• Plugin version: v4.1.0
• Released on: 2024-12-19
• Changelog

For other versions, see theVersioned plugin docs.

For questions about the plugin, open a topic in theDiscuss forums. For bugs or feature requests, open an issue inGithub. For the list of Elastic supported plugins, please consult theElastic Support Matrix.

Using this input you can receive single or multiline events over http(s). Applications can send an HTTP request to the endpoint started by this input and Logstash will convert it into an event for subsequent processing. Users can pass plain text, JSON, or any formatted data and use a corresponding codec with this input. For Content-Typeapplication/json thejson codec is used, but for all other data formats,plain codec is used.

This input can also be used to receive webhook requests to integrate with other services and applications. By taking advantage of the vast plugin ecosystem available in Logstash you can trigger actionable events right from your application.

In addition to decoding the events, this input will add HTTP headers containing connection information to each event. When ECS compatibility is disabled, the headers are stored in theheaders field, which has the potential to create confusion and schema conflicts downstream. When ECS is enabled, we can ensure a pipeline maintains access to this metadata throughout the event’s lifecycle without polluting the top-level namespace.

Here’s how ECS compatibility mode affects output.

The HTTP protocol doesn’t deal well with long running requests. This plugin will either return a 429 (busy) error when Logstash is backlogged, or it will time out the request.

If a 429 error is encountered clients should sleep, backing off exponentially with some random jitter, then retry their request.

This plugin will block if the Logstash queue is blocked and there are available HTTP input threads. This will cause most HTTP clients to time out. Sent events will still be processed in this case. This behavior is not optimal and will be changed in a future release. In the future, this plugin will always return a 429 if the queue is busy, and will not time out in the event of a busy queue.

This plugin supports standard HTTP basic authentication headers to identify the requester. You can pass in a username, password combination while sending data to this input

You can also setup SSL and send data securely over https, with multiple options such as validating the client’s certificate.

This plugin has two configuration options for codecs:codec andadditional_codecs.

Values inadditional_codecs are prioritized over those specified in thecodec option. That is, the defaultcodec is applied only if no codec for the request’s content-type is found in theadditional_codecs setting.

This plugin supports the following configuration options plus theCommon options described later.

Also seeCommon options for a list of options supported by all input plugins.

• Value type ishash
• Default value is{"application/json"=>"json"}

Apply specific codecs for specific content types. The default codec will be applied only after this list is checked and no codec for the request’s content-type is found

• Value type isstring

• Supported values are:

  • disabled: unstructured connection metadata added at root level
  • v1,v8: headers added under[@metadata][http][header]. Some are copied to structured ECS fieldshttp,url,user_agent andhost

Controls this plugin’s compatibility with theElastic Common Schema (ECS). SeeEvent Metadata and the Elastic Common Schema (ECS) for detailed information.

Sample output: ECS disabled

{    "@version" => "1",    "headers" => {           "request_path" => "/twitter/tweet/1",            "http_accept" => "*/*",           "http_version" => "HTTP/1.1",         "request_method" => "PUT",              "http_host" => "localhost:8080",        "http_user_agent" => "curl/7.64.1",         "content_length" => "5",           "content_type" => "application/x-www-form-urlencoded"    },    "@timestamp" => 2021-05-28T19:27:28.609Z,    "host" => "127.0.0.1",    "message" => "hello"}

Sample output: ECS enabled

{    "@version" => "1",    "user_agent" => {        "original" => "curl/7.64.1"    },    "http" => {        "method" => "PUT",        "request" => {            "mime_type" => "application/x-www-form-urlencoded",            "body" => {                "bytes" => "5"            }        },        "version" => "HTTP/1.1"    },    "url" => {          "port" => "8080",        "domain" => "snmp1",          "path" => "/twitter/tweet/1"    },    "@timestamp" => 2021-05-28T23:32:38.222Z,    "host" => {        "ip" => "127.0.0.1"    },    "message" => "hello",}

• Value type isstring
• Default value is"0.0.0.0"

The host or ip to bind

• Value type ispassword
• There is no default value for this setting.

Password for basic authorization

• Value type isnumber
• Default value is8080

The TCP port to bind to

• Value type isnumber
• Default value is 104857600

The max content of an HTTP request in bytes. It defaults to 100mb.

• Value type isnumber
• Default value is 200

Maximum number of incoming requests to store in a temporary queue before being processed by worker threads. If a request arrives and the queue is full a 429 response will be returned immediately. This queue exists to deal with micro bursts of events and to improve overall throughput, so it should be changed very carefully as it can lead to memory pressure and impact performance. If you need to deal both periodic or unforeseen spikes in incoming requests consider enabling the Persistent Queue for the logstash pipeline.

• Value can be any of: 200, 201, 202, 204
• Default value is200

The HTTP return code if the request is processed successfully.

Other return codes may happen in the case of an error condition, such as invalid credentials (401), internal errors (503) or backpressure (429).

If 204 (No Content) is set, the response body will not be sent in the response.

• Value type ishash
• Default value is{"Content-Type"=>"text/plain"}

specify a custom set of response headers

• Value type isstring
• Default value is"host" when ECS is disabled
• Default value is[host][ip] when ECS is enabled

specify a target field for the client host of the http request

• Value type isstring
• Default value is"headers" when ECS is disabled
• Default value is[@metadata][http][header] when ECS is enabled

specify target field for the client host of the http request

• Value type ispath
• There is no default value for this setting.

SSL certificate to use.

• Value type isarray
• Default value is[]

Validate client certificates against these authorities. You can define multiple files or paths. All the certificates will be read and added to the trust store. You need to configure thessl_client_authentication tooptional orrequired to enable the verification.

• Value type isarray
• Default value is['TLS_AES_256_GCM_SHA384', 'TLS_AES_128_GCM_SHA256', 'TLS_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384', 'TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384', 'TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256', 'TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256']

The list of cipher suites to use, listed by priorities. This default list applies for OpenJDK 11.0.14 and higher. For older JDK versions, the default list includes only suites supported by that version. For example, the ChaCha20 family of ciphers is not supported in older versions.

• Value can be any of:none,optional,required
• Default value is"none"

Controls the server’s behavior in regard to requesting a certificate from client connections:required forces a client to present a certificate, whileoptional requests a client certificate but the client is not required to present one. Defaults tonone, which disables the client authentication.

• Value type isboolean
• Default value isfalse

Events are, by default, sent in plain text. You can enable encryption by settingssl_enabled to true and configuring thessl_certificate andssl_key options.

• Value type isnumber
• Default value is10000

Time in milliseconds for an incomplete ssl handshake to timeout

• Value type ispath
• There is no default value for this setting.

SSL key to use. NOTE: This key need to be in the PKCS8 format, you can convert it withOpenSSL for more information.

• Value type ispassword
• There is no default value for this setting.

SSL key passphrase to use.

• Value type ispath
• There is no default value for this setting.

The path for the keystore file that contains a private key and certificate. It must be either a Java keystore (jks) or a PKCS#12 file.

• Value can be any of:jks,pkcs12
• If not provided, the value will be inferred from the keystore filename.

The format of the keystore file. It must be eitherjks orpkcs12.

• Value type ispassword
• There is no default value for this setting.

Set the JKS keystore password

• Value type isarray
• Allowed values are:'TLSv1.1','TLSv1.2','TLSv1.3'
• Default depends on the JDK being used. With up-to-date Logstash, the default is['TLSv1.2', 'TLSv1.3'].'TLSv1.1' is not considered secure and is only provided for legacy applications.

List of allowed SSL/TLS versions to use when establishing a connection to the HTTP endpoint.

For Java 8'TLSv1.3' is supported only since8u262 (AdoptOpenJDK), but requires that you set theLS_JAVA_OPTS="-Djdk.tls.client.protocols=TLSv1.3" system property in Logstash.

• Value type ispassword
• There is no default value for this setting.

Set the truststore password

• Value type ispath
• There is no default value for this setting.

The path for the keystore that contains the certificates to trust. It must be either a Java keystore (jks) or a PKCS#12 file.

• Value can be any of:jks,pkcs12
• If not provided, the value will be inferred from the truststore filename.

The format of the truststore file. It must be eitherjks orpkcs12.

• Value type isnumber
• Default value is number of processors

Number of threads to use for both accepting connections and handling requests

• Value type isstring
• There is no default value for this setting.

Username for basic authorization

These configuration options are supported by all input plugins:

• Value type ishash
• Default value is{}

Add a field to an event

• Value type iscodec
• Default value is"plain"

The codec used for input data. Input codecs are a convenient method for decoding your data before it enters the input, without needing a separate filter in your Logstash pipeline.

• Value type isboolean
• Default value istrue

Disable or enable metric logging for this specific plugin instance by default we record all the metrics we can, but you can disable metrics collection for a specific plugin.

• Value type isstring
• There is no default value for this setting.

Add a uniqueID to the plugin configuration. If no ID is specified, Logstash will generate one. It is strongly recommended to set this ID in your configuration. This is particularly useful when you have two or more plugins of the same type, for example, if you have 2 http inputs. Adding a named ID in this case will help in monitoring Logstash when using the monitoring APIs.

input {  http {    id => "my_plugin_id"  }}

• Value type isarray
• There is no default value for this setting.

Add any number of arbitrary tags to your event.

This can help with processing later.

• Value type isstring
• There is no default value for this setting.

Add atype field to all events handled by this input.

Types are used mainly for filter activation.

The type is stored as part of the event itself, so you can also use the type to search for it in Kibana.

If you try to set a type on an event that already has one (for example when you send an event from a shipper to an indexer) then a new input will not override the existing type. A type set at the shipper stays with that event for its life even when sent to another Logstash server.