-
Notifications
You must be signed in to change notification settings - Fork 4.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[Filebeat][New Input] Http Input #18298
Conversation
Pinging @elastic/siem (Team:SIEM) |
💚 Build SucceededExpand to view the summary
Build stats
Test stats 🧪
|
@kvch Added first iteration of docs, let me know if it looks okay :) Do I need to add it anywhere else as well? I don't think it will be automatically included by just creating a new asciidoc in the inputs docs folder. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Some more thoughts as I incrementally work through this 🙂
return http.StatusUnsupportedMediaType, in.createErrorMessage("Wrong Content-Type header, expecting application/json") | ||
} | ||
|
||
if r.Header.Get("Accept") != "application/json" { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So, my previous comment about overriding headers mainly stems from this line. The Accept
header checking seems to indicate that we're always going to respond with a Content-Type: application/json
header--but the fact that we allow the response headers to be overridden in the config actually breaks this. Nothing currently prevents the user from doing something like:
{beatname_lc}.inputs:
- type: http_endpoint
...
response_body: '<message>success</message>'
response_header: '{"Content-Type": "application/xml"}'
If we're actually wanting to make sure we always hand back json
I'd do two things:
- Always set the
Content-Type: application/json
header and ignore what the user may specify in the config - Validate the response value that the user specifies in
response_body
is actually valid JSON.
@andrewstucki
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM. Once all questions are resolved, I am OK with merging it.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Last comment and then I think I'm good on this
Username string `config:"username"` | ||
Password string `config:"password"` | ||
ResponseCode int `config:"response_code" validate:"positive"` | ||
ResponseBody string `config:"response_body"` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If we're going to hardcode that this is a JSON-based response, I think we should likely still sanity check that the user actually entered JSON. You could just make a Validate
method for the config
structure and inside do something like
func (c *config) Validate() error {
if !json.Valid(c.ResponseBody) {
return errors.New("response_body must be valid JSON")
}
// other validations here
return nil
}
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Added the validation, just had to convert it from a string to a byteslice as well.
New return upon wrong response body is:
2020-05-25T08:43:01.744+0200 ERROR instance/beat.go:931 Exiting: Failed to start crawler: starting input failed: Error while initializing input: response_body must be valid JSON accessing 'filebeat.inputs.0' (source:'filebeat.yml')
Exiting: Failed to start crawler: starting input failed: Error while initializing input: response_body must be valid JSON accessing 'filebeat.inputs.0' (source:'filebeat.yml')
Should now be ready for merge and backport :) |
jenkins, test this please |
jenkins run tests |
## What does this PR do? This filebeat input configures a HTTP port listener, accepting JSON formatted POST requests, which again is formatted into a event, initially the event is created with the "json." prefix and expects the ingest pipeline to mutate the event during ingestion. The initial set of features is based on the Logstash input plugin, but implemented differently: https://www.elastic.co/guide/en/logstash/current/plugins-inputs-http.html ## Why is it important? This idea is based on a few different scenarios: - The user already has a large beats installation and no Logstash, and do not want to install Logstash solely for a single feature. - HTTP Input allows applications to be directly integrated with Elastic, without needing connectivity to Elasticsearch directly (or Logstash). - Allows us to integrate and create modules for any product that supports HTTP POST events like SOAR, cloud applications, ticketing systems etc etc. ## Features currently implemented - HTTP Basic Auth On/Off - HTTP/HTTPS configurable - Listening interface and port configurable - Response code on success configurable - Response body on success configurable - Response header on success configurable - Proper HTTP codes on both success and error responses - Message prefix configurable - URL to post to is configurable - SSL path to cert, key and CA is configurable. (cherry picked from commit 0b84f0a)
## What does this PR do? This filebeat input configures a HTTP port listener, accepting JSON formatted POST requests, which again is formatted into a event, initially the event is created with the "json." prefix and expects the ingest pipeline to mutate the event during ingestion. The initial set of features is based on the Logstash input plugin, but implemented differently: https://www.elastic.co/guide/en/logstash/current/plugins-inputs-http.html ## Why is it important? This idea is based on a few different scenarios: - The user already has a large beats installation and no Logstash, and do not want to install Logstash solely for a single feature. - HTTP Input allows applications to be directly integrated with Elastic, without needing connectivity to Elasticsearch directly (or Logstash). - Allows us to integrate and create modules for any product that supports HTTP POST events like SOAR, cloud applications, ticketing systems etc etc. ## Features currently implemented - HTTP Basic Auth On/Off - HTTP/HTTPS configurable - Listening interface and port configurable - Response code on success configurable - Response body on success configurable - Response header on success configurable - Proper HTTP codes on both success and error responses - Message prefix configurable - URL to post to is configurable - SSL path to cert, key and CA is configurable. (cherry picked from commit 0b84f0a) Co-authored-by: Marius Iversen <pillus@chasenet.org>
What does this PR do?
This filebeat input configures a HTTP port listener, accepting JSON formatted POST requests, which again is formatted into a event, initially the event is created with the "json." prefix and expects the ingest pipeline to mutate the event during ingestion.
The initial set of features is based on the Logstash input plugin, but implemented differently: https://www.elastic.co/guide/en/logstash/current/plugins-inputs-http.html
Why is it important?
This idea is based on a few different scenarios:
Features currently implemented
HTTP Basic Auth On/Off
HTTP/HTTPS configurable
Listening interface and port configurable
Response code on success configurable
Response body on success configurable
Response header on success configurable
Proper HTTP codes on both success and error responses
Message prefix configurable
URL to post to is configurable
SSL path to cert, key and CA is configurable.
TODO
Checklist
CHANGELOG.next.asciidoc
orCHANGELOG-developer.next.asciidoc
.