You can use the messages/ingest service to send events to a Log Insight server using HTTP POST requests.

The messages/ingest service uses the following syntax.

POST http://loginsight_host:9000/api/v1/messages/ingest/agentId

Note: The Log Insight Ingestion API has a limit of 100 KB per HTTP POST request.

| Parameter | Type | Where to pass | Description |
|---|---|---|---|
| agentId | String | In URL | The UID of the sending agent |
| Events array | Array | In POST body | An array of events. Each event must have the following format. |

{"messages":
 [{
    "text": optional, message text as a string, 
    "timestamp": optional, timestamp encoded as number of milliseconds since Unix epoch, 
    "fields": optional array of 
    [{
      "name": the name of the field,
      "content": optional, the content of the field,
      "startPosition": optional, the start position in the "text",
      "length": optional, the length of the string in the "text",
    },...]
  },...]
}

Note: If "timestamp" is not present, the server uses arrival time. If "fields"[]."content" is not present, then "startPosition" and "length" must be present and must point to a valid position in the "text" field string.

| Name | Type | Description |
|---|---|---|
| HTTP 200 OK, 400 Bad Request, 503 Service Unavailable, 500 Internal Server Error | Integer | Standard HTTP response codes |

On success the service returns HTTP response code 200 and the following JSON string.

{
  "status":"ok"
}

POST http://loginsight:9000/api/v1/messages/ingest/4C4C4544-0037-5910-805A-C4C04F585831

Host: loginsight:9000
Connection: keep-alive
Content-Type: application/json
charset: utf-8
Content-Length: ??

{"messages": [{
               "fields": [
                {"name": "Channel", "content": "Security"},
                {"name": "EventID", "content": "4688"},
                {"name": "EventRecordID", "content": "33311266"},
                {"name": "Keywords", "content": "Audit Success"},
                {"name": "Level", "content": "Information"},
                {"name": "OpCode","content": "Info"},
                {"name": "ProcessID", "content": "4"},
                {"name": "ProviderName", "content": "Microsoft-Windows-Security-Auditing"},
                {"name": "Task", "content": "Process Creation"},
                {"name": "ThreadID", "content": "64"}
               ],
            "text": "A new process has been created.",
            "timestamp": 1396622879241
            }
           ]
}

HTTP/1.1 200 OK

{"status":"ok","message":"messages ingested","ingested":18}
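
The following is an added example, not part of the original page or of the product's own code. It checks each event against the "fields" rule from the note above and splits a list of events into POST bodies that stay under the 100 KB per-request limit. Assumptions: the limit is read conservatively as 100,000 bytes of body, "startPosition" is a zero-based character offset, and the function names and sample events are hypothetical.

```python
import json

MAX_BODY_BYTES = 100_000  # assumption: "100 KB" read as 100,000 bytes of POST body


def validate_event(event):
    """Raise ValueError if a field breaks the content/startPosition/length rule."""
    text = event.get("text", "")
    for field in event.get("fields", []):
        if "name" not in field:
            raise ValueError("field without a name")
        if "content" in field:
            continue
        # No content: startPosition and length must select a span inside text.
        start, length = field.get("startPosition"), field.get("length")
        if not isinstance(start, int) or not isinstance(length, int):
            raise ValueError(f"{field['name']}: needs content or startPosition+length")
        if start < 0 or length < 0 or start + length > len(text):
            raise ValueError(f"{field['name']}: span falls outside text")


def encode(events):
    """Serialize events into the {"messages": [...]} body as UTF-8 bytes."""
    return json.dumps({"messages": events}, separators=(",", ":")).encode("utf-8")


def batch_bodies(events, limit=MAX_BODY_BYTES):
    """Yield encoded POST bodies, each at most `limit` bytes long."""
    batch = []
    for event in events:
        validate_event(event)
        if len(encode([event])) > limit:
            raise ValueError("single event exceeds the per-request limit")
        if batch and len(encode(batch + [event])) > limit:
            yield encode(batch)
            batch = []
        batch.append(event)
    if batch:
        yield encode(batch)


# Constructed sample events, not taken from a real system.
SAMPLE = [
    {"text": "user=alice action=login", "timestamp": 1396622879241,
     "fields": [{"name": "user", "startPosition": 5, "length": 5},
                {"name": "Channel", "content": "Security"}]},
] * 3
```

Each body yielded by batch_bodies() can be sent as one POST to the messages/ingest URL with Content-Type: application/json.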