Logstash: HTTP Poller Formatting Issue

I am trying to use the HTTP poller to automate a curl command that I am able to run successfully in my environment. I am trying to run a query, put the results through a pipeline and then send the output to elasticsearch. Right now I am relying on bash scripts. I am trying to make use of the HTTP poller, but I am having issues with formatting the query.

The following is the curl:

curl -X POST -k --header "x-apikey: accesskey=xxxx; secretkey=xxx" https://xxxx/rest/analysis/download -d'
{
"query":{
"id":156002
},
"sourceType":"cumulative",
"sortField":"severity",
"startOffset":0,
"endOffset":100,
"type":"vuln",
"columns":[
{"name":"pluginID"},
{"name":"pluginName"},
{"name":"familyPlugin"},
{"name":"severity"},
{"name":"ip"},
{"name":"protocol"},
{"name":"port"},
{"name":"exploitAvailable"},
{"name":"repositoryID"},
{"name":"macAddress"},
{"name":"dnsName"},
{"name":"netbiosName"},
{"name":"pluginText"},
{"name":"firstSeen"},
{"name":"lastSeen"},
{"name":"exploitFrameworks"},
{"name":"synopsis"},
{"name":"description"},
{"name":"solution"},
{"name":"seeAlso"},
{"name":"riskFactor"},
{"name":"stigSeverity"},
{"name":"baseScore"},
{"name":"temporalScore"},
{"name":"cvssVector"},
{"name":"cpe"},
{"name":"cve"},
{"name":"bid"},
{"name":"xref"},
{"name":"vulnPubDate"},
{"name":"patchPubDate"},
{"name":"pluginPubDate"},
{"name":"PluginModDate"},
{"name":"exploitEase"},
{"name":"checkType"},
{"name":"version"}
]
}'

This is the query I am attempting with the HTTP Poller, but I am having trouble with formatting. I am unable to get the body of the query to run without throwing an error:

input {
    http_poller {
        urls => {
            acas => {
                method => POST
                url => "https://xxxxxx/rest/analysis/download"
                body => '{
                    "query": {
                        "id":156002
                    }
                    {
                        "sourceType":"cumulative",
                        "sortField":"severity",
                        "startOffset":0,
                        "endOffset":100,
                        "type":"vuln",
                        "columns": []
                    }
                }'                    
                headers => {
                    Accept => "application/json"
                    "x-apikey" => "accesskey=xxxxx; secretkey=xxxxx"
                }
            }
        }
        metadata_target => "http_poller_metadata"
        schedule => { "every" => "1m" }
        cacert => "/etc/logstash/certs/public.crt"
    }
}

#filter {
#    mutate {
#        gsub => [ "[http_poller_metadata][request][headers][x-apikey]", ".*", "xxxxxx"]
#    }
#}

output {
    stdout {
        codec => rubydebug
    }
}

Finally, the output that I am getting when I run the above:

{
              "@timestamp" => 2023-03-02T11:47:36.703Z,
              "error_code" => 13,
                "warnings" => [],
                    "type" => "regular",
    "http_poller_metadata" => {
        "response_headers" => {
            "strict-transport-security" => "max-age=31536000; includeSubDomains",
               "x-content-type-options" => "nosniff",
              "content-security-policy" => "default-src 'self'; script-src 'self' pendo-io-static.storage.googleapis.com app.pendo.io cdn.pendo.io pendo-static-6165929460760576.storage.googleapis.com data.pendo.io cdn.metarouter.io e.metarouter.io api.amplitude.com cdn.amplitude.com *.cloudfront.net analytics.cloud.coveo.com platform.cloud.coveo api.tenable.com; connect-src 'self' app.pendo.io data.pendo.io pendo-static-6165929460760576.storage.googleapis.com cdn.metarouter.io e.metarouter.io api.amplitude.com cdn.amplitude.com *.cloudfront.net analytics.cloud.coveo.com platform.cloud.coveo api.tenable.com; img-src 'self' data: cdn.pendo.io app.pendo.io pendo-static-6165929460760576.storage.googleapis.com data.pendo.io; style-src 'self' app.pendo.io cdn.pendo.io pendo-static-6165929460760576.storage.googleapis.com; frame-ancestors 'self' app.pendo.io; form-action 'self'; block-all-mixed-content; upgrade-insecure-requests; object-src 'none'",
                       "content-length" => "139",
                     "x-xss-protection" => "1; mode=block",
                           "connection" => "close",
                                 "vary" => "x-apikey",
                         "content-type" => "text/html; charset=UTF-8",
                                 "date" => "Thu, 02 Mar 2023 11:47:36 GMT",
                               "server" => "Apache",
                        "cache-control" => "no-cache, no-store",
                              "expires" => "Thu, 19 Nov 1981 08:52:00 GMT",
                            "expect-ct" => "max-age=31536000",
                      "x-frame-options" => "DENY",
                               "pragma" => "no-cache",
                           "set-cookie" => "TNS_SESSIONID=5f9ef37e5c5b131375d9be674677c07a; path=/; secure; HttpOnly; SameSite=Strict"
        },
                    "host" => "xxxxx",
                    "name" => "acas",
         "runtime_seconds" => 0.554463,
        "response_message" => "Bad Request",
                    "code" => 400,
           "times_retried" => 0,
                 "request" => {
             "method" => "post",
            "headers" => {
                "x-apikey" => "accesskey=xxxx; secretkey=xxxxx",
                  "Accept" => "application/json"
            },
                "url" => "https://xxxx/rest/analysis/download",
               "body" => "{\n                    \"query\": {\n                        \"id\":156002\n                    }\n                    {\n                        \"sourceType\":\"cumulative\",\n                        \"sortField\":\"severity\",\n                        \"startOffset\":0,\n                        \"endOffset\":100,\n                        \"type\":\"vuln\",\n                        \"columns\": []\n                    }\n                }"
        }
    },
                "response" => "",
               "error_msg" => "This request is not properly formatted.",
                "@version" => "1",
               "timestamp" => 1677757656
}

Thanks!

As it says, that is not properly formatted. At a minimum you need a comma to separate query and sourceType.

Thanks for responding. What do you mean by:

At a minimum you need a copy to separate query and sourceType.

Are you saying comma? If so, I found that made the change and it is still not working.

Yes, I meant comma, not copy.
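The body in the http_poller config above is not the same JSON as the working curl: besides the missing comma after the "query" object, the remaining fields sit inside a second, bare `{ ... }` block, so adding only the comma still leaves invalid JSON (which matches the "still not working" report). The following is an added Python example, not code from the original post or from Logstash, that checks a body string the way a JSON parser will before it is pasted into the pipeline, shows where each variant fails, and builds the same single-object payload the curl sends. The body strings and the column list are copied from the post; the helper names are my own.

```python
import json

# Request body exactly as it appears in the http_poller config above
# (it is echoed back in http_poller_metadata.request.body of the 400 event).
BROKEN_BODY = """{
    "query": {
        "id":156002
    }
    {
        "sourceType":"cumulative",
        "sortField":"severity",
        "startOffset":0,
        "endOffset":100,
        "type":"vuln",
        "columns": []
    }
}"""

# The same body with only the comma added after the "query" object,
# i.e. the change tried in the thread; the stray inner braces remain.
COMMA_ONLY_BODY = BROKEN_BODY.replace("}\n    {", "},\n    {", 1)

# Column list from the working curl command in the original post.
COLUMNS = [
    "pluginID", "pluginName", "familyPlugin", "severity", "ip", "protocol",
    "port", "exploitAvailable", "repositoryID", "macAddress", "dnsName",
    "netbiosName", "pluginText", "firstSeen", "lastSeen", "exploitFrameworks",
    "synopsis", "description", "solution", "seeAlso", "riskFactor",
    "stigSeverity", "baseScore", "temporalScore", "cvssVector", "cpe", "cve",
    "bid", "xref", "vulnPubDate", "patchPubDate", "pluginPubDate",
    "PluginModDate", "exploitEase", "checkType", "version",
]


def check_body(body: str):
    """Parse a candidate request body; return (ok, message).

    On failure the message names the parser's complaint and the line/column
    it stopped at, which is what a 400 "not properly formatted" hides."""
    try:
        json.loads(body)
        return True, "valid JSON"
    except json.JSONDecodeError as e:
        return False, f"{e.msg} at line {e.lineno} column {e.colno}"


def build_body(query_id: int, start: int = 0, end: int = 100) -> str:
    """Build the payload the curl command sends as ONE JSON object.

    "query" and the other fields are siblings at the top level; "columns"
    is a list of {"name": ...} objects, as in the curl body."""
    payload = {
        "query": {"id": query_id},
        "sourceType": "cumulative",
        "sortField": "severity",
        "startOffset": start,
        "endOffset": end,
        "type": "vuln",
        "columns": [{"name": c} for c in COLUMNS],
    }
    return json.dumps(payload)


def as_logstash_body(body: str) -> str:
    """Render the body for the single-quoted `body => '...'` option used in
    the config above. A single quote inside the JSON would end the Logstash
    string early, so refuse such bodies (json.dumps never emits one, but the
    check is cheap and catches hand-edited bodies)."""
    if "'" in body:
        raise ValueError("body contains a single quote; escape it or use a "
                         "double-quoted Logstash string")
    return "body => '" + body + "'"


if __name__ == "__main__":
    for label, body in (("as posted", BROKEN_BODY), ("comma only", COMMA_ONLY_BODY)):
        ok, msg = check_body(body)
        print(f"{label}: {msg}")
    fixed = build_body(156002)
    print("rebuilt:", check_body(fixed)[1])
    print(as_logstash_body(fixed)[:80] + "...")
```

Run the script and paste the `body => '...'` line it prints into the `acas` entry of the config; that body is byte-for-byte a single JSON object, so the server-side "not properly formatted" error can no longer come from the syntax. Note also that the event above carries the full `x-apikey` header (access key and secret key) under `http_poller_metadata.request.headers`, so the commented-out `mutate`/`gsub` filter in the post, or a `remove_field` on that path, should be enabled before the output stage points at Elasticsearch instead of stdout.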
