If a log integration isn’t available or you have custom logs that you want to analyze, you can send the logs directly to your LogicMonitor account via the logs ingestion API. The received events are mapped to resources in LogicMonitor before they are further processed or stored.
https://<account>.logicmonitor.com/rest/log/ingest
HTTPS:443
Authorization: <LMv1 token>
POST
application/json
gzip, deflate
For the logs ingestion endpoint, https://<account>.logicmonitor.com/rest/log/ingest:
Base URL: https://<account>.logicmonitor.com/rest
Resource path: /log/ingest
Where <account> is the company name or account name for your LogicMonitor portal.
Note: The base URL for the logs ingestion endpoint is /rest and not /santaba/rest, which is the URL for the LogicMonitor REST API.
All requests to the log ingestion API use LogicMonitor’s LMv1 API tokens for authentication. You can create the API tokens in your LogicMonitor account Settings under Users & Roles.
Every request must include an HTTP authorization header in the format:
Authorization: LMv1 AccessId:Signature:Timestamp
The Signature is a base64-encoded HMAC-SHA256 hash, keyed with your Access Key and computed over the HTTP verb, a timestamp in epoch milliseconds, the POST data, and the resource path of the endpoint:
signature = base64( HMAC-SHA256( Access Key, HTTP VERB + TIMESTAMP + POST DATA + RESOURCE PATH ) )
The log ingestion API expects an array of entries with the following constraints on the content size:
Sending a log message for an Amazon EC2 instance to the ingestion endpoint using curl:
curl --location \
  --request POST 'https://<account>.logicmonitor.com/rest/log/ingest' \
  --header 'Authorization: <LMv1 token>' \
  --header 'Content-Type: application/json' \
  --data-raw '[{ "msg": "Generating example log message 31687", "_lm.resourceId": {"<property>": "<value>"} }]'
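The <LMv1 token> in the curl call above has to be computed for each request. The following is an added example, not LogicMonitor's own code: it builds the Authorization header from the signature formula above for the /log/ingest resource path and signs the exact JSON string that is sent. The credentials, device ID and function names are constructed for illustration, and hex-encoding the digest before base64 follows LogicMonitor's published LMv1 samples rather than the formula as printed here.

```python
import base64
import hashlib
import hmac
import json
import time

RESOURCE_PATH = "/log/ingest"  # signed path excludes the /rest base URL


def lmv1_signature(access_key, verb, timestamp_ms, body, path=RESOURCE_PATH):
    """base64(HMAC-SHA256(Access Key, VERB + TIMESTAMP + POST DATA + PATH))."""
    signed = f"{verb}{timestamp_ms}{body}{path}".encode()
    # Assumption from LogicMonitor's LMv1 samples: the hex digest is base64-encoded.
    digest = hmac.new(access_key.encode(), signed, hashlib.sha256).hexdigest()
    return base64.b64encode(digest.encode()).decode()


def build_request(access_id, access_key, events, timestamp_ms=None):
    """Serialize once, sign that exact string, and return (headers, body)."""
    if timestamp_ms is None:
        timestamp_ms = int(time.time() * 1000)
    body = json.dumps(events, separators=(",", ":"))
    sig = lmv1_signature(access_key, "POST", timestamp_ms, body)
    headers = {
        "Authorization": f"LMv1 {access_id}:{sig}:{timestamp_ms}",
        "Content-Type": "application/json",
    }
    return headers, body


def signature_matches(authorization, access_key, verb, body, path=RESOURCE_PATH):
    """Local self-check: recompute the signature for the body about to be sent."""
    scheme, _, token = authorization.partition(" ")
    parts = token.rsplit(":", 2)  # AccessId, Signature, Timestamp
    if scheme != "LMv1" or len(parts) != 3:
        return False
    expected = lmv1_signature(access_key, verb, parts[2], body, path)
    return hmac.compare_digest(parts[1], expected)


if __name__ == "__main__":
    # Constructed credentials and event; real tokens come from Users & Roles.
    events = [{"msg": "Generating example log message 31687",
               "_lm.resourceId": {"system.deviceId": "1234"}}]
    headers, body = build_request("EXAMPLE_ACCESS_ID", "EXAMPLE_ACCESS_KEY", events)
    print(headers["Authorization"])
    print(signature_matches(headers["Authorization"], "EXAMPLE_ACCESS_KEY", "POST", body))
```

Send body unchanged as the request payload: re-serializing the JSON after signing changes the signed string, and the signature no longer matches.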
The log ingestion endpoint expects an array of JSON objects as events. These events can have any JSON attribute, but the following tables highlight reserved attributes:
message | msg | Msg
timestamp | date | _timestamp | Timestamp | eventTime | published_date
int
string
_lm.resourceId: {<property>: <value>}
<property>
<value>
deviceId
_lm.resourceId: { system.deviceId: "<deviceId>" }
_lm.resourceId: { system.aws.arn: <arn> }
Note: Logs may have a severity associated with each event if it matches the criteria for an anomaly or matches an alert condition. This severity is not set during ingestion. See Log Alert Conditions.
The log ingestion API uses conventional HTTP response codes to indicate the success or failure of an API request.
202 - Accepted
207 - Multi-status
400 - Bad Request
401 - Unauthorized
402 - Payment Required
403 - Forbidden
413 - Payload Too Large
429 - Too Many Requests
500 - Server Error
502 - Bad Gateway
Header:
X-Request-ID: 38b78dd6-3bc0-4cd9-8a15-6af552d49c3e
Body:
{
  "success": true,
  "message": "Accepted"
}
Header:
X-Request-ID: 38b78dd6-3bc0-4cd9-8a15-6af552d49c3e
Body:
{
  "success": false,
  "message": "Some events were not accepted. See the 'errors' property for additional information.",
  "errors": [
    {
      "code": 4001,
      "error": "Resource not found",
      "event": {
        "_lm.resourceId": { "system.deviceId": "kish" },
        "message": "test"
      }
    }
  ]
}
Custom error codes provide insight into what went wrong when log ingestion fails. If events do not meet the log ingestion constraints, such as failed mapping to a LogicMonitor resource or unmet field requirements, one of the following error messages is returned:
4001 - Resource not found
4001 - More than one resource has been found
4003 - Insufficient information for device lookup
_lm.resourceId
4004 - Missing message field
4005 - Event too large
4006 - Event too old or future
Header:
X-Request-ID: 38b78dd6-3bc0-4cd9-8a15-6af552d49c3e
Body:
{
  "success": false,
  "message": "Some events were not accepted. See the 'errors' property for additional information.",
  "errors": [
    {
      "code": 4003,
      "error": "Insufficient information for device lookup",
      "event": {
        "message": "test"
      }
    },
    {
      "code": 4004,
      "error": "Missing message field",
      "event": {
        "_lm.resourceId": { "system.deviceId": "kish" }
      }
    }
  ]
}