Logstash HTTP POST: filter or output (which would be better), and can it not wait for a response?

Hi,
I'm working on an interesting project. I have a honeypot (tpot19 https://github.com/dtag-dev-sec/tpotce) that gathers threat intelligence info. Its back end is ELK. I need to send this info to another platform that uses a REST API.

I can send it either in a filter { http { blah blah blah } } or an output { http { blah blah blah } }.

I've got it working with the filter http, but it's VERY slow, ridiculously slow. I think it's waiting on a response from the REST API. I don't need it to respond or wait for a response. I've looked through the docs and I don't see anything to tell it not to wait for a response.

As for the output { http {} }, the format configuration options seem completely different from the filter version of http. Same question: would this be a better choice? Is there an option to tell it not to wait on a response from the other server? I don't see anything in the documentation.

Here is the filter version of the HTTP POST. This works but is VERY slow:

filter {
        http {
                url => "http://192.168.4.9:5000/indicators/"

                # request body; each "%{...}" field reference is filled in per event
                body => {                        # hash (optional, available for method => "get" and "post$
                        "indicator" => "%{[src_ip]}"
                        "group" => "everyone"
                        "provider" => "HoneyPot"
                        "confidence" => "4"
                        "tlp" => "green"
                }
                verb => "POST"
                body_format => "json"            # body hash is serialised as JSON
                headers => {
                        "Authorization" => "03ae4a2de8e5a017d41d213e1dbb446583c88db9fXXXXX"
                        "accept" => "application/json"
                } # end headers
                automatic_retries => 4
                # the REST API's reply is stored on the event under [threat]
                target_headers => "[threat][headers]"
                target_body => "[threat][body]"
        } # end http
} # end filter

Would using the output { http {} } be better/faster?

Here is the curl command I need to send through Logstash:
curl -i -k \
  -H "Content-Type: application/json" \
  -XPOST -H "Authorization: 41458f0fb710d29af79088eXXXXXX" \
  'http://localhost:5000/indicators/' \
  -d '{"indicator":"badbadplace.com", "group": "everyone", "provider": "Honeypot", "confidence":"4", "tlp":"green"}'

I don't understand if I need to use "mapping" or "body".

any suggestions would be appreciated
Darrell
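For reference, here is the output { http {} } equivalent of the curl command in the post, written as an added example (it is not from the original post, the T-Pot project, or the Logstash docs). In the http output the request body is built from `mapping` together with `format => "json"`, which is the counterpart of the filter's `body` plus `body_format => "json"`, and `http_method` takes the place of `verb`. The endpoint URL and field names are taken from the post; the token is a placeholder, and the `pool_max` / `pool_max_per_route` values are assumed tuning knobs for how many concurrent connections the output may keep open.

```logstash
output {
  http {
    url => "http://192.168.4.9:5000/indicators/"   # same endpoint as the filter version
    http_method => "post"
    format => "json"                               # body is the JSON encoding of `mapping`
    content_type => "application/json"
    mapping => {
      "indicator"  => "%{[src_ip]}"                # field references are interpolated per event
      "group"      => "everyone"
      "provider"   => "HoneyPot"
      "confidence" => "4"
      "tlp"        => "green"
    }
    headers => {
      "Authorization" => "REPLACE_WITH_API_TOKEN"  # placeholder; keep the real token out of shared configs
      "accept"        => "application/json"
    }
    automatic_retries => 4
    pool_max => 50                                 # assumed value: concurrent connections in total
    pool_max_per_route => 25                       # assumed value: concurrent connections to this host
  }
}
```

Two caveats a practitioner should keep in mind. First, `format => "json_batch"` would send a JSON array of events per request, which does not match the single-object payload the curl command shows, so for this API `format => "json"` with `mapping` is the right choice. Second, neither plugin has a fire-and-forget mode: both issue the request and wait for the HTTP response before the event is considered done, so throughput comes from parallelism (pipeline workers and the pool settings above) rather than from skipping the response, and a slow or unreachable REST endpoint combined with `automatic_retries => 4` will stall the pipeline in either form.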
