HTTP filter plugin

edit
  • Plugin version: v1.4.1
  • Released on: 2022-05-04
  • Changelog

For other versions, see the Versioned plugin docs.

Getting Help

edit

For questions about the plugin, open a topic in the Discuss forums. For bugs or feature requests, open an issue in Github. For the list of Elastic supported plugins, please consult the Elastic Support Matrix.

Description

edit

The HTTP filter provides integration with external web services/REST APIs.

Compatibility with the Elastic Common Schema (ECS)

edit

The plugin includes sensible defaults that change based on ECS compatibility mode. When targeting an ECS version, headers are set as @metadata and the target_body is a required option. See target_body, and target_headers.

HTTP Filter Configuration Options

edit

This plugin supports the following configuration options plus the Common Options described later.

Setting Input type Required

body

String, Array or Hash

No

body_format

string

No

ecs_compatibility

string

No

headers

hash

No

query

hash

No

target_body

string

No

target_headers

string

No

url

string

Yes

verb

string

No

There are also multiple configuration options related to the HTTP connectivity:

Also see Common Options for a list of options supported by all filter plugins.

 

body

edit

The body of the HTTP request to be sent.

body_format

edit
  • Value type can be either "json" or "text"
  • Default value is "text"

If set to "json" the body will be serialized as JSON. Otherwise it is sent as is.

ecs_compatibility

edit
  • Value type is string
  • Supported values are:

    • disabled: does not use ECS-compatible field names (for example, response headers target headers field by default)
    • v1, v8: avoids field names that might conflict with Elastic Common Schema (for example, headers are added as metadata)
  • Default value depends on which version of Logstash is running:

    • When Logstash provides a pipeline.ecs_compatibility setting, its value is used as the default
    • Otherwise, the default value is disabled.

Controls this plugin’s compatibility with the Elastic Common Schema (ECS). The value of this setting affects the default value of target_body and target_headers.

headers

edit
  • Value type is hash
  • There is no default value

The HTTP headers to be sent in the request. Both the names of the headers and their values can reference values from event fields.

query

edit
  • Value type is hash
  • There is no default value

Define the query string parameters (key-value pairs) to be sent in the HTTP request.

target_body

edit
  • Value type is hash
  • Default value depends on whether ecs_compatibility is enabled:

    • ECS Compatibility disabled: `"[body]"
    • ECS Compatibility enabled: no default value, needs to be specified explicitly

Define the target field for placing the body of the HTTP response.

target_headers

edit
  • Value type is hash
  • Default value depends on whether ecs_compatibility is enabled:

    • ECS Compatibility disabled: "[headers]"
    • ECS Compatibility enabled: "[@metadata][filter][http][response][headers]"

Define the target field for placing the headers of the HTTP response.

url

edit
  • Value type is string
  • There is no default value

The URL to send the request to. The value can be fetched from event fields.

verb

edit
  • Value type can be either "GET", "HEAD", "PATCH", "DELETE", "POST", "PUT"
  • Default value is "GET"

The verb to be used for the HTTP request.

HTTP Filter Connectivity Options

edit

automatic_retries

edit
  • Value type is number
  • Default value is 1

How many times should the client retry a failing URL. We highly recommend NOT setting this value to zero if keepalive is enabled. Some servers incorrectly end keepalives early requiring a retry! Note: if retry_non_idempotent is set only GET, HEAD, PUT, DELETE, OPTIONS, and TRACE requests will be retried.

cacert

edit
  • Value type is path
  • There is no default value for this setting.

If you need to use a custom X.509 CA (.pem certs) specify the path to that here

client_cert

edit
  • Value type is path
  • There is no default value for this setting.

If you’d like to use a client certificate (note, most people don’t want this) set the path to the x509 cert here

client_key

edit
  • Value type is path
  • There is no default value for this setting.

If you’re using a client certificate specify the path to the encryption key here

connect_timeout

edit
  • Value type is number
  • Default value is 10

Timeout (in seconds) to wait for a connection to be established. Default is 10s

cookies

edit
  • Value type is boolean
  • Default value is true

Enable cookie support. With this enabled the client will persist cookies across requests as a normal web browser would. Enabled by default

follow_redirects

edit
  • Value type is boolean
  • Default value is true

Should redirects be followed? Defaults to true

keepalive

edit
  • Value type is boolean
  • Default value is true

Turn this on to enable HTTP keepalive support. We highly recommend setting automatic_retries to at least one with this to fix interactions with broken keepalive implementations.

keystore

edit
  • Value type is path
  • There is no default value for this setting.

If you need to use a custom keystore (.jks) specify that here. This does not work with .pem keys!

keystore_password

edit
  • Value type is password
  • There is no default value for this setting.

Specify the keystore password here. Note, most .jks files created with keytool require a password!

keystore_type

edit
  • Value type is string
  • Default value is "JKS"

Specify the keystore type here. One of JKS or PKCS12. Default is JKS

password

edit
  • Value type is password
  • There is no default value for this setting.

Password to be used in conjunction with the username for HTTP authentication.

pool_max

edit
  • Value type is number
  • Default value is 50

Max number of concurrent connections. Defaults to 50

pool_max_per_route

edit
  • Value type is number
  • Default value is 25

Max number of concurrent connections to a single host. Defaults to 25

proxy

edit
  • Value type is string
  • There is no default value for this setting.

If you’d like to use an HTTP proxy . This supports multiple configuration syntaxes:

  1. Proxy host in form: http://proxy.org:1234
  2. Proxy host in form: {host => "proxy.org", port => 80, scheme => 'http', user => 'username@host', password => 'password'}
  3. Proxy host in form: {url => 'http://proxy.org:1234', user => 'username@host', password => 'password'}

request_timeout

edit
  • Value type is number
  • Default value is 60

Timeout (in seconds) for the entire request.

retry_non_idempotent

edit
  • Value type is boolean
  • Default value is false

If automatic_retries is enabled this will cause non-idempotent HTTP verbs (such as POST) to be retried.

socket_timeout

edit
  • Value type is number
  • Default value is 10

Timeout (in seconds) to wait for data on the socket. Default is 10s

ssl_supported_protocols

edit
  • Value type is string
  • Allowed values are: 'TLSv1.1', 'TLSv1.2', 'TLSv1.3'
  • Default depends on the JDK being used. With up-to-date Logstash, the default is ['TLSv1.2', 'TLSv1.3']. 'TLSv1.1' is not considered secure and is only provided for legacy applications.

List of allowed SSL/TLS versions to use when establishing a connection to the HTTP endpoint.

For Java 8 'TLSv1.3' is supported only since 8u262 (AdoptOpenJDK), but requires that you set the LS_JAVA_OPTS="-Djdk.tls.client.protocols=TLSv1.3" system property in Logstash.

If you configure the plugin to use 'TLSv1.1' on any recent JVM, such as the one packaged with Logstash, the protocol is disabled by default and needs to be enabled manually by changing jdk.tls.disabledAlgorithms in the $JDK_HOME/conf/security/java.security configuration file. That is, TLSv1.1 needs to be removed from the list.

ssl_verification_mode

edit
  • Value type is string
  • Supported values are: full, none
  • Default value is full

Controls the verification of server certificates. The full option verifies that the provided certificate is signed by a trusted authority (CA) and also that the server’s hostname (or IP address) matches the names identified within the certificate.

The none setting performs no verification of the server’s certificate. This mode disables many of the security benefits of SSL/TLS and should only be used after cautious consideration. It is primarily intended as a temporary diagnostic mechanism when attempting to resolve TLS errors. Using none in production environments is strongly discouraged.

truststore

edit
  • Value type is path
  • There is no default value for this setting.

If you need to use a custom truststore (.jks) specify that here. This does not work with .pem certs!

truststore_password

edit
  • Value type is password
  • There is no default value for this setting.

Specify the truststore password here. Note, most .jks files created with keytool require a password!

truststore_type

edit
  • Value type is string
  • Default value is "JKS"

Specify the truststore type here. One of JKS or PKCS12. Default is JKS

user

edit
  • Value type is string
  • There is no default value for this setting.

Username to use with HTTP authentication for ALL requests. Note that you can also set this per-URL. If you set this you must also set the password option.

validate_after_inactivity

edit
  • Value type is number
  • Default value is 200

How long to wait before checking for a stale connection to determine if a keepalive request is needed. Consider setting this value lower than the default, possibly to 0, if you get connection errors regularly.

This client is based on Apache Commons. Here’s how the Apache Commons documentation describes this option: "Defines period of inactivity in milliseconds after which persistent connections must be re-validated prior to being leased to the consumer. Non-positive value passed to this method disables connection validation. This check helps detect connections that have become stale (half-closed) while kept inactive in the pool."

Common Options

edit

The following configuration options are supported by all filter plugins:

add_field

edit
  • Value type is hash
  • Default value is {}

If this filter is successful, add any arbitrary fields to this event. Field names can be dynamic and include parts of the event using the %{field}.

Example:

    filter {
      http {
        add_field => { "foo_%{somefield}" => "Hello world, from %{host}" }
      }
    }
    # You can also add multiple fields at once:
    filter {
      http {
        add_field => {
          "foo_%{somefield}" => "Hello world, from %{host}"
          "new_field" => "new_static_value"
        }
      }
    }

If the event has field "somefield" == "hello" this filter, on success, would add field foo_hello if it is present, with the value above and the %{host} piece replaced with that value from the event. The second example would also add a hardcoded field.

add_tag

edit
  • Value type is array
  • Default value is []

If this filter is successful, add arbitrary tags to the event. Tags can be dynamic and include parts of the event using the %{field} syntax.

Example:

    filter {
      http {
        add_tag => [ "foo_%{somefield}" ]
      }
    }
    # You can also add multiple tags at once:
    filter {
      http {
        add_tag => [ "foo_%{somefield}", "taggedy_tag"]
      }
    }

If the event has field "somefield" == "hello" this filter, on success, would add a tag foo_hello (and the second example would of course add a taggedy_tag tag).

enable_metric

edit
  • Value type is boolean
  • Default value is true

Disable or enable metric logging for this specific plugin instance. By default we record all the metrics we can, but you can disable metrics collection for a specific plugin.

  • Value type is string
  • There is no default value for this setting.

Add a unique ID to the plugin configuration. If no ID is specified, Logstash will generate one. It is strongly recommended to set this ID in your configuration. This is particularly useful when you have two or more plugins of the same type, for example, if you have 2 http filters. Adding a named ID in this case will help in monitoring Logstash when using the monitoring APIs.

    filter {
      http {
        id => "ABC"
      }
    }

Variable substitution in the id field only supports environment variables and does not support the use of values from the secret store.

periodic_flush

edit
  • Value type is boolean
  • Default value is false

Call the filter flush method at regular interval. Optional.

remove_field

edit
  • Value type is array
  • Default value is []

If this filter is successful, remove arbitrary fields from this event. Fields names can be dynamic and include parts of the event using the %{field} Example:

    filter {
      http {
        remove_field => [ "foo_%{somefield}" ]
      }
    }
    # You can also remove multiple fields at once:
    filter {
      http {
        remove_field => [ "foo_%{somefield}", "my_extraneous_field" ]
      }
    }

If the event has field "somefield" == "hello" this filter, on success, would remove the field with name foo_hello if it is present. The second example would remove an additional, non-dynamic field.

remove_tag

edit
  • Value type is array
  • Default value is []

If this filter is successful, remove arbitrary tags from the event. Tags can be dynamic and include parts of the event using the %{field} syntax.

Example:

    filter {
      http {
        remove_tag => [ "foo_%{somefield}" ]
      }
    }
    # You can also remove multiple tags at once:
    filter {
      http {
        remove_tag => [ "foo_%{somefield}", "sad_unwanted_tag"]
      }
    }

If the event has field "somefield" == "hello" this filter, on success, would remove the tag foo_hello if it is present. The second example would remove a sad, unwanted tag as well.