email@example.com, I have the exact same issue. I need to inject specific HTTP headers into my POST messages if I were to send events to Elasticsearch because we have X-Pack security enabled in our Elastic stack clusters.
According to this thread, Re: HTTP Headers in Alert Actions - POST/Get URL, the GET/POST JSON feature in the alert actions is highly limited and does NOT allow you to add or edit the HTTP headers. Only simple POST messages work using this feature.
So instead there are two options:
- POST the message to a Logstash endpoint instead of Elasticsearch directly -- or equivalent alternative like Graylog or something like that. When using Logstash have your pipeline input listen for the JSON data (you choose the TCP port), filter if needed, then output to your desired Elasticsearch index.
- Use an alert action to execute a custom PowerShell script. This is the closest example on Thwack: Alert Action using powershell script. In the example, they are trying to POST to Splunk so modifying to POST to Logstash or Elasticsearch instead should be trivial.
- Joey D
Ya can't edit the header at the mo - It's stuck in an old crappy format and JSON is out.
(They've recently made JSON application monitors a thing so I'm hoping for an update)
You've either got to configure your endpoint to accept the current header and body text (values separated by "=" etc), or export your data to PowerShell or similar to build the rest of the JSON as Joe said
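
The PowerShell route mentioned in both posts above (the custom-script alert action, and building the JSON in PowerShell) could look like the following. This is an added example, not code from the thread or from SolarWinds. The endpoint URL, index name, credential file path and parameter names are assumptions; the alert action's command line would supply the parameter values.

```powershell
# Added example: alert-action script that posts one alert to Elasticsearch with an auth header.
# Assumed (not from the thread): endpoint URL, index name, credential path, parameter names.
param(
    [Parameter(Mandatory)] [string] $AlertName,
    [Parameter(Mandatory)] [string] $NodeName,
    [string] $Severity = 'unknown',
    [string] $EsUrl    = 'https://es.example.internal:9200/solarwinds-alerts/_doc',
    [string] $CredPath = 'C:\Scripts\es-writer.cred.xml'
)

$ErrorActionPreference = 'Stop'
# Windows PowerShell 5.1 may negotiate older protocols unless TLS 1.2 is requested.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

# Credential file created once, as the account the alert action runs under, with:
#   Get-Credential | Export-Clixml -Path C:\Scripts\es-writer.cred.xml
# Export-Clixml protects the password with DPAPI, so only that account on that host can read it.
$cred  = Import-Clixml -Path $CredPath
$pair  = '{0}:{1}' -f $cred.UserName, $cred.GetNetworkCredential().Password
$basic = [Convert]::ToBase64String([Text.Encoding]::UTF8.GetBytes($pair))

# The header the built-in GET/POST action cannot add.
$headers = @{ Authorization = "Basic $basic" }

# ConvertTo-Json escapes quotes and control characters in the alert fields.
$body = [ordered]@{
    '@timestamp' = (Get-Date).ToUniversalTime().ToString('o')
    alert_name   = $AlertName
    node         = $NodeName
    severity     = $Severity
    source       = 'solarwinds'
} | ConvertTo-Json -Compress

try {
    # Send the body as UTF-8 bytes so non-ASCII node names survive on PowerShell 5.1.
    $resp = Invoke-RestMethod -Uri $EsUrl -Method Post -Headers $headers `
        -ContentType 'application/json; charset=utf-8' `
        -Body ([Text.Encoding]::UTF8.GetBytes($body))
    Write-Output "indexed _id=$($resp._id) result=$($resp.result)"
}
catch {
    # Report the failure without echoing the Authorization header or password.
    Write-Error "Elasticsearch POST failed: $($_.Exception.Message)" -ErrorAction Continue
    exit 1
}
```

Give the Elasticsearch account used here write access to the one alert index only, so a leaked credential file cannot read or modify other data.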