Http input plugin

Apply specific codecs for specific content types. The default codec will be applied only after this list is checked and no codec for the request’s content-type is found

The list of cipher suites to use, listed by priorities.

Controls this plugin’s compatibility with the Elastic Common Schema (ECS). See Event Metadata and the Elastic Common Schema (ECS) for detailed information.

Sample output: ECS disabled

{
    "@version" => "1",
    "headers" => {
           "request_path" => "/twitter/tweet/1",
            "http_accept" => "*/*",
           "http_version" => "HTTP/1.1",
         "request_method" => "PUT",
              "http_host" => "localhost:8080",
        "http_user_agent" => "curl/7.64.1",
         "content_length" => "5",
           "content_type" => "application/x-www-form-urlencoded"
    },
    "@timestamp" => 2021-05-28T19:27:28.609Z,
    "host" => "127.0.0.1",
    "message" => "hello"
}

Sample output: ECS enabled

{
    "@version" => "1",
    "user_agent" => {
        "original" => "curl/7.64.1"
    },
    "http" => {
        "method" => "PUT",
        "request" => {
            "mime_type" => "application/x-www-form-urlencoded",
            "body" => {
                "bytes" => "5"
            }
        },
        "version" => "HTTP/1.1"
    },
    "url" => {
          "port" => "8080",
        "domain" => "snmp1",
          "path" => "/twitter/tweet/1"
    },
    "@timestamp" => 2021-05-28T23:32:38.222Z,
    "host" => {
        "ip" => "127.0.0.1"
    },
    "message" => "hello",
}

The host or ip to bind

The JKS keystore to validate the client’s certificates

Set the keystore password

Password for basic authorization

The TCP port to bind to

The max content of an HTTP request in bytes. It defaults to 100mb.

Maximum number of incoming requests to store in a temporary queue before being processed by worker threads. If a request arrives and the queue is full a 429 response will be returned immediately. This queue exists to deal with micro bursts of events and to improve overall throughput, so it should be changed very carefully as it can lead to memory pressure and impact performance. If you need to deal both periodic or unforeseen spikes in incoming requests consider enabling the Persistent Queue for the logstash pipeline.

The HTTP return code if the request is processed successfully.

Other return codes may happen in the case of an error condition, such as invalid credentials (401), internal errors (503) or backpressure (429).

If 204 (No Content) is set, the response body will not be sent in the response.

specify a custom set of response headers

specify a target field for the client host of the http request

specify target field for the client host of the http request

Events are, by default, sent in plain text. You can enable encryption by setting ssl to true and configuring the ssl_certificate and ssl_key options.

SSL certificate to use.

Validate client certificates against these authorities. You can define multiple files or paths. All the certificates will be read and added to the trust store. You need to configure the ssl_client_authentication to optional or required to enable the verification.

The list of cipher suites to use, listed by priorities. This default list applies for OpenJDK 11.0.14 and higher. For older JDK versions, the default list includes only suites supported by that version. For example, the ChaCha20 family of ciphers is not supported in older versions.

Controls the server’s behavior in regard to requesting a certificate from client connections: required forces a client to present a certificate, while optional requests a client certificate but the client is not required to present one. Defaults to none, which disables the client authentication.

Events are, by default, sent in plain text. You can enable encryption by setting ssl_enabled to true and configuring the ssl_certificate and ssl_key options.

Time in milliseconds for an incomplete ssl handshake to timeout

SSL key to use. NOTE: This key need to be in the PKCS8 format, you can convert it with OpenSSL for more information.

SSL key passphrase to use.

The JKS keystore to validate the client’s certificates

Set the JKS keystore password

List of allowed SSL/TLS versions to use when establishing a connection to the HTTP endpoint.

For Java 8 'TLSv1.3' is supported only since 8u262 (AdoptOpenJDK), but requires that you set the LS_JAVA_OPTS="-Djdk.tls.client.protocols=TLSv1.3" system property in Logstash.

By default the server doesn’t do any client verification.

peer will make the server ask the client to provide a certificate. If the client provides a certificate, it will be validated.

force_peer will make the server ask the client to provide a certificate. If the client doesn’t provide a certificate, the connection will be closed.

This option needs to be used with ssl_certificate_authorities and a defined list of CAs.

Number of threads to use for both accepting connections and handling requests

The maximum TLS version allowed for the encrypted connections. The value must be the one of the following: 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLSv1.3

The minimum TLS version allowed for the encrypted connections. The value must be one of the following: 1.1 for TLS 1.1, 1.2 for TLS 1.2, 1.3 for TLSv1.3

Username for basic authorization

Set the client certificate verification method. Valid methods: none, peer, force_peer

Add a field to an event

The codec used for input data. Input codecs are a convenient method for decoding your data before it enters the input, without needing a separate filter in your Logstash pipeline.

Disable or enable metric logging for this specific plugin instance by default we record all the metrics we can, but you can disable metrics collection for a specific plugin.

Add a unique ID to the plugin configuration. If no ID is specified, Logstash will generate one. It is strongly recommended to set this ID in your configuration. This is particularly useful when you have two or more plugins of the same type, for example, if you have 2 http inputs. Adding a named ID in this case will help in monitoring Logstash when using the monitoring APIs.

input {
  http {
    id => "my_plugin_id"
  }
}

Add any number of arbitrary tags to your event.

This can help with processing later.

Add a type field to all events handled by this input.

Types are used mainly for filter activation.

The type is stored as part of the event itself, so you can also use the type to search for it in Kibana.

If you try to set a type on an event that already has one (for example when you send an event from a shipper to an indexer) then a new input will not override the existing type. A type set at the shipper stays with that event for its life even when sent to another Logstash server.