Export http payload #2167

Merged
merged 1 commit into from
Aug 11, 2016
monicasarbu (Contributor) commented Aug 3, 2016

This PR is trying to solve #2143

With this change, the user doesn't need to export the raw request and response in order to index the HTTP body in Elasticsearch. With this PR, the user can specify a list of content types in the `include_body_for` configuration option, and export for those HTTP requests/responses the HTTP body under `http.request.body` or `http.response.body`.

The PR includes the following changes in the http module of Packetbeat:

  • group fields by request and response, so http.request and http.response are created
  • add headers to http.request and http.response. If send_all_headers is enabled, then all HTTP headers are exported; if it's disabled, then only the Content-Type (if it's not empty) and Content-Length are exported.
  • add body to the http.request or http.response if the content-type is part of the include_body_for configuration option.
  • export params under http.request
  • export code and phrase under http.response

Here is what an HTTP event looks like:

{
  "@timestamp": "2016-08-03T11:47:53.404Z",
  "beat": {
    "hostname": "mar.local",
    "name": "mar.local"
  },
  "bytes_in": 1431,
  "bytes_out": 1997,
  "client_ip": "192.168.0.86",
  "client_port": 50752,
  "client_proc": "",
  "client_server": "",
  "http": {
    "request": {
      "body": "...",
      "headers": {
        "accept": "application/json, text/javascript, */*; q=0.01",
        "accept-encoding": "gzip, deflate",
        "accept-language": "en-US,en;q=0.8",
        "connection": "keep-alive",
        "content-length": "943",
        "content-type": "application/x-www-form-urlencoded; charset=UTF-8",
        "host": "192.168.0.86:9200",
        "origin": "chrome-extension://lhjgkmllcaadmopgmanpapmpjgmfcfig",
        "user-agent": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_11_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.103 Safari/537.36"
      },
      "params": "..."
    },
    "response": {
      "body": "...",
      "code": 200,
      "headers": {
        "content-length": "1909",
        "content-type": "application/json; charset=UTF-8"
      },
      "phrase": "OK"
    }
  },
  "ip": "192.168.0.86",
  "method": "POST",
  "path": "/logstash-*/_search",
  "port": 9200,
  "proc": "",
  "query": "POST /logstash-*/_search",
  "request": "...",
  "response": "...",
  "responsetime": 362,
  "server": "",
  "status": "OK",
  "type": "http"
}

NOTE: the Packetbeat dashboards need to be updated in a separate PR
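
An added example (not Packetbeat's code) that models the export rules listed in the description above: which headers are kept depending on `send_all_headers`, and that the body is selected by the declared Content-Type alone. The `Export` and `Sample` names, the substring match on the content type, and the sample request are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// Export builds the http.request / http.response object from a message's
// headers (names already lower-cased) and body, following the rules in the PR
// description. Substring matching of the content type is an assumption.
func Export(headers map[string]string, body string,
	sendAllHeaders bool, includeBodyFor []string) map[string]interface{} {
	kept := map[string]string{}
	for name, value := range headers {
		if sendAllHeaders || name == "content-length" ||
			(name == "content-type" && value != "") {
			kept[name] = value
		}
	}
	out := map[string]interface{}{"headers": kept}
	// Only the declared Content-Type is consulted; the body is never sniffed.
	declared := strings.ToLower(headers["content-type"])
	for _, want := range includeBodyFor {
		if want != "" && strings.Contains(declared, strings.ToLower(want)) {
			out["body"] = body
			break
		}
	}
	return out
}

// Sample is a constructed request: a JSON body sent under a form-urlencoded
// Content-Type, the mismatch mentioned later in this thread.
func Sample() (map[string]string, string) {
	return map[string]string{
		"content-type":   "application/x-www-form-urlencoded; charset=UTF-8",
		"content-length": "26",
		"user-agent":     "constructed-client/1.0",
	}, `{"query":{"match_all":{}}}`
}

func main() {
	h, b := Sample()
	fmt.Println(Export(h, b, false, []string{"application/json"}))
	fmt.Println(Export(h, b, false, []string{"urlencoded"}))
	fmt.Println(Export(h, b, true, nil))
}
```

With `include_body_for` set to `application/json` only, the mislabelled JSON body in the sample is not exported, which matters when the exported body is what a detection or search relies on.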

monicasarbu added the in progress and Packetbeat labels Aug 3, 2016
monicasarbu added the review label and removed the in progress label Aug 3, 2016
monicasarbu changed the title from "Export http body fields" to "Export http payload" Aug 3, 2016
tsg (Contributor) commented Aug 4, 2016

We should mention the new body field in the Changelog.


Example configuration:
In addition, `http.request.body` and `http.response.body` is exported for all HTTP messages whose content type is part

s/is exported/are exported

monicasarbu (Contributor, Author) commented

All the comments were addressed.

monicasarbu (Contributor, Author) commented

The PR is ready for the final review. I added more tests to cover more use cases.

monicasarbu (Contributor, Author) commented Aug 9, 2016

I added a test with a wrong Content-Type value. The POST request generated by Console/Sense/curl contains form-urlencoded in the Content-Type, but the attachment is a JSON object. I opened an issue in Kibana. I adjusted the test to make it pass for now, so the fix is not a blocker.

monicasarbu force-pushed the add_body_json branch 2 times, most recently from 7fa977e to 2de53f2, August 10, 2016 20:03
monicasarbu added a commit to monicasarbu/beats that referenced this pull request Aug 11, 2016

assert len(o["http.response.headers"]) > 0
assert "Content-Length" in o["http.response.headers"]
assert "Content-Type" in o["http.response.headers"]
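Review bot: the `len(o["http.response.headers"]) > 0` check on the first line is already implied by the two membership assertions after it, so it adds no coverage. If this case is meant to exercise a different configuration from its neighbours, assert on the header values or on a header that only this configuration exports, rather than on presence alone.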

Did you intend to check more headers here? Like this it's identical to the test above it.

tsg pushed a commit that referenced this pull request Aug 11, 2016
* Fix the examples from the docs
* Update the fields as they are named in #2167
* A few more field names updates
tsg merged commit 7692cb6 into elastic:master Aug 11, 2016
dedemorton added a commit to dedemorton/beats that referenced this pull request Aug 27, 2016
monicasarbu pushed a commit that referenced this pull request Aug 29, 2016