request_path]

[url][path]

Always

Query path

[headers][content_length]

[http][request][body][bytes]

Always

Request content length

[headers][content_type]

[http][request][mime_type]

Always

Request mime type

Blocking Behavioredit

The HTTP protocol doesn’t deal well with long running requests. This plugin will either return a 429 (busy) error when Logstash is backlogged, or it will time out the request.

If a 429 error is encountered clients should sleep, backing off exponentially with some random jitter, then retry their request.

This plugin will block if the Logstash queue is blocked and there are available HTTP input threads. This will cause most HTTP clients to time out. Sent events will still be processed in this case. This behavior is not optimal and will be changed in a future release. In the future, this plugin will always return a 429 if the queue is busy, and will not time out in the event of a busy queue.

Securityedit

This plugin supports standard HTTP basic authentication headers to identify the requester. You can pass in a username, password combination while sending data to this input

You can also setup SSL and send data securely over https, with multiple options such as validating the client’s certificate.

Codec settingsedit

This plugin has two configuration options for codecs: codec and additional_codecs.

Values in additional_codecs are prioritized over those specified in the codec option. That is, the default codec is applied only if no codec for the request’s content-type is found in the additional_codecs setting.

Http Input Configuration Optionsedit

This plugin supports the following configuration options plus the Common Options described later.

Setting Input type Required

additional_codecs

hash

No

cipher_suites

array

No

ecs_compatibility

string

No

host

string

No

keystore

path

No

keystore_password

password

No

password

password

No

port

number

No

max_pending_requests

number

No

response_headers

hash

No

response_code

number, one of [200, 201, 202, 204]

No

ssl

boolean

No

ssl_certificate

a valid filesystem path

No

ssl_certificate_authorities

array

No

ssl_handshake_timeout

number

No

ssl_key

a valid filesystem path

No

ssl_key_passphrase

password

No

ssl_verify_mode

string, one of ["none", "peer", "force_peer"]

No

threads

number

No

tls_max_version

number

No

tls_min_version

number

No

user

string

No

verify_mode

string, one of ["none", "peer", "force_peer"]

No

Also see Common Options for a list of options supported by all input plugins.

 

additional_codecsedit

  • Value type is hash
  • Default value is {"application/json"=>"json"}

Apply specific codecs for specific content types. The default codec will be applied only after this list is checked and no codec for the request’s content-type is found

cipher_suitesedit

  • Value type is array
  • Default value is java.lang.String[TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256]@459cfcca

The list of ciphers suite to use, listed by priorities.

ecs_compatibilityedit

  • Value type is string
  • Supported values are:

    • disabled: unstructured connection metadata added at root level
    • v1,v8: headers added under [@metadata][http][header]. Some are copied to structured ECS fields http, url, user_agent and host

Controls this plugin’s compatibility with the Elastic Common Schema (ECS). See Event Metadata and the Elastic Common Schema (ECS) for detailed information.

Example output:

Sample output: ECS disabled

{
    "@version" => "1",
    "headers" => {
           "request_path" => "/twitter/tweet/1",
            "http_accept" => "*/*",
           "http_version" => "HTTP/1.1",
         "request_method" => "PUT",
              "http_host" => "localhost:8080",
        "http_user_agent" => "curl/7.64.1",
         "content_length" => "5",
           "content_type" => "application/x-www-form-urlencoded"
    },
    "@timestamp" => 2021-05-28T19:27:28.609Z,
    "host" => "127.0.0.1",
    "message" => "hello"
}

Sample output: ECS enabled

{
    "@version" => "1",
    "user_agent" => {
        "original" => "curl/7.64.1"
    },
    "http" => {
        "method" => "PUT",
        "request" => {
            "mime_type" => "application/x-www-form-urlencoded",
            "body" => {
                "bytes" => "5"
            }
        },
        "version" => "HTTP/1.1"
    },
    "url" => {
          "port" => "8080",
        "domain" => "snmp1",
          "path" => "/twitter/tweet/1"
    },
    "@timestamp" => 2021-05-28T23:32:38.222Z,
    "host" => {
        "ip" => "127.0.0.1"
    },
    "message" => "hello",
}

hostedit

  • Value type is string
  • Default value is "0.0.0.0"

The host or ip to bind

keystoreedit

  • Value type is path
  • There is no default value for this setting.
  • This option is deprecated

The JKS keystore to validate the client’s certificates

Note: This option is deprecated and it will be removed in the next major version of Logstash. Use ssl_certificate and ssl_key instead.

keystore_passwordedit

  • Value type is password
  • There is no default value for this setting.
  • This option is deprecated

Set the truststore password

Note: This option is deprecated and it will be removed in the next major version of Logstash. Use ssl_certificate and ssl_key instead.

passwordedit

  • Value type is password
  • There is no default value for this setting.

Password for basic authorization

portedit

  • Value type is number
  • Default value is 8080

The TCP port to bind to

max_content_lengthedit

  • Value type is number
  • Default value is 104857600

The max content of an HTTP request in bytes. It defaults to 100mb.

max_pending_requestsedit

  • Value type is number
  • Default value is 200

Maximum number of incoming requests to store in a temporary queue before being processed by worker threads. If a request arrives and the queue is full a 429 response will be returned immediately. This queue exists to deal with micro bursts of events and to improve overall throughput, so it should be changed very carefully as it can lead to memory pressure and impact performance. If you need to deal both periodic or unforeseen spikes in incoming requests consider enabling the Persistent Queue for the logstash pipeline.

response_codeedit

  • Value can be any of: 200, 201, 202, 204
  • Default value is 200

The HTTP return code if the request is processed successfully.

Other return codes may happen in the case of an error condition, such as invalid credentials (401), internal errors (503) or backpressure (429).

If 204 (No Content) is set, the response body will not be sent in the response.

response_headersedit

  • Value type is hash
  • Default value is {"Content-Type"=>"text/plain"}

specify a custom set of response headers

remote_host_target_fieldedit

  • Value type is string
  • Default value is "host" when ECS is disabled
  • Default value is [host][ip] when ECS is enabled

specify a target field for the client host of the http request

request_headers_target_fieldedit

  • Value type is string
  • Default value is "headers" when ECS is disabled
  • Default value is [@metadata][http][header] when ECS is enabled

specify target field for the client host of the http request

ssledit

  • Value type is boolean
  • Default value is false

Events are by default sent in plain text. You can enable encryption by setting ssl to true and configuring the ssl_certificate and ssl_key options.

ssl_certificateedit

  • Value type is path
  • There is no default value for this setting.

SSL certificate to use.

ssl_certificate_authoritiesedit

  • Value type is array
  • Default value is []

Validate client certificates against these authorities. You can define multiple files or paths. All the certificates will be read and added to the trust store. You need to configure the ssl_verify_mode to peer or force_peer to enable the verification.

ssl_handshake_timeoutedit

  • Value type is number
  • Default value is 10000

Time in milliseconds for an incomplete ssl handshake to timeout

ssl_keyedit

  • Value type is path
  • There is no default value for this setting.

SSL key to use. NOTE: This key need to be in the PKCS8 format, you can convert it with OpenSSL for more information.

ssl_key_passphraseedit

  • Value type is password
  • There is no default value for this setting.

SSL key passphrase to use.

ssl_verify_modeedit

  • Value can be any of: none, peer, force_peer
  • Default value is "none"

By default the server doesn’t do any client verification.

peer will make the server ask the client to provide a certificate. If the client provides a certificate, it will be validated.

force_peer will make the server ask the client to provide a certificate. If the client doesn’t provide a certificate, the connection will be closed.

This option needs to be used with ssl_certificate_authorities and a defined list of CAs.

threadsedit

  • Value type is number
  • Default value is number of processors

Number of threads to use for both accepting connections and handling requests

tls_max_versionedit

  • Value type is number
  • Default value is 1.2

The maximum TLS version allowed for the encrypted connections. The value must be the one of the following: 1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2

tls_min_versionedit

  • Value type is number
  • Default value is 1

The minimum TLS version allowed for the encrypted connections. The value must be one of the following: 1.0 for TLS 1.0, 1.1 for TLS 1.1, 1.2 for TLS 1.2

useredit

  • Value type is string
  • There is no default value for this setting.

Username for basic authorization

verify_modeedit

  • Value can be any of: none, peer, force_peer
  • Default value is "none"
  • This option is deprecated

Set the client certificate verification method. Valid methods: none, peer, force_peer

Note: This option is deprecated and it will be removed in the next major version of Logstash. Use ssl_verify_mode instead.

Common Optionsedit

The following configuration options are supported by all input plugins:

Setting Input type Required

add_field

hash

No

codec

codec

No

enable_metric

boolean

No

id

string

No

tags

array

No

type

string

No

Detailsedit

 

add_fieldedit

  • Value type is hash
  • Default value is {}

Add a field to an event

codecedit

  • Value type is codec
  • Default value is "plain"

The codec used for input data. Input codecs are a convenient method for decoding your data before it enters the input, without needing a separate filter in your Logstash pipeline.

enable_metricedit

  • Value type is boolean
  • Default value is true

Disable or enable metric logging for this specific plugin instance by default we record all the metrics we can, but you can disable metrics collection for a specific plugin.

idedit

  • Value type is string
  • There is no default value for this setting.

Add a unique ID to the plugin configuration. If no ID is specified, Logstash will generate one. It is strongly recommended to set this ID in your configuration. This is particularly useful when you have two or more plugins of the same type, for example, if you have 2 http inputs. Adding a named ID in this case will help in monitoring Logstash when using the monitoring APIs.

input {
  http {
    id => "my_plugin_id"
  }
}

Variable substitution in the id field only supports environment variables and does not support the use of values from the secret store.

tagsedit

  • Value type is array
  • There is no default value for this setting.

Add any number of arbitrary tags to your event.

This can help with processing later.

typeedit

  • Value type is string
  • There is no default value for this setting.

Add a type field to all events handled by this input.

Types are used mainly for filter activation.

The type is stored as part of the event itself, so you can also use the type to search for it in Kibana.

If you try to set a type on an event that already has one (for example when you send an event from a shipper to an indexer) then a new input will not override the existing type. A type set at the shipper stays with that event for its life even when sent to another Logstash server.