Logstash output http from a curl command

Hi, I need to go from Logstash to a web REST API. I'm having trouble converting a curl command into the output { http {}} format. Any suggestions would be appreciated. There aren't many examples.

This is the curl command that works:
curl -X PUT "http://192.168.4.148:5000/indicators" -H "accept: application/json" -H "Content-Type: application/json" -d '{"indicator":"%{src_ip}", "group": "everyone", "provider": "laFusionCenter:%{type}", "confidence":"4", "tlp":"green", "count":"%{count}"}'

I *think* I'd want to use format "message", with the message being your JSON string.
Any suggestions or help would be appreciated.

I'm closer, but still getting errors. Any suggestions would be appreciated.
output {
  elasticsearch {
    hosts => ["http://192.168.4.140:9200"]
    index => "tpot19-%{+yyyy-MM}"
  }
  http {
    url => "http://csirtg.io/api/users/darrell/feeds/HP19/indicators/"
    http_method => "post"
    format => "json"
    message => "{ "indicator": { "indicator": %{src_ip}, "itype": "ipv4", "description": "tsec honeypot19 - %{type}", "tags": [ "honeypot-%{type}" ] }}"

    headers => {
      "Authorization" => "d82b91dcc2c6190d49c8XXXXXXXXXXXX"
      "accept" => "application/json"
    } #end headers
  }
}

I finally got it. I needed a "put", not a "post", and my message was off:

output {
  elasticsearch {
    hosts => ["http://192.168.4.140:9200"]
    index => "tpot19-%{+yyyy-MM}"
  }
  http {
    url => "http://192.168.4.148:5000/indicators"
    http_method => "put"
    content_type => "application/json"
    format => "message"
    message => '[
      {
        "indicator": "%{src_ip}",
        "group": "everyone",
        "itype": "ipv4",
        "tlp": "green",
        "provider": "center",
        "confidence": 4,
        "tags": %{tags}
      }
    ]'
    headers => {
      'Accept' => 'application/json'
      'Content-type' => 'application/json'
    } #end headers
  }
}
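
A line-by-line translation of the curl command from the first post into an `http` output, as an added example that is not part of the original thread. It uses the plugin's `mapping` option with `format => "json"` so the plugin serializes the body itself instead of relying on a hand-quoted `message` string. It assumes the endpoint accepts the single JSON object that the curl command sent, rather than the array used in the final post.

```logstash
output {
  http {
    # curl -X PUT "http://192.168.4.148:5000/indicators"
    url => "http://192.168.4.148:5000/indicators"
    http_method => "put"

    # curl -H "Content-Type: application/json"
    # With format "json" the plugin JSON-encodes the body and sends
    # Content-Type: application/json by default.
    format => "json"

    # curl -H "accept: application/json"
    headers => {
      "Accept" => "application/json"
    }

    # curl -d '{"indicator":"%{src_ip}", ...}'
    # Each value is sprintf-expanded per event, then the whole hash is
    # serialized as one JSON object. All values are sent as strings,
    # matching the quoted values in the curl command.
    mapping => {
      "indicator"  => "%{src_ip}"
      "group"      => "everyone"
      "provider"   => "laFusionCenter:%{type}"
      "confidence" => "4"
      "tlp"        => "green"
      "count"      => "%{count}"
    }
  }
}
```

Because the plugin does the JSON encoding here, a field value that contains a quote or backslash is escaped instead of breaking the request body.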
