Using this input you can receive single or multiline events over http(s).
Applications can send an HTTP request to the endpoint started by this input and
Logstash will convert it into an event for subsequent processing. Users
can pass plain text, JSON, or any formatted data and use a corresponding codec with this
input. For content-type application/json the json codec is used, but for all other
data formats, plain codec is used.
This input can also be used to receive webhook requests to integrate with other services and applications. By taking advantage of the vast plugin ecosystem available in Logstash you can trigger actionable events right from your application.
In addition to decoding the events, this input will add HTTP headers containing connection information to each event.
When ECS compatibility is disabled, the headers are stored in the headers field, which has the potential to create confusion and schema conflicts downstream.
When ECS is enabled, we can ensure a pipeline maintains access to this metadata throughout the event’s lifecycle without polluting the top-level namespace.
Here’s how ECS compatibility mode affects output.
ECS disabled |
ECS v1,v8 |
Availability | Description |
|---|---|---|---|
[host] |
[host][ip] |
Always |
Host IP address |
[headers] |
[@metadata][input][http][request][headers] |
Always |
Complete HTTP headers |
[headers][http_version] |
[http][version] |
Always |
HTTP version |
[headers][http_user_agent] |
[user_agent][original] |
Always |
client user agent |
[headers][http_host] |
[url][domain] and [url][port] |
Always |
host domain and port |
[headers][request_method] |
[http][method] |
Always |
HTTP method |
[headers][request_path] |
[url][path] |
Always |
Query path |
[headers][content_length] |
[http][request][body][bytes] |
Always |
Request content length |
[headers][content_type] |
[http][request][mime_type] |
Always |
Request mime type |
The HTTP protocol doesn’t deal well with long running requests. This plugin will either return a 429 (busy) error when Logstash is backlogged, or it will time out the request.
If a 429 error is encountered clients should sleep, backing off exponentially with some random jitter, then retry their request.
This plugin will block if the Logstash queue is blocked and there are available HTTP input threads. This will cause most HTTP clients to time out. Sent events will still be processed in this case. This behavior is not optimal and will be changed in a future release. In the future, this plugin will always return a 429 if the queue is busy, and will not time out in the event of a busy queue.
This plugin supports standard HTTP basic authentication headers to identify the requester. You can pass in a username, password combination while sending data to this input
You can also setup SSL and send data securely over https, with multiple options such as validating the client’s certificate.
This plugin has two configuration options for codecs: codec and additional_codecs.
Values in additional_codecs are prioritized over those specified in the
codec option. That is, the default codec is applied only if no codec
for the request’s content-type is found in the additional_codecs setting.
This plugin supports the following configuration options plus the [plugins-inputs-http-common-options] described later.
| Setting | Input type | Required |
|---|---|---|
No |
||
Deprecated |
||
No |
||
No |
||
Deprecated |
||
Deprecated |
||
No |
||
No |
||
No |
||
No |
||
number, one of |
No |
|
No |
||
No |
||
a valid filesystem path |
No |
|
No |
||
No |
||
No |
||
a valid filesystem path |
No |
|
No |
||
No |
||
string, one of |
No |
|
No |
||
Deprecated |
||
Deprecated |
||
No |
||
string, one of |
Deprecated |
Also see [plugins-inputs-http-common-options] for a list of options supported by all input plugins.
-
Value type is hash
-
Default value is
{"application/json"⇒"json"}
Apply specific codecs for specific content types. The default codec will be applied only after this list is checked and no codec for the request’s content-type is found
deprecated[3.6.0, Replaced by ssl_cipher_suites]
-
Value type is array
The list of cipher suites to use, listed by priorities.
-
Value type is string
-
Supported values are:
-
disabled: unstructured connection metadata added at root level -
v1,v8: headers added under[@metadata][http][header]. Some are copied to structured ECS fieldshttp,url,user_agentandhost
-
Controls this plugin’s compatibility with the {ecs-ref}[Elastic Common Schema (ECS)]. See Event Metadata and the Elastic Common Schema (ECS) for detailed information.
Sample output: ECS disabled
{
"@version" => "1",
"headers" => {
"request_path" => "/twitter/tweet/1",
"http_accept" => "*/*",
"http_version" => "HTTP/1.1",
"request_method" => "PUT",
"http_host" => "localhost:8080",
"http_user_agent" => "curl/7.64.1",
"content_length" => "5",
"content_type" => "application/x-www-form-urlencoded"
},
"@timestamp" => 2021-05-28T19:27:28.609Z,
"host" => "127.0.0.1",
"message" => "hello"
}Sample output: ECS enabled
{
"@version" => "1",
"user_agent" => {
"original" => "curl/7.64.1"
},
"http" => {
"method" => "PUT",
"request" => {
"mime_type" => "application/x-www-form-urlencoded",
"body" => {
"bytes" => "5"
}
},
"version" => "HTTP/1.1"
},
"url" => {
"port" => "8080",
"domain" => "snmp1",
"path" => "/twitter/tweet/1"
},
"@timestamp" => 2021-05-28T23:32:38.222Z,
"host" => {
"ip" => "127.0.0.1"
},
"message" => "hello",
}deprecated[3.1.0, Use ssl_certificate and ssl_key instead]
-
Value type is path
-
There is no default value for this setting.
The JKS keystore to validate the client’s certificates
deprecated[3.1.0, Use ssl_certificate and ssl_key instead]
-
Value type is password
-
There is no default value for this setting.
Set the truststore password
-
Value type is password
-
There is no default value for this setting.
Password for basic authorization
-
Value type is number
-
Default value is 104857600
The max content of an HTTP request in bytes. It defaults to 100mb.
-
Value type is number
-
Default value is 200
Maximum number of incoming requests to store in a temporary queue before being processed by worker threads. If a request arrives and the queue is full a 429 response will be returned immediately. This queue exists to deal with micro bursts of events and to improve overall throughput, so it should be changed very carefully as it can lead to memory pressure and impact performance. If you need to deal both periodic or unforeseen spikes in incoming requests consider enabling the Persistent Queue for the logstash pipeline.
-
Value can be any of: 200, 201, 202, 204
-
Default value is
200
The HTTP return code if the request is processed successfully.
Other return codes may happen in the case of an error condition, such as invalid credentials (401), internal errors (503) or backpressure (429).
If 204 (No Content) is set, the response body will not be sent in the response.
-
Value type is string
-
Default value is
ok
The text body of the response returned to clients on successful POSTs.
The default ok can be overriden with any string content such as JSON.
If 204 (No Content) is set, the response_body option is ignored.
-
Value type is hash
-
Default value is
{"content-type"⇒"text/plain"}
specify a custom set of response headers
-
Value type is string
-
Default value is
"host"when ECS is disabled -
Default value is
[host][ip]when ECS is enabled
specify a target field for the client host of the http request
-
Value type is string
-
Default value is
"headers"when ECS is disabled -
Default value is
[@metadata][http][header]when ECS is enabled
specify target field for the client host of the http request
-
Value type is boolean
-
Default value is
false
Events are by default sent in plain text. You can
enable encryption by setting ssl to true and configuring
the ssl_certificate and ssl_key options.
-
Value type is path
-
There is no default value for this setting.
SSL certificate to use.
-
Value type is array
-
Default value is
[]
Validate client certificates against these authorities.
You can define multiple files or paths. All the certificates will
be read and added to the trust store. You need to configure the ssl_verify_mode
to peer or force_peer to enable the verification.
-
Value type is array
-
Default value is
['TLS_AES_256_GCM_SHA384', 'TLS_AES_128_GCM_SHA256', 'TLS_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256']
The list of cipher suites to use, listed by priorities. This default list applies for OpenJDK 11.0.14 and higher. For older JDK versions, the default list includes only suites supported by that version. For example, the ChaCha20 family of ciphers is not supported in older versions.
-
Value type is number
-
Default value is
10000
Time in milliseconds for an incomplete ssl handshake to timeout
-
Value type is path
-
There is no default value for this setting.
SSL key to use. NOTE: This key need to be in the PKCS8 format, you can convert it with OpenSSL for more information.
-
Value type is password
-
There is no default value for this setting.
SSL key passphrase to use.
-
Value type is array
-
Allowed values are:
'TLSv1.1','TLSv1.2','TLSv1.3' -
Default depends on the JDK being used. With up-to-date Logstash, the default is
['TLSv1.2', 'TLSv1.3'].'TLSv1.1'is not considered secure and is only provided for legacy applications.
List of allowed SSL/TLS versions to use when establishing a connection to the HTTP endpoint.
For Java 8 'TLSv1.3' is supported only since 8u262 (AdoptOpenJDK), but requires that you set the
LS_JAVA_OPTS="-Djdk.tls.client.protocols=TLSv1.3" system property in Logstash.
|
Note
|
If you configure the plugin to use 'TLSv1.1' on any recent JVM, such as the one packaged with Logstash,
the protocol is disabled by default and needs to be enabled manually by changing jdk.tls.disabledAlgorithms in
the $JDK_HOME/conf/security/java.security configuration file. That is, TLSv1.1 needs to be removed from the list.
|
-
Value can be any of:
none,peer,force_peer -
Default value is
"none"
By default the server doesn’t do any client verification.
peer will make the server ask the client to provide a certificate.
If the client provides a certificate, it will be validated.
force_peer will make the server ask the client to provide a certificate.
If the client doesn’t provide a certificate, the connection will be closed.
This option needs to be used with ssl_certificate_authorities and a defined list of CAs.
-
Value type is number
-
Default value is number of processors
Number of threads to use for both accepting connections and handling requests
deprecated[3.6.0]
-
Value type is number
The maximum TLS version allowed for the encrypted connections. The value must be the one of the following: 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLSv1.3
deprecated[3.6.0]
-
Value type is number
The minimum TLS version allowed for the encrypted connections. The value must be one of the following: 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLSv1.3
-
Value type is string
-
There is no default value for this setting.
Username for basic authorization
deprecated[3.6.0, Replaced by ssl_verify_mode]
-
Value can be any of:
none,peer,force_peer -
Default value is
"none"
Set the client certificate verification method. Valid methods: none, peer, force_peer