• Plugin version: v2.0.0
• Released on: 2024-12-18
• Changelog

For other versions, see theVersioned plugin docs.

For questions about the plugin, open a topic in theDiscuss forums. For bugs or feature requests, open an issue inGithub. For the list of Elastic supported plugins, please consult theElastic Support Matrix.

The HTTP filter provides integration with external web services/REST APIs.

The plugin includes sensible defaults that change based onECS compatibility mode. When targeting an ECS version, headers are set as@metadata and thetarget_body is a required option. Seetarget_body, andtarget_headers.

This plugin supports the following configuration options plus theCommon options described later.

There are also multiple configuration options related to the HTTP connectivity:

Also seeCommon options for a list of options supported by all filter plugins.

• Value type can be astring,number,array orhash
• There is no default value

The body of the HTTP request to be sent.

An example to sendbody as json

http {  body => {    "key1" => "constant_value"    "key2" => "%{[field][reference]}"  }  body_format => "json"}

• Value type can be either"json" or"text"
• Default value is"text"

If set to"json" and thebody is a type ofarray orhash, the body will be serialized as JSON. Otherwise it is sent as is.

• Value type isstring

• Supported values are:

  • disabled: does not use ECS-compatible field names (for example, response headers targetheaders field by default)
  • v1,v8: avoids field names that might conflict with Elastic Common Schema (for example, headers are added as metadata)

• Default value depends on which version of Logstash is running:

  • When Logstash provides apipeline.ecs_compatibility setting, its value is used as the default
  • Otherwise, the default value isdisabled.

Controls this plugin’s compatibility with theElastic Common Schema (ECS). The value of this setting affects thedefault value oftarget_body andtarget_headers.

• Value type ishash
• There is no default value

The HTTP headers to be sent in the request. Both the names of the headers and their values can reference values from event fields.

• Value type ishash
• There is no default value

Define the query string parameters (key-value pairs) to be sent in the HTTP request.

• Value type ishash

• Default value depends on whetherecs_compatibility is enabled:

  • ECS Compatibility disabled: `"[body]"
  • ECS Compatibility enabled: no default value, needs to be specified explicitly

Define the target field for placing the body of the HTTP response.

• Value type ishash

• Default value depends on whetherecs_compatibility is enabled:

  • ECS Compatibility disabled:"[headers]"
  • ECS Compatibility enabled:"[@metadata][filter][http][response][headers]"

Define the target field for placing the headers of the HTTP response.

• Value type isstring
• There is no default value

The URL to send the request to. The value can be fetched from event fields.

• Value type can be either"GET","HEAD","PATCH","DELETE","POST","PUT"
• Default value is"GET"

The verb to be used for the HTTP request.

• Value type isnumber
• Default value is1

How many times should the client retry a failing URL. We highly recommend NOT setting this value to zero if keepalive is enabled. Some servers incorrectly end keepalives early requiring a retry! Note: ifretry_non_idempotent is set only GET, HEAD, PUT, DELETE, OPTIONS, and TRACE requests will be retried.

• Value type isnumber
• Default value is10

Timeout (in seconds) to wait for a connection to be established. Default is10s

• Value type isboolean
• Default value istrue

Enable cookie support. With this enabled the client will persist cookies across requests as a normal web browser would. Enabled by default

• Value type isboolean
• Default value istrue

Should redirects be followed? Defaults totrue

• Value type isboolean
• Default value istrue

Turn this on to enable HTTP keepalive support. We highly recommend settingautomatic_retries to at least one with this to fix interactions with broken keepalive implementations.

• Value type ispassword
• There is no default value for this setting.

Password to be used in conjunction with the username for HTTP authentication.

• Value type isnumber
• Default value is50

Max number of concurrent connections. Defaults to50

• Value type isnumber
• Default value is25

Max number of concurrent connections to a single host. Defaults to25

• Value type isstring
• There is no default value for this setting.

If you’d like to use an HTTP proxy . This supports multiple configuration syntaxes:

1. Proxy host in form:http://proxy.org:1234
2. Proxy host in form:{host => "proxy.org", port => 80, scheme => 'http', user => 'username@host', password => 'password'}
3. Proxy host in form:{url => 'http://proxy.org:1234', user => 'username@host', password => 'password'}

• Value type isnumber
• Default value is60

Timeout (in seconds) for the entire request.

• Value type isboolean
• Default value isfalse

Ifautomatic_retries is enabled this will cause non-idempotent HTTP verbs (such as POST) to be retried.

• Value type isnumber
• Default value is10

Timeout (in seconds) to wait for data on the socket. Default is10s

• Value type ispath
• There is no default value for this setting.

SSL certificate to use to authenticate the client. This certificate should be an OpenSSL-style X.509 certificate file.

• Value type is a list ofpath
• There is no default value for this setting

The .cer or .pem CA files to validate the server’s certificate.

• Value type is a list ofstring
• There is no default value for this setting

The list of cipher suites to use, listed by priorities. Supported cipher suites vary depending on the Java and protocol versions.

• Value type isboolean
• Default value istrue

Enable SSL/TLS secured communication. It must betrue for otherssl_ options to take effect.

• Value type ispath
• There is no default value for this setting.

OpenSSL-style RSA private key that corresponds to thessl_certificate.

• Value type ispassword
• There is no default value for this setting.

Set the keystore password

• Value type ispath
• There is no default value for this setting.

The keystore used to present a certificate to the server. It can be either.jks or.p12

• Value can be any of:jks,pkcs12
• If not provided, the value will be inferred from the keystore filename.

The format of the keystore file. It must be eitherjks orpkcs12.

• Value type isstring
• Allowed values are:'TLSv1.1','TLSv1.2','TLSv1.3'
• Default depends on the JDK being used. With up-to-date Logstash, the default is['TLSv1.2', 'TLSv1.3'].'TLSv1.1' is not considered secure and is only provided for legacy applications.

List of allowed SSL/TLS versions to use when establishing a connection to the HTTP endpoint.

For Java 8'TLSv1.3' is supported only since8u262 (AdoptOpenJDK), but requires that you set theLS_JAVA_OPTS="-Djdk.tls.client.protocols=TLSv1.3" system property in Logstash.

• Value type ispassword
• There is no default value for this setting.

Set the truststore password

• Value type ispath
• There is no default value for this setting.

The truststore to validate the server’s certificate. It can be either.jks or.p12.

• Value can be any of:jks,pkcs12
• If not provided, the value will be inferred from the truststore filename.

The format of the truststore file. It must be eitherjks orpkcs12.

• Value type isstring
• Supported values are:full,none
• Default value isfull

Controls the verification of server certificates. Thefull option verifies that the provided certificate is signed by a trusted authority (CA) and also that the server’s hostname (or IP address) matches the names identified within the certificate.

Thenone setting performs no verification of the server’s certificate. This mode disables many of the security benefits of SSL/TLS and should only be used after cautious consideration. It is primarily intended as a temporary diagnostic mechanism when attempting to resolve TLS errors. Usingnone in production environments is strongly discouraged.

• Value type isstring
• There is no default value for this setting.

Username to use with HTTP authentication for ALL requests. Note that you can also set this per-URL. If you set this you must also set thepassword option.

• Value type isnumber
• Default value is200

How long to wait before checking for a stale connection to determine if a keepalive request is needed. Consider setting this value lower than the default, possibly to 0, if you get connection errors regularly.

This client is based on Apache Commons. Here’s how theApache Commons documentation describes this option: "Defines period of inactivity in milliseconds after which persistent connections must be re-validated prior to being leased to the consumer. Non-positive value passed to this method disables connection validation. This check helps detect connections that have become stale (half-closed) while kept inactive in the pool."

These configuration options are supported by all filter plugins:

• Value type ishash
• Default value is{}

If this filter is successful, add any arbitrary fields to this event. Field names can be dynamic and include parts of the event using the%{{field}}.

Example:

filter {  http {    add_field => { "foo_%{somefield}" => "Hello world, from %{host}" }  }}

# You can also add multiple fields at once:filter {  http {    add_field => {      "foo_%{somefield}" => "Hello world, from %{host}"      "new_field" => "new_static_value"    }  }}

If the event has field"somefield" == "hello" this filter, on success, would add fieldfoo_hello if it is present, with the value above and the%{{host}} piece replaced with that value from the event. The second example would also add a hardcoded field.

• Value type isarray
• Default value is[]

If this filter is successful, add arbitrary tags to the event. Tags can be dynamic and include parts of the event using the%{{field}} syntax.

Example:

filter {  http {    add_tag => [ "foo_%{somefield}" ]  }}

# You can also add multiple tags at once:filter {  http {    add_tag => [ "foo_%{somefield}", "taggedy_tag"]  }}

If the event has field"somefield" == "hello" this filter, on success, would add a tagfoo_hello (and the second example would of course add ataggedy_tag tag).

• Value type isboolean
• Default value istrue

Disable or enable metric logging for this specific plugin instance. By default we record all the metrics we can, but you can disable metrics collection for a specific plugin.

• Value type isstring
• There is no default value for this setting.

Add a uniqueID to the plugin configuration. If no ID is specified, Logstash will generate one. It is strongly recommended to set this ID in your configuration. This is particularly useful when you have two or more plugins of the same type, for example, if you have 2 http filters. Adding a named ID in this case will help in monitoring Logstash when using the monitoring APIs.

filter {  http {    id => "ABC"  }}

• Value type isboolean
• Default value isfalse

Call the filter flush method at regular interval. Optional.

• Value type isarray
• Default value is[]

If this filter is successful, remove arbitrary fields from this event. Fields names can be dynamic and include parts of the event using the%{{field}} Example:

filter {  http {    remove_field => [ "foo_%{somefield}" ]  }}

# You can also remove multiple fields at once:filter {  http {    remove_field => [ "foo_%{somefield}", "my_extraneous_field" ]  }}

If the event has field"somefield" == "hello" this filter, on success, would remove the field with namefoo_hello if it is present. The second example would remove an additional, non-dynamic field.

• Value type isarray
• Default value is[]

If this filter is successful, remove arbitrary tags from the event. Tags can be dynamic and include parts of the event using the%{{field}} syntax.

Example:

filter {  http {    remove_tag => [ "foo_%{somefield}" ]  }}

# You can also remove multiple tags at once:filter {  http {    remove_tag => [ "foo_%{somefield}", "sad_unwanted_tag"]  }}

If the event has field"somefield" == "hello" this filter, on success, would remove the tagfoo_hello if it is present. The second example would remove a sad, unwanted tag as well.