How to configure a Logstash HTTP input

A Logstash HTTP input provides a simple webhook-style endpoint for ingesting events from applications, CI/CD jobs, and external services without custom shippers or message brokers.

The http input plugin opens a listener on a chosen host and port, accepts HTTP requests, and turns each request body into a Logstash event. When paired with the json codec, JSON payloads are decoded into event fields for downstream filters and outputs.

Exposing an unauthenticated HTTP listener can leak data or allow event injection, so the listener address and network access controls matter as much as the pipeline itself. Keep the listener bound to localhost when possible, or enforce TLS, authentication, and firewall rules when remote systems must connect.

Steps to configure a Logstash HTTP input:

Create a pipeline configuration file at /etc/logstash/conf.d/20-http-input.conf.
```
input {
  http {
    host => "127.0.0.1"
    port => 8080
    codec => json
  }
}

output {
  elasticsearch {
    hosts => ["http://elasticsearch.example.net:9200"]
    index => "http-events-%{+YYYY.MM.dd}"
  }
}
```
Binding to 127.0.0.1 limits requests to the local host. Changing host to 0.0.0.0 exposes the listener on all interfaces and requires TLS, authentication, and firewall rules.

Test the pipeline configuration.

$ sudo /usr/share/logstash/bin/logstash --path.settings /etc/logstash --config.test_and_exit
Using bundled JDK: /usr/share/logstash/jdk
Sending Logstash logs to /var/log/logstash which is now configured via log4j2.properties
[2026-01-07T11:49:38,961][WARN ][logstash.runner          ] NOTICE: Running Logstash as a superuser is strongly discouraged as it poses a security risk. Set 'allow_superuser' to false for better security.
[2026-01-07T11:49:38,966][INFO ][logstash.runner          ] Starting Logstash {"logstash.version"=>"8.19.9", "jruby.version"=>"jruby 9.4.9.0 (3.1.4) 2024-11-04 547c6b150e OpenJDK 64-Bit Server VM 21.0.9+10-LTS on 21.0.9+10-LTS +indy +jit [aarch64-linux]"}
##### snipped #####
[2026-01-07T11:49:39,840][INFO ][logstash.javapipeline    ] Pipeline `main` is configured with `pipeline.ecs_compatibility: v8` setting. All plugins in this pipeline will default to `ecs_compatibility => v8` unless explicitly configured otherwise.
Configuration OK
[2026-01-07T11:49:39,840][INFO ][logstash.runner          ] Using config.test_and_exit mode. Config Validation Result: OK. Exiting Logstash

Restart the Logstash service.
```
$ sudo systemctl restart logstash
```
Related: How to manage the Logstash service with systemctl in Linux

Check the Logstash service status for a running state and recent errors.

$ sudo systemctl status logstash --no-pager
● logstash.service - logstash
     Loaded: loaded (/usr/lib/systemd/system/logstash.service; enabled; preset: enabled)
     Active: active (running) since Wed 2026-01-07 11:50:13 UTC; 2s ago
   Main PID: 23536 (java)
      Tasks: 31 (limit: 28486)
     Memory: 384.4M (peak: 384.5M)
        CPU: 9.818s
##### snipped #####
Jan 07 11:50:13 host systemd[1]: Started logstash.service - logstash.
Jan 07 11:50:13 host logstash[23536]: Using bundled JDK: /usr/share/logstash/jdk

Verify Logstash is listening on port 8080.

$ sudo ss -lntp | grep -E '8080'
LISTEN 0      128    [::ffff:127.0.0.1]:8080             *:*    users:(("java",pid=23536,fd=170))

Send a test JSON event to the HTTP input endpoint.

$ curl -s -i -X POST 'http://127.0.0.1:8080' -H 'Content-Type: application/json' -d '{"message":"hello from http input 2026-01-07T11:51:28Z","service":"webhook"}'
HTTP/1.1 200 OK
content-length: 2
content-type: text/plain

ok

Payload decoding depends on the codec setting and request Content-Type.

Search the target Elasticsearch index for the test event.

$ curl -s 'http://elasticsearch.example.net:9200/http-events-*/_search?q=service:webhook%20AND%20message:%22hello%20from%20http%20input%202026-01-07T11:51:28Z%22&pretty'
{
  "took" : 13,
  "timed_out" : false,
  "_shards" : {
    "total" : 1,
    "successful" : 1,
    "skipped" : 0,
    "failed" : 0
  },
  "hits" : {
    "total" : {
      "value" : 1,
      "relation" : "eq"
    },
    "max_score" : 27.213663,
    "hits" : [
      {
        "_index" : "http-events-2026.01.07",
        "_id" : "wtVLmJsBMfcBipKWat4I",
        "_score" : 27.213663,
        "_source" : {
          "@timestamp" : "2026-01-07T11:50:37.715921926Z",
          "user_agent" : {
            "original" : "curl/8.5.0"
          },
          "host" : {
            "ip" : "127.0.0.1"
          },
          "http" : {
            "method" : "POST",
            "request" : {
              "body" : {
                "bytes" : "76"
              },
              "mime_type" : "application/json"
            },
            "version" : "HTTP/1.1"
          },
          "event" : {
            "original" : "{\"message\":\"hello from http input 2026-01-07T11:51:28Z\",\"service\":\"webhook\"}"
          },
          "service" : "webhook",
          "message" : "hello from http input 2026-01-07T11:51:28Z",
          "@version" : "1",
          "url" : {
            "domain" : "127.0.0.1",
            "path" : "/",
            "port" : 8080
          },
          "ingest_source" : "beats"
        }
      }
    ]
  }
}

Clusters with security enabled may require TLS and authentication on the request.

Author: Mohd Shakir Zakaria
Mohd Shakir Zakaria is a cloud architect with deep roots in software development and open-source advocacy. Certified in AWS, Red Hat, VMware, ITIL, and Linux, he specializes in designing and managing robust cloud and on-premises infrastructures.