2 Replies Latest reply on Jul 18, 2019 4:10 AM by adam.beedell

    Cannot send a post JSON to elasticsearch, on a alert

    benoit.dorval@promutuel.ca

      Outside of ORION,  the request is good.  We can post the same request whitout problem in a other editor (good url, good body).

       

      We need to specify the header, to :" Content-Type: application/json; charset=utf-8 ", but we don't understand how.

       

      How do we set the headear parameter for a post (in the alert context)?

       

      Context: When an alert occur, we want to send a post to elasticsearch.

      Context: Send a message

      A error occur.

      An error occur

        • Re: Cannot send a post JSON to elasticsearch, on a alert
          joedissmeyer

          benoit.dorval@promutuel.ca,I have the exact same issue. I need to inject specific HTTP headers into my POST messages if I was to send events to Elasticsearch because we have X-Pack security enabled in our Elastic stack clusters.

           

          According to this thread, Re: HTTP Headers in Alert Actions - POST/Get URL , the GET/POST JSON feature in the alert actions is highly limited and does NOT allow you to add or edit the HTTP headers. Only simple POST messages work using this feature.

           

          So instead there are two options:

          1. POST the message to a Logstash endpoint instead of Elasticsearch directly -- or equivalent alternative like Graylog or something like that. When using Logstash have your pipeline input listen for the JSON data (you choose the TCP port), filter if needed, then output to your desired Elasticsearch index.
          2. Use an alert action to execute a custom powershell script. This is the closest example on Thwack: Alert Action using powershell script. In the example, they are trying to POST to Splunk so modifying to POST to Logstash or Elasticsearch instead should be trivial.

           

          - Joey D

          • Re: Cannot send a post JSON to elasticsearch, on a alert
            adam.beedell

            Ya cant edit the header at the mo - It's stuck in an old crappy format and JSON is out.

            (They've recently made JSON application monitors a thing so I'm hoping for an update)

             

            You've either got to configure your endpoint to accept the current header and body text (values seperated by "=" etc), or export your data to powershell or similar to build the rest of the JSON as Joe said