Logstash output http from a curl command

stcdarrell · April 16, 2020, 5:53pm

hi, i need to go from logstash to a web restAPI, i'm having trouble converting a curl command into the output { http {}} format. any suggestions would be appreciated.. there arent many examples..

This is the curl command that works:
curl -X PUT "http://192.168.4.148:5000/indicators" -H "accept: application/json" -H "Content-Type: application/json" -d '{"indicator":"%{src_ip}", "group": "everyone", "provider": "laFusionCenter:%{type}", "confidence":"4", "tlp":"green", "count":"%{count}"}'

I * think * I’d want to use format “message” and the message being you json string..
any suggestions or help would be appreciated.

stcdarrell · April 17, 2020, 2:15pm

I'm closer, but still getting errors, any suggestions would be appreciated
output {
elasticsearch {
hosts => ["http://192.168.4.140:9200"]
index => "tpot19-%{+yyyy-MM}"
}
http {
url => "http://csirtg.io/api/users/darrell/feeds/HP19/indicators/"
http_method => "post"
format => "json"
message => "{ "indicator": { "indicator": %{src_ip}, "itype": "ipv4", "description": "tsec honeypot19 - %{type}", "tags": [ "honeypot-%{type}" ] }}"

        headers => {
                "Authorization" => "d82b91dcc2c6190d49c8XXXXXXXXXXXX"
                "accept" => "application/json"
        } #end headers
  }
}

stcdarrell · April 26, 2020, 2:53am

i finally got it.. i needed a "put" not a "post" and my message was off:

output {
  elasticsearch {
    hosts => ["http://192.168.4.140:9200"]
    index => "tpot19-%{+yyyy-MM}"
  }
  http {
                url => "http://192.168.4.148:5000/indicators"
                http_method => "put"
                content_type => "application/json"
                format => "message"
                message => '[
                                {
                                        "indicator": "%{src_ip}",
                                        "group": "everyone",
                                        "itype": "ipv4",
                                        "tlp": "green",
                                        "provider": "center",
                                        "confidence": 4,
                                        "tags": %{tags}
                        }
                ]'
                headers => {
                        'Accept' => 'application/json'
                        'Content-type' => 'application/json'
                } #end headers
  }
}

system · May 24, 2020, 2:53am

This topic was automatically closed 28 days after the last reply. New replies are no longer allowed.