Samples using API User Guide
1 Table of Contents 1 Table of Contents... 2 2 Python sample... 4 2.1 callapi.py file configuration...7 3 Bash sample... 9 4 JavaScript sample...11
This article describes three samples of using the API, in the following cases:
2 Python sample There are 4 mandatory parameters for this script: apikey, apisecret, datefrom and dateto. -k (--apikey): API Key of the domain (Administration > Credentials > API Key). -s (--apisecret): API secret of the domain (Administration > Credentials > API Secret). -f (--datefrom): query start date as "YYYY-MM-DD HH:MM:SS". -t (--dateto): query end date as "YYYY-MM-DD HH:MM:SS". Apart from these, exactly one of the following two parameters must also be included (the script rejects a request with both or with neither): query or idsearch. -q (--query): LINQ query. -id (--idsearch): query ID (Query Info > Get ID). Note that values passed on the command line, including the API secret, are visible to other local users in the process list and are usually kept in the shell history. This is an example of a query run on the web application:
And this is a request with Python script using the query (q):./callapi.py -k '2y0D9HPK128PpsHURcDr9Vz6xtAGeVYz' -s 'ytbgi7yw4dah52tmn9txdrjfftfphsey' -f '2016-03-15 00:00:00' -t '2016-03-15 12:00:00' -q 'from siem.logtrust.web.activity where method = "GET" select lu("cursoimagenio1", "nombrespruebas", "nombre", username) as Nombre group every 0 by Nombre, username, userid, domain' This is a request with Python script, with the query ID (id): 5
./callapi.py -k '2y0D9HPK128PpsHURcDr9Vz6xtAGeVYz' -s 'ytbgi7yw4dah52tmn9txdrjfftfphsey' -f '2016-03-15 00:00:00' -t '2016-03-15 12:00:00' -id '69242b69-fe79-4542-beac-de0718a13774' ...and the corresponding answer: { "status": 0, "msg": "valid request", "object": [{ "username": "rmoya@logtrust.com", "Nombre": "Ricardo", "domain": "cursoimagenio1", "userid": "c722465f-28eb-4d70-b282-0c238f195ce1" }, {...}, {...} ], "success": true} 1 http://logtrust.com
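2.1 callapi.py file configuration
#!/usr/bin/env python
# -*- coding: utf8 -*-
#
# Example of how to query the logtrust search API:
#   ./callapi.py -k "apikey" -s "apisecret" -f "2016-01-01 00:00:00" -t "2016-01-02 00:00:00" -q "query"
#
# The request is authenticated with an HMAC-SHA256 signature computed over
#   apikey + datefrom + dateto + (query | idsearch) + timestamp
# and keyed with the API secret. Only the signature travels over the wire; the
# secret itself is never sent.
#
# NOTE: values given on the command line (including the API secret) are visible
# to other local users in the process list and are normally kept in the shell
# history. For anything beyond a one-off test, read the secret from a file with
# restricted permissions or from the environment rather than from an argument.
import argparse
import datetime
import hashlib
import hmac
import json
import sys
import time

import httplib2

try:  # Python 3
    from urllib.parse import urlencode
except ImportError:  # Python 2
    from urllib import urlencode

URL = 'https://api.logtrust.com/lt-api/storedsearchaction.json'
DATE_FORMAT = "%Y-%m-%d %H:%M:%S"


def to_epoch_ms(text, label):
    """Convert a "YYYY-MM-DD HH:MM:SS" string into epoch milliseconds (as str).

    Args:
        text: the date/time given on the command line.
        label: how the value is named in the error message, e.g. "START DATE (datefrom)".

    Returns:
        The timestamp as a decimal string of milliseconds, which is the form the
        API expects in the signed message and in the form fields.

    Exits with status 1 (not 0, so callers and shells can detect the failure)
    when the text does not match the expected format.
    """
    try:
        parsed = datetime.datetime.strptime(text, DATE_FORMAT)
    except ValueError:
        sys.stderr.write("ERROR: THE %s MUST HAVE THE FOLLOWING FORMAT YYYY-MM-DD HH:MM:SS\n" % label)
        sys.exit(1)
    # mktime interprets the tuple as local time; the original sample did the same.
    return str(int(time.mktime(parsed.timetuple())) * 1000)


def main():
    """Parse the arguments, sign the request, POST it and print the JSON answer."""
    parser = argparse.ArgumentParser()
    parser.add_argument("-k", "--apikey", required=True, help="administración > Credenciales > Api Key")
    parser.add_argument("-s", "--apisecret", required=True, help="administración > Credenciales > Api Secret")
    parser.add_argument("-f", "--datefrom", required=True, help="must have the following format YYYY-MM-DD HH:MM:SS")
    parser.add_argument("-t", "--dateto", required=True, help="must have the following format YYYY-MM-DD HH:MM:SS")
    parser.add_argument("-q", "--query", required=False, help="from my.app.nivel1.nivel2 select *")
    parser.add_argument("-id", "--idsearch", required=False, help="query Info > Get Id")
    args = parser.parse_args()

    # Exactly one of --query / --idsearch must be given; both or neither is an error.
    if not args.idsearch and not args.query:
        sys.stderr.write('ERROR: BOTH PARAMETERS ARE MISSING\n')
        sys.exit(1)
    if args.idsearch and args.query:
        sys.stderr.write('ERROR: BOTH PARAMETERS ARE PRESENT\n')
        sys.exit(1)

    date_from = to_epoch_ms(args.datefrom, "START DATE (datefrom)")
    date_to = to_epoch_ms(args.dateto, "END DATE (dateto)")
    # Whole-second resolution, expressed in milliseconds (so it always ends in 000).
    tstamp = str(int(time.time()) * 1000)

    # The search selector decides both what is signed and which form field carries it.
    if args.query:
        field, value = "query", args.query
    else:
        field, value = "idsearch", args.idsearch

    # HMAC wants bytes on Python 3; encoding is a no-op for the ASCII samples on Python 2.
    message = args.apikey + date_from + date_to + value + tstamp
    signature = hmac.new(args.apisecret.encode("utf-8"),
                         message.encode("utf-8"),
                         hashlib.sha256).hexdigest()

    params = {
        "apikey": args.apikey,
        field: value,
        "datefrom": date_from,
        "dateto": date_to,
        "timestamp": tstamp,
        "sign": signature,
    }
    headers = {'content-type': 'application/x-www-form-urlencoded'}

    # httplib2 validates the server certificate by default; keep it that way —
    # the signature protects the request, but only TLS protects the answer.
    resp, body = httplib2.Http().request(URL, "POST", urlencode(params), headers)
    if resp.status != 200:
        # The original sample printed whatever came back; an error page is not a result.
        sys.stderr.write("ERROR: HTTP %s from %s\n" % (resp.status, URL))
        sys.exit(1)

    # Parse then re-serialise so malformed bodies fail loudly instead of being echoed.
    print(json.dumps(json.loads(body)))


if __name__ == "__main__":
    main()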
3 Bash sample See below a Bash sample using the API.
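#!/bin/bash
# Query the logtrust search API with an HMAC-SHA256 signed POST request.
# Requires GNU date (for `date -d`), openssl and curl.
set -euo pipefail

# Fixed attributes (no spaces around '=': "URL = ..." would run a command named URL)
URL='https://api.logtrust.com/lt-api/storedsearchaction.streamjson'
CONTENT_TYPE='Content-Type: application/x-www-form-urlencoded; charset=utf-8'

# Domain API Key and Secret
# NOTE: a secret written into a script ends up in backups and version control;
# keep the real value in a file readable only by the owner and source it here.
apikey='xfrtw05vsag26nbtpar49ucyf54xxqhñ'
apisecret='abq30qipc0g7gtda8trs7t53wxzelcv6'

# Query or query id (use exactly one of the two)
# example
query='from my.app.test.test group every 30m every 0 select count() as count'
#queryid='idquery'

# Period to query, as epoch milliseconds (interpreted in the local time zone)
datefrom=$(date -d "2017-03-29 00:00:00.000" +%s000)
dateto=$(date -d "2017-03-30 00:00:00.000" +%s000)

# Current timestamp, epoch milliseconds
timestamp=$(date +%s000)

# Sign the REST call: HMAC-SHA256 over apikey+datefrom+dateto+query+timestamp,
# keyed with the secret. printf avoids the trailing newline and word splitting
# that `echo $var` would introduce; awk keeps only the hex digest after "= ".
_stringsign="$apikey$datefrom$dateto$query$timestamp"
sign=$(printf '%s' "$_stringsign" | openssl dgst -sha256 -hmac "$apisecret" | awk -F '= ' '{print $2}')

# HTTP request. --data-urlencode encodes each field (spaces, '&', '=' in the
# query) so the server decodes exactly the string that was signed; -f makes
# curl exit non-zero on an HTTP error status instead of printing the error body.
curl -f -H "$CONTENT_TYPE" \
     --data-urlencode "apikey=$apikey" \
     --data-urlencode "datefrom=$datefrom" \
     --data-urlencode "dateto=$dateto" \
     --data-urlencode "query=$query" \
     --data-urlencode "timestamp=$timestamp" \
     --data-urlencode "sign=$sign" \
     "$URL"

# To send a query id instead of a query, build _stringsign with $queryid in place
# of $query and replace the query field with:
#     --data-urlencode "query=$queryid"
# (the field name used by the original sample; the Python sample uses idsearch).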
4 JavaScript sample See below a JavaScript sample using the API: http://logtrust-static.s3.amazonaws.com/downloads/signaturechecker.html