- Logstash Reference: other versions:
- Logstash Introduction
- Getting Started with Logstash
- How Logstash Works
- Setting Up and Running Logstash
- Logstash Directory Layout
- Logstash Configuration Files
- logstash.yml
- Secrets keystore for secure settings
- Running Logstash from the Command Line
- Running Logstash as a Service on Debian or RPM
- Running Logstash on Docker
- Configuring Logstash for Docker
- Running Logstash on Kubernetes
- Running Logstash on Windows
- Logging
- Shutting Down Logstash
- Upgrading Logstash
- Creating a Logstash pipeline
- Secure your connection
- Advanced Logstash Configurations
- Logstash-to-Logstash communication
- Managing Logstash
- Using Logstash with Elastic Integrations
- Working with Logstash Modules
- Working with Filebeat Modules
- Working with Winlogbeat Modules
- Queues and data resiliency
- Transforming Data
- Deploying and Scaling Logstash
- Managing GeoIP Databases
- Performance tuning
- Monitoring Logstash with Elastic Agent
- Monitoring Logstash (legacy)
- Monitoring Logstash with APIs
- Working with plugins
- Integration plugins
- Input plugins
- azure_event_hubs
- beats
- cloudwatch
- couchdb_changes
- dead_letter_queue
- elastic_agent
- elastic_serverless_forwarder
- elasticsearch
- exec
- file
- ganglia
- gelf
- generator
- github
- google_cloud_storage
- google_pubsub
- graphite
- heartbeat
- http
- http_poller
- imap
- irc
- java_generator
- java_stdin
- jdbc
- jms
- jmx
- kafka
- kinesis
- logstash
- log4j
- lumberjack
- meetup
- pipe
- puppet_facter
- rabbitmq
- redis
- relp
- rss
- s3
- s3-sns-sqs
- salesforce
- snmp
- snmptrap
- sqlite
- sqs
- stdin
- stomp
- syslog
- tcp
- udp
- unix
- varnishlog
- websocket
- wmi
- xmpp
- Output plugins
- boundary
- circonus
- cloudwatch
- csv
- datadog
- datadog_metrics
- dynatrace
- elastic_app_search
- elastic_workplace_search
- elasticsearch
- exec
- file
- ganglia
- gelf
- google_bigquery
- google_cloud_storage
- google_pubsub
- graphite
- graphtastic
- http
- influxdb
- irc
- java_stdout
- juggernaut
- kafka
- librato
- logstash
- loggly
- lumberjack
- metriccatcher
- mongodb
- nagios
- nagios_nsca
- opentsdb
- pagerduty
- pipe
- rabbitmq
- redis
- redmine
- riak
- riemann
- s3
- sink
- sns
- solr_http
- sqs
- statsd
- stdout
- stomp
- syslog
- tcp
- timber
- udp
- webhdfs
- websocket
- xmpp
- zabbix
- Filter plugins
- age
- aggregate
- alter
- bytes
- cidr
- cipher
- clone
- csv
- date
- de_dot
- dissect
- dns
- drop
- elapsed
- elastic_integration
- elasticsearch
- environment
- extractnumbers
- fingerprint
- geoip
- grok
- http
- i18n
- java_uuid
- jdbc_static
- jdbc_streaming
- json
- json_encode
- kv
- memcached
- metricize
- metrics
- mutate
- prune
- range
- ruby
- sleep
- split
- syslog_pri
- threats_classifier
- throttle
- tld
- translate
- truncate
- urldecode
- useragent
- uuid
- wurfl_device_detection
- xml
- Codec plugins
- Tips and best practices
- Troubleshooting
- Contributing to Logstash
- How to write a Logstash input plugin
- How to write a Logstash codec plugin
- How to write a Logstash filter plugin
- How to write a Logstash output plugin
- Logstash Plugins Community Maintainer Guide
- Document your plugin
- Publish your plugin to RubyGems.org
- List your plugin
- Contributing a patch to a Logstash plugin
- Extending Logstash core
- Contributing a Java Plugin
- Breaking changes
- Release Notes
- Logstash 8.17.1 Release Notes
- Logstash 8.17.0 Release Notes
- Logstash 8.16.2 Release Notes
- Logstash 8.16.1 Release Notes
- Logstash 8.16.0 Release Notes
- Logstash 8.15.5 Release Notes
- Logstash 8.15.4 Release Notes
- Logstash 8.15.3 Release Notes
- Logstash 8.15.2 Release Notes
- Logstash 8.15.1 Release Notes
- Logstash 8.15.0 Release Notes
- Logstash 8.14.3 Release Notes
- Logstash 8.14.2 Release Notes
- Logstash 8.14.1 Release Notes
- Logstash 8.14.0 Release Notes
- Logstash 8.13.4 Release Notes
- Logstash 8.13.3 Release Notes
- Logstash 8.13.2 Release Notes
- Logstash 8.13.1 Release Notes
- Logstash 8.13.0 Release Notes
- Logstash 8.12.2 Release Notes
- Logstash 8.12.1 Release Notes
- Logstash 8.12.0 Release Notes
- Logstash 8.11.4 Release Notes
- Logstash 8.11.3 Release Notes
- Logstash 8.11.2 Release Notes
- Logstash 8.11.1 Release Notes
- Logstash 8.11.0 Release Notes
- Logstash 8.10.4 Release Notes
- Logstash 8.10.3 Release Notes
- Logstash 8.10.2 Release Notes
- Logstash 8.10.1 Release Notes
- Logstash 8.10.0 Release Notes
- Logstash 8.9.2 Release Notes
- Logstash 8.9.1 Release Notes
- Logstash 8.9.0 Release Notes
- Logstash 8.8.2 Release Notes
- Logstash 8.8.1 Release Notes
- Logstash 8.8.0 Release Notes
- Logstash 8.7.1 Release Notes
- Logstash 8.7.0 Release Notes
- Logstash 8.6.2 Release Notes
- Logstash 8.6.1 Release Notes
- Logstash 8.6.0 Release Notes
- Logstash 8.5.3 Release Notes
- Logstash 8.5.2 Release Notes
- Logstash 8.5.1 Release Notes
- Logstash 8.5.0 Release Notes
- Logstash 8.4.2 Release Notes
- Logstash 8.4.1 Release Notes
- Logstash 8.4.0 Release Notes
- Logstash 8.3.3 Release Notes
- Logstash 8.3.2 Release Notes
- Logstash 8.3.1 Release Notes
- Logstash 8.3.0 Release Notes
- Logstash 8.2.3 Release Notes
- Logstash 8.2.2 Release Notes
- Logstash 8.2.1 Release Notes
- Logstash 8.2.0 Release Notes
- Logstash 8.1.3 Release Notes
- Logstash 8.1.2 Release Notes
- Logstash 8.1.1 Release Notes
- Logstash 8.1.0 Release Notes
- Logstash 8.0.1 Release Notes
- Logstash 8.0.0 Release Notes
- Logstash 8.0.0-rc2 Release Notes
- Logstash 8.0.0-rc1 Release Notes
- Logstash 8.0.0-beta1 Release Notes
- Logstash 8.0.0-alpha2 Release Notes
- Logstash 8.0.0-alpha1 Release Notes
HTTP filter plugin
editHTTP filter plugin
edit- Plugin version: v1.6.0
- Released on: 2024-06-19
- Changelog
For other versions, see the Versioned plugin docs.
Getting help
editFor questions about the plugin, open a topic in the Discuss forums. For bugs or feature requests, open an issue in Github. For the list of Elastic supported plugins, please consult the Elastic Support Matrix.
Description
editThe HTTP filter provides integration with external web services/REST APIs.
Compatibility with the Elastic Common Schema (ECS)
editThe plugin includes sensible defaults that change based on ECS compatibility mode.
When targeting an ECS version, headers are set as @metadata
and the target_body
is a required option.
See target_body
, and target_headers
.
HTTP Filter Configuration Options
editThis plugin supports the following configuration options plus the Common options described later.
Setting | Input type | Required |
---|---|---|
String, Array or Hash |
No |
|
No |
||
No |
||
No |
||
No |
||
No |
||
No |
||
Yes |
||
No |
There are also multiple configuration options related to the HTTP connectivity:
Setting | Input type | Required |
---|---|---|
No |
||
a valid filesystem path |
Deprecated |
|
a valid filesystem path |
Deprecated |
|
a valid filesystem path |
Deprecated |
|
No |
||
No |
||
No |
||
No |
||
a valid filesystem path |
Deprecated |
|
Deprecated |
||
Deprecated |
||
No |
||
No |
||
No |
||
No |
||
No |
||
No |
||
No |
||
No |
||
list of path |
No |
|
list of string |
No |
|
No |
||
No |
||
No |
||
No |
||
No |
||
No |
||
No |
||
No |
||
string, one of |
No |
|
a valid filesystem path |
Deprecated |
|
Deprecated |
||
Deprecated |
||
no |
||
No |
Also see Common options for a list of options supported by all filter plugins.
body
editThe body of the HTTP request to be sent.
An example to send body
as json
http { body => { "key1" => "constant_value" "key2" => "%{[field][reference]}" } body_format => "json" }
body_format
edit-
Value type can be either
"json"
or"text"
-
Default value is
"text"
If set to "json"
and the body
is a type of array or hash, the body will be serialized as JSON. Otherwise it is sent as is.
ecs_compatibility
edit- Value type is string
-
Supported values are:
-
disabled
: does not use ECS-compatible field names (for example, response headers targetheaders
field by default) -
v1
,v8
: avoids field names that might conflict with Elastic Common Schema (for example, headers are added as metadata)
-
-
Default value depends on which version of Logstash is running:
-
When Logstash provides a
pipeline.ecs_compatibility
setting, its value is used as the default -
Otherwise, the default value is
disabled
.
-
When Logstash provides a
Controls this plugin’s compatibility with the Elastic Common Schema (ECS).
The value of this setting affects the default value of target_body
and
target_headers
.
headers
edit- Value type is hash
- There is no default value
The HTTP headers to be sent in the request. Both the names of the headers and their values can reference values from event fields.
query
edit- Value type is hash
- There is no default value
Define the query string parameters (key-value pairs) to be sent in the HTTP request.
target_body
edit- Value type is hash
-
Default value depends on whether
ecs_compatibility
is enabled:- ECS Compatibility disabled: `"[body]"
- ECS Compatibility enabled: no default value, needs to be specified explicitly
Define the target field for placing the body of the HTTP response.
target_headers
edit- Value type is hash
-
Default value depends on whether
ecs_compatibility
is enabled:-
ECS Compatibility disabled:
"[headers]"
-
ECS Compatibility enabled:
"[@metadata][filter][http][response][headers]"
-
ECS Compatibility disabled:
Define the target field for placing the headers of the HTTP response.
url
edit- Value type is string
- There is no default value
The URL to send the request to. The value can be fetched from event fields.
verb
edit-
Value type can be either
"GET"
,"HEAD"
,"PATCH"
,"DELETE"
,"POST"
,"PUT"
-
Default value is
"GET"
The verb to be used for the HTTP request.
HTTP Filter Connectivity Options
editautomatic_retries
edit- Value type is number
-
Default value is
1
How many times should the client retry a failing URL. We highly recommend NOT setting this value
to zero if keepalive is enabled. Some servers incorrectly end keepalives early requiring a retry!
Note: if retry_non_idempotent
is set only GET, HEAD, PUT, DELETE, OPTIONS, and TRACE requests will be retried.
cacert
editDeprecated in 1.5.0.
Replaced by ssl_certificate_authorities
- Value type is path
- There is no default value for this setting.
If you need to use a custom X.509 CA (.pem certs) specify the path to that here
client_cert
editDeprecated in 1.5.0.
Replaced by ssl_certificate
- Value type is path
- There is no default value for this setting.
If you’d like to use a client certificate (note, most people don’t want this) set the path to the x509 cert here
client_key
editDeprecated in 1.5.0.
Replaced by ssl_key
- Value type is path
- There is no default value for this setting.
If you’re using a client certificate specify the path to the encryption key here
connect_timeout
edit- Value type is number
-
Default value is
10
Timeout (in seconds) to wait for a connection to be established. Default is 10s
cookies
edit- Value type is boolean
-
Default value is
true
Enable cookie support. With this enabled the client will persist cookies across requests as a normal web browser would. Enabled by default
follow_redirects
edit- Value type is boolean
-
Default value is
true
Should redirects be followed? Defaults to true
keepalive
edit- Value type is boolean
-
Default value is
true
Turn this on to enable HTTP keepalive support. We highly recommend setting automatic_retries
to at least
one with this to fix interactions with broken keepalive implementations.
keystore
editDeprecated in 1.5.0.
Replaced by ssl_keystore_path
- Value type is path
- There is no default value for this setting.
If you need to use a custom keystore (.jks
) specify that here. This does not work with .pem keys!
keystore_password
editDeprecated in 1.5.0.
Replaced by ssl_keystore_password
- Value type is password
- There is no default value for this setting.
Specify the keystore password here. Note, most .jks files created with keytool require a password!
keystore_type
editDeprecated in 1.5.0.
Replaced by ssl_keystore_type
- Value type is string
-
Default value is
"JKS"
Specify the keystore type here. One of JKS
or PKCS12
. Default is JKS
password
edit- Value type is password
- There is no default value for this setting.
Password to be used in conjunction with the username for HTTP authentication.
pool_max
edit- Value type is number
-
Default value is
50
Max number of concurrent connections. Defaults to 50
pool_max_per_route
edit- Value type is number
-
Default value is
25
Max number of concurrent connections to a single host. Defaults to 25
proxy
edit- Value type is string
- There is no default value for this setting.
If you’d like to use an HTTP proxy . This supports multiple configuration syntaxes:
-
Proxy host in form:
http://proxy.org:1234
-
Proxy host in form:
{host => "proxy.org", port => 80, scheme => 'http', user => 'username@host', password => 'password'}
-
Proxy host in form:
{url => 'http://proxy.org:1234', user => 'username@host', password => 'password'}
request_timeout
edit- Value type is number
-
Default value is
60
Timeout (in seconds) for the entire request.
retry_non_idempotent
edit- Value type is boolean
-
Default value is
false
If automatic_retries
is enabled this will cause non-idempotent HTTP verbs (such as POST) to be retried.
socket_timeout
edit- Value type is number
-
Default value is
10
Timeout (in seconds) to wait for data on the socket. Default is 10s
ssl_certificate
edit- Value type is path
- There is no default value for this setting.
SSL certificate to use to authenticate the client. This certificate should be an OpenSSL-style X.509 certificate file.
This setting can be used only if ssl_key
is set.
ssl_certificate_authorities
edit- Value type is a list of path
- There is no default value for this setting
The .cer or .pem CA files to validate the server’s certificate.
ssl_cipher_suites
edit- Value type is a list of string
- There is no default value for this setting
The list of cipher suites to use, listed by priorities. Supported cipher suites vary depending on the Java and protocol versions.
ssl_enabled
edit- Value type is boolean
-
Default value is
true
Enable SSL/TLS secured communication. It must be true
for other ssl_
options
to take effect.
ssl_key
edit- Value type is path
- There is no default value for this setting.
OpenSSL-style RSA private key that corresponds to the ssl_certificate
.
This setting can be used only if ssl_certificate
is set.
ssl_keystore_password
edit- Value type is password
- There is no default value for this setting.
Set the keystore password
ssl_keystore_path
edit- Value type is path
- There is no default value for this setting.
The keystore used to present a certificate to the server.
It can be either .jks
or .p12
ssl_keystore_type
edit-
Value can be any of:
jks
,pkcs12
- If not provided, the value will be inferred from the keystore filename.
The format of the keystore file. It must be either jks
or pkcs12
.
ssl_supported_protocols
edit- Value type is string
-
Allowed values are:
'TLSv1.1'
,'TLSv1.2'
,'TLSv1.3'
-
Default depends on the JDK being used. With up-to-date Logstash, the default is
['TLSv1.2', 'TLSv1.3']
.'TLSv1.1'
is not considered secure and is only provided for legacy applications.
List of allowed SSL/TLS versions to use when establishing a connection to the HTTP endpoint.
For Java 8 'TLSv1.3'
is supported only since 8u262 (AdoptOpenJDK), but requires that you set the
LS_JAVA_OPTS="-Djdk.tls.client.protocols=TLSv1.3"
system property in Logstash.
If you configure the plugin to use 'TLSv1.1'
on any recent JVM, such as the one packaged with Logstash,
the protocol is disabled by default and needs to be enabled manually by changing jdk.tls.disabledAlgorithms
in
the $JDK_HOME/conf/security/java.security configuration file. That is, TLSv1.1
needs to be removed from the list.
ssl_truststore_password
edit- Value type is password
- There is no default value for this setting.
Set the truststore password
ssl_truststore_path
edit- Value type is path
- There is no default value for this setting.
The truststore to validate the server’s certificate.
It can be either .jks
or .p12
.
ssl_truststore_type
edit-
Value can be any of:
jks
,pkcs12
- If not provided, the value will be inferred from the truststore filename.
The format of the truststore file. It must be either jks
or pkcs12
.
ssl_verification_mode
edit- Value type is string
-
Supported values are:
full
,none
-
Default value is
full
Controls the verification of server certificates.
The full
option verifies that the provided certificate is signed by a trusted authority (CA)
and also that the server’s hostname (or IP address) matches the names identified within the certificate.
The none
setting performs no verification of the server’s certificate.
This mode disables many of the security benefits of SSL/TLS and should only be used after cautious consideration.
It is primarily intended as a temporary diagnostic mechanism when attempting to resolve TLS errors.
Using none
in production environments is strongly discouraged.
truststore
editDeprecated in 1.5.0.
Replaced by ssl_truststore_path
- Value type is path
- There is no default value for this setting.
If you need to use a custom truststore (.jks
) specify that here. This does not work with .pem certs!
truststore_password
editDeprecated in 1.5.0.
Replaced by ssl_truststore_password
- Value type is password
- There is no default value for this setting.
Specify the truststore password here. Note, most .jks files created with keytool require a password!
truststore_type
editDeprecated in 1.5.0.
Replaced by ssl_truststore_type
- Value type is string
-
Default value is
"JKS"
Specify the truststore type here. One of JKS
or PKCS12
. Default is JKS
user
edit- Value type is string
- There is no default value for this setting.
Username to use with HTTP authentication for ALL requests. Note that you can also set this per-URL.
If you set this you must also set the password
option.
validate_after_inactivity
edit- Value type is number
-
Default value is
200
How long to wait before checking for a stale connection to determine if a keepalive request is needed. Consider setting this value lower than the default, possibly to 0, if you get connection errors regularly.
This client is based on Apache Commons. Here’s how the Apache Commons documentation describes this option: "Defines period of inactivity in milliseconds after which persistent connections must be re-validated prior to being leased to the consumer. Non-positive value passed to this method disables connection validation. This check helps detect connections that have become stale (half-closed) while kept inactive in the pool."
Common options
editThese configuration options are supported by all filter plugins:
Setting | Input type | Required |
---|---|---|
No |
||
No |
||
No |
||
No |
||
No |
||
No |
||
No |
add_field
edit- Value type is hash
-
Default value is
{}
If this filter is successful, add any arbitrary fields to this event.
Field names can be dynamic and include parts of the event using the %{field}
.
Example:
filter { http { add_field => { "foo_%{somefield}" => "Hello world, from %{host}" } } }
# You can also add multiple fields at once: filter { http { add_field => { "foo_%{somefield}" => "Hello world, from %{host}" "new_field" => "new_static_value" } } }
If the event has field "somefield" == "hello"
this filter, on success,
would add field foo_hello
if it is present, with the
value above and the %{host}
piece replaced with that value from the
event. The second example would also add a hardcoded field.
add_tag
edit- Value type is array
-
Default value is
[]
If this filter is successful, add arbitrary tags to the event.
Tags can be dynamic and include parts of the event using the %{field}
syntax.
Example:
filter { http { add_tag => [ "foo_%{somefield}" ] } }
# You can also add multiple tags at once: filter { http { add_tag => [ "foo_%{somefield}", "taggedy_tag"] } }
If the event has field "somefield" == "hello"
this filter, on success,
would add a tag foo_hello
(and the second example would of course add a taggedy_tag
tag).
enable_metric
edit- Value type is boolean
-
Default value is
true
Disable or enable metric logging for this specific plugin instance. By default we record all the metrics we can, but you can disable metrics collection for a specific plugin.
id
edit- Value type is string
- There is no default value for this setting.
Add a unique ID
to the plugin configuration. If no ID is specified, Logstash will generate one.
It is strongly recommended to set this ID in your configuration. This is particularly useful
when you have two or more plugins of the same type, for example, if you have 2 http filters.
Adding a named ID in this case will help in monitoring Logstash when using the monitoring APIs.
filter { http { id => "ABC" } }
Variable substitution in the id
field only supports environment variables
and does not support the use of values from the secret store.
periodic_flush
edit- Value type is boolean
-
Default value is
false
Call the filter flush method at regular interval. Optional.
remove_field
edit- Value type is array
-
Default value is
[]
If this filter is successful, remove arbitrary fields from this event. Fields names can be dynamic and include parts of the event using the %{field} Example:
filter { http { remove_field => [ "foo_%{somefield}" ] } }
# You can also remove multiple fields at once: filter { http { remove_field => [ "foo_%{somefield}", "my_extraneous_field" ] } }
If the event has field "somefield" == "hello"
this filter, on success,
would remove the field with name foo_hello
if it is present. The second
example would remove an additional, non-dynamic field.
remove_tag
edit- Value type is array
-
Default value is
[]
If this filter is successful, remove arbitrary tags from the event.
Tags can be dynamic and include parts of the event using the %{field}
syntax.
Example:
filter { http { remove_tag => [ "foo_%{somefield}" ] } }
# You can also remove multiple tags at once: filter { http { remove_tag => [ "foo_%{somefield}", "sad_unwanted_tag"] } }
If the event has field "somefield" == "hello"
this filter, on success,
would remove the tag foo_hello
if it is present. The second example
would remove a sad, unwanted tag as well.
On this page
- Getting help
- Description
- Compatibility with the Elastic Common Schema (ECS)
- HTTP Filter Configuration Options
body
body_format
ecs_compatibility
headers
query
target_body
target_headers
url
verb
- HTTP Filter Connectivity Options
automatic_retries
cacert
client_cert
client_key
connect_timeout
cookies
follow_redirects
keepalive
keystore
keystore_password
keystore_type
password
pool_max
pool_max_per_route
proxy
request_timeout
retry_non_idempotent
socket_timeout
ssl_certificate
ssl_certificate_authorities
ssl_cipher_suites
ssl_enabled
ssl_key
ssl_keystore_password
ssl_keystore_path
ssl_keystore_type
ssl_supported_protocols
ssl_truststore_password
ssl_truststore_path
ssl_truststore_type
ssl_verification_mode
truststore
truststore_password
truststore_type
user
validate_after_inactivity
- Common options
add_field
add_tag
enable_metric
id
periodic_flush
remove_field
remove_tag
ElasticON events are back!
Learn about the Elastic Search AI Platform from the experts at our live events.
Register now