Logstash and http-output plugin


#1

hi all,
i've made a config file like this:

input {
    file {
        add_field => {"[@metadata][cl_cert]" => "cert.crt"}
        add_field => {"[@metadata][cl_key]" => "private-key.pem"}
        path => "/var/log/*.json"
        start_position => "beginning"
    }
}

filter {
.................
}

output {
        http {
            http_method => "post"
            automatic_retries => 50
            format => "json"
            url => "https://xxx/xxx.php"
            cacert => "/etc/ssl/certs/xxxx.pem"
            client_cert => "/etc/logstash/%{[@metadata][cl_cert]}"
            client_key => "/etc/logstash/%{[@metadata][cl_key]}"
}

But i obtain this error:

  # This setting must be a path
  # File does not exist or cannot be opened %{[@metadata][client_cert]}
  client_cert => "%{[@metadata][cl_cert]}"


  # This setting must be a path
  # File does not exist or cannot be opened %{[@metadata][client_key]}
  client_key => "%{[@metadata][cl_key]}"

The path is correct and the certificate can be used in the http output plugin if i change these lines

                client_cert => "/etc/logstash/cert.crt"
                client_key => "/etc/logstash/private-key.pem"

How can i avoid this problem?


(Aaron Mildenstein) #2

I don't think that the output settings are configured to do string interpolation (obtain values from fields). This is an interesting and uncommon use-case. I presume that you eventually intend to have multiple keys in the directory, and will dynamically assign them as needed.

The problem is that the http output plugin does not calculate the key for every single event, as this would slow the outbound flow dramatically. Instead, it creates a client connection at start-up, and that requires that the client_cert and client_key be hard-coded at plugin initialization time. If you need to have multiple certificates, your best bet is to use conditionals to route between multiple http output blocks in your configuration, with each having a hard-coded key.


(system) #3