I'm trying to get some kind of data enrichment using an API call to Abuse.ch as documents come into the pipeline. The logstash-filter-http plugin seems like the right answer; however, it isn't working for what I need it to do. I've tried reinstalling the plugin and it still seems to be giving me the same kind of error. Any help is appreciated!
Debug pipeline: sudo bin/logstash --debug -e ' input { stdin{} } filter { http { url => "https://mb-api.abuse.ch/api/v1/" verb => "POST" body => {"query" => "get_info" "hash" => "7de2c1bf58bce09eecc70476747d88a26163c3d6bb1d85235c24a558d1f16754"} }} output { stdout { codec => rubydebug }}'
I intend to have it sprintf part of the document into the hash field of the request as well.
A wget example from the API docs: wget --post-data "query=get_info&hash=7de2c1bf58bce09eecc70476747d88a26163c3d6bb1d85235c24a558d1f16754" https://mb-api.abuse.ch/api/v1/
I'm not sure why this is happening as I assume the syntax is similar to the older logstash-filter-rest. This brings me to another question: are there any up-to-date examples for this plugin? The documentation here is pretty sparse for examples. The GitHub repo where the plugin is hosted has an out-of-date readme without relevant examples.
Are there any alternatives if this plugin won't work?
Sure thing, my mistake. The install image isn't really important.
The error screenshot just says this:
:client_error => "Undefined method encoding for #Hash:
Adding the body_format fixed the initial issue but now there's something weirder.
When it sends the request the abuse.ch API endpoint says it's missing a query even though it is in the JSON hash. I've run the wget example from the same host and it returns the data. What about the http filter plugin is different?
It is not clear to me that the Malware Bazaar API is willing to accept the form_data as JSON in the body of a POST. Try putting it in the URL, as you do with wget.
I've also noticed that it's overwriting my content-type header for some reason. I'm not sure if that would cause the API endpoint to reject it or not. Strange.
Got it!
The Content-Type is very important. The plugin is case-sensitive for headers; I needed to use this command:
sudo bin/logstash --debug -e 'input { stdin{} } filter { http { url => "https://mb-api.abuse.ch/api/v1/" verb => "POST" body => "query=get_info&hash=7de2c1bf58bce09eecc70476747d88a26163c3d6bb1d85235c24a558d1f16754" headers => {"Content-Type" => "application/x-www-form-urlencoded"}}} output { stdout { codec => rubydebug }}'
body_format doesn't matter if the type is a string; it works with and without it.
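As an added example (not code from the thread, the plugin docs or the Abuse.ch project), here is the working form-encoded request turned into a full pipeline file that expands a per-event field into the body, which is what the original poster set out to do. The `generator` input and its sample event, the field name `[file][hash][sha256]`, the `malwarebazaar` target namespace and the `query_status` response field are assumptions.

```logstash
input {
  # Constructed sample event standing in for a real source such as beats or kafka.
  generator {
    count   => 1
    message => '{"file":{"hash":{"sha256":"7de2c1bf58bce09eecc70476747d88a26163c3d6bb1d85235c24a558d1f16754"}}}'
    codec   => "json"
  }
}

filter {
  # Only call out when the field exists and is a well-formed SHA-256.
  # The sprintf'd body is not URL-encoded by the plugin, so an untrusted value
  # containing "&" or "=" could otherwise rewrite the form parameters.
  if [file][hash][sha256] and [file][hash][sha256] =~ /^[0-9a-fA-F]{64}$/ {
    http {
      url  => "https://mb-api.abuse.ch/api/v1/"
      verb => "POST"
      # Form-encoded string body, as in the working command above; the field
      # reference is expanded for every event.
      body => "query=get_info&hash=%{[file][hash][sha256]}"
      # Header names are case-sensitive; a lowercase "content-type" gets overwritten.
      headers => { "Content-Type" => "application/x-www-form-urlencoded" }
      # Keep the enrichment in its own namespace instead of the default [body]/[headers].
      target_body    => "[malwarebazaar][response]"
      target_headers => "[malwarebazaar][headers]"
      request_timeout => 10
    }
    # Assumed response shape (API behaviour, not something the thread shows): the JSON
    # body is decoded into the target and carries "query_status", where only "ok" means
    # the sample is known. Anything else, including a failed request, is tagged for triage.
    if [malwarebazaar][response][query_status] != "ok" {
      mutate { add_tag => ["malwarebazaar_no_match"] }
    }
  }
}

output { stdout { codec => rubydebug } }
```

Save it as a file and run it with bin/logstash -f that-file.conf; the regex guard also keeps events without a hash from generating a request at all.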