Log Insight: Using the Ingestion API

As I am sure you know, Log Insight 2.0 features an ingestion API, which makes it possible to ingest information without use of the syslog protocol. The API uses a JSON string to send events to Log Insight and also supports the ability to pass fields during ingestion time. An example of a JSON message would be:

Depending on your operating system, you have a variety tools to send API events like the above. For example:

Depending on the method you choose and the format in which you pass the information you will get one of the following return codes:

  • 200 OK
  • 400 Bad Request
  • 500 Internal Server Error
  • 503 Service Unavailable

Unless you receive 200 OK something is wrong that needs to be corrected. If you get 503 Service Unavailable then the issue is either server-side or network related. The 400 and 500 error codes point to a client-side error. The question becomes, how do you fix client-side errors?

api

URL

Verify that the URL being used is in the right format:

Where:

  • _loginsight_ is the FQDN/hostname/IP of your Log Insight instance
  • _agentId_ is a unique identifier for the device sending events to Log Insight

Note:

The _agentId_ does not require the use of the Log Insight Windows agent. The <agentId> is meant to uniquely identify the device sending events to Log Insight like the hostname field does in the syslog protocol.

An example of a valid URL is provided in the documentation:

Note that any agentId can be used so the following is also valid:

Header

This part is critical and can be easily overlooked. You need to ensure that the header is set to the following:

In cURL, a header can be set using the -H flag. For example:

Gotcha:

In the introduction I mentioned the use of the .NET REST post. It appears this client always sends it own header (x-www-form-urlencoded) even if you explicitly set a header (application/json). This results in ingestion API requests failing 400 Bad Request. If you believe you have formatted the event properly for the ingestion API and you are still receiving errors, use packet analysis (e.g. Wireshark on Windows or tcpdump on Linux) to see if the wrong header is being passed.

Event(s)

The event(s) must be in the following JSON format:

Note:

If “timestamp” is not present, the server uses arrival time. If “fields”[].”content” is not present, then”startPosition” and “length” must be present and must point to a valid position in the “text” field string.

Gotcha:

Be sure to escape nested quotations! For example, in Windows the cURL command would look like the following:

Summary

The Log Insight ingestion API is simple and powerful way to ingest any unstructured data. The Log Insight Windows agent defaults to using the ingestion API to provide capabilities beyond those provided in the syslog protocol. You can use the ingestion API to remove the dependency on using a syslog agent and the syslog protocol for sending events to Log Insight.

© 2014 – 2015, Steve Flanders. All rights reserved.

Leave a Reply