Is it possible to post JSON to logstash directly outside of a BEAT?

Good morning,

Does anyone know if it's possible to post data to logstash via something like this:

invoke-webrequest -uri $uri -ContentType 'application/json' -body $body

We have our pipeline on logstash listening on port 5044. I know it's also listening on 9600, but I want the events to go through my already defined config for 5044.

Thanks.

If you are using an http input then you can do that. If you are using a beats input (which the use of port 5044 suggests) then no, since that speaks lumberjack, not HTTP.

Thanks Badger.

For anyone else that comes across this post, I ended up having to do a few things on our logstash server config:

First, I edited the pipelines.yml in \etc\logstash\ to include this text:

- pipeline.id: httpbeat
  path.config: "/etc/logstash/conf.d/httpbeat.conf"
  pipeline.batch.size: 125
  pipeline.workers: 2

Then, I created a httpbeat.conf in \etc\logstash\config.d\:

input {
	http {
		port => 5045
	}
}

output {
  if "_grokparsefailure" not in [tags] {
	elasticsearch {
		hosts => ["https://ES:9200","https://ES:9200"]
		truststore => "/etc/logstash/certs/cacerts"
		truststore_password => "changeit"
		index => "httpbeat-%{+YYYY.MM.dd}"
		user => USER
		password => PASSWORD
	}
  }
}

As a test, some garbage data from powershell_ise:

$data = @()
$num = 1..4 | %{$results = "" | select Name,Time;$results.name=$env:COMPUTERNAME;$results.time=$(get-date -f G);$data+=$results}
$body = ConvertTo-Json $data -Compress
$uri = "http://LS:5045"
Invoke-RestMethod -Method Post -Uri $uri -ContentType 'application/json'-Body $body -ErrorAction Stop

And in Kibana I see this was posted:

{
  "_index": "httpbeat-2019.06.12",
  "_type": "doc",
  "_id": "ID",
  "_version": 1,
  "_score": null,
  "_source": {
    "@version": "1",
    "@timestamp": "2019-06-12T15:28:49.545Z",
    "Name": "PCNAME",
    "host": "IP",
    "Time": "6/12/2019 10:28:49 AM",
    "headers": {
      "http_user_agent": "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17763.503",
      "request_path": "/",
      "http_accept": null,
      "http_host": "LS:5045",
      "content_type": "application/json",
      "content_length": "209",
      "http_version": "HTTP/1.1",
      "request_method": "POST"
    }
  },
  "fields": {
    "@timestamp": [
      "2019-06-12T15:28:49.545Z"
    ]
  },
  "sort": [
    1560353329545
  ]
}

Progress, not sure why it didn't include any of the JSON I attempted to post in the body... Badger any ideas?

This is the JSON I tried to post:

EDIT

[{"Name":"PCNAME","Time":"6/12/2019 10:28:49 AM"},{"Name":"PCNAME","Time":"6/12/2019 10:28:49 AM"},{"Name":"PCNAME","Time":"6/12/2019 10:28:49 AM"},{"Name":"PCNAME","Time":"6/12/2019 10:28:49 AM"}]

This works as expected:

Invoke-RestMethod -Method Post -Uri uri -ContentType 'application/json'-Body ((gwmi win32_computersystem | select Domain,Manufacturer,Model,Name | ConvertTo-Json -Compress)) -ErrorAction Stop

JSON from Kibana:

{
"_index": "httpbeat-2019.06.12",
"_type": "doc",
"_id": "ID",
"_version": 1,
"_score": null,
"_source": {
"@version": "1",
"@timestamp": "2019-06-12T15:54:06.141Z",
"Manufacturer": "HP",
"Name": "PCNAME",
"Model": "HP EliteBook 840 G5",
"host": "IP",
"headers": {
"http_user_agent": "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.17763.503",
"request_path": "/",
"http_accept": null,
"http_host": "LS:5045",
"content_type": "application/json",
"content_length": "92",
"http_version": "HTTP/1.1",
"request_method": "POST"
},
"Domain": "domain.com"
},
"fields": {
"@timestamp": [
"2019-06-12T15:54:06.141Z"
]
},
"sort": [
1560354846141
]
}

Thanks again Badger.

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.