Elastic Agent http_endpoint integration does not allow multiple include headers

[psanz-estc]

In Elastic Agent http_endpoint integration there is a configuration called include_headers.

If you only set a single header here, it is working fine (e.g. only x-real-ip will add the headers.X-Real-Ip field in the indexed document).

As soon as you set multiple headers (e.g. x-real-ip and user-agent), it will not set any headers.* field.

That configuration translates into:

 - data_stream:
      dataset:user-events
    id: http_endpoint-http_endpoint.generic-ad5d8570-0456-11ee-a2d5-1234567890
    include_headers: user-agent,x-real-ip
    listen_address: 0.0.0.0
    listen_port: 8080
    pipeline: logs-user-events
    preserve_original_event: true

But as mentioned, the fields are not populated.

[elasticmachine]

Pinging @elastic/security-external-integrations (Team:Security-External Integrations)

[efd6]

That include_headers value doesn't look right, it should be a sequence, but instead the elements have been catted with a comma. This means that what filebeat will see is a single header "user-agent,x-real-ip". When the JSON API doc is requested, it does show up as an array.