You can use the events/ingest service to send events to a vRealize Log Insight server using HTTP POST requests.

The events/ingest service uses the following syntax.

| Protocol | Value |
| --- | --- |
| HTTP | http://loginsight_host:9000/api/v1/events/ingest/agentId |
| HTTPS | https://loginsight_host:9543/api/v1/events/ingest/agentId |
| HTTP Method | POST |

Note:

The vRealize Log Insight Ingestion API has a limit of 4 MB per HTTP POST request. The maximum size of a single text field is 16 KB.

Parameters

| Parameter | Type | Where to pass | Description |
| --- | --- | --- | --- |
| agentId | String | In URL | The ID of the sending agent should follow the UUID standard. The agent may be an official vRealize Log Insight Windows or Linux agent or any client leveraging the Ingestion API. |
| Content-Type: application/json | String | In POST body | The Content-Type parameter specifies the nature of the data in the POST body. |
| Events array | Array | In POST body | An array of events. Each event must have the following format. |

{"events":
 [{
    "text": optional, message text as a string, 
    "timestamp": optional, timestamp encoded as number of milliseconds since Unix epoch in UTC, 
    "fields": optional array of 
    [{
      "name": the name of the field,
      "content": optional, the content of the field,
      "startPosition": optional, the start position in the "text",
      "length": optional, the length of the string in the "text",
    },...]
  },...]
}

Note:

The vRealize Log Insight server compares the "timestamp" you provide with the local time on the vRealize Log Insight server. If you provide a "timestamp" outside of the default 10 minutes tolerated drift window, the vRealize Log Insight server ignores your "timestamp" and uses its local time. If "timestamp" is not present, vRealize Log Insight uses arrival time.

Note:

If the "content" of a field is not present, then "startPosition" and "length" must be present and must point to a valid position in the "text" field string.

Return HTTP Values

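| Name | Type | Description |
| --- | --- | --- |
| 200 OK | Integer | Standard HTTP response code. |
| 400 Bad Request | Integer | Standard HTTP response code. |
| 500 Internal Server Error | Integer | Standard HTTP response code. |
| 503 Service Unavailable | Integer | Standard HTTP response code. This response indicates that the server is overloaded. The Retry-After response header provides the suggested retry time in seconds. |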

Example Request

POST http://loginsight:9000/api/v1/events/ingest/4C4C4544-0037-5910-805A-C4C04F585831

Host: loginsight:9000
Connection: keep-alive
Content-Type: application/json
charset: utf-8
Content-Length: ??

{"events": [{
               "fields": [
                {"name": "Channel", "content": "Security"},
                {"name": "EventID", "content": "4688"},
                {"name": "EventRecordID", "content": "33311266"},
                {"name": "Keywords", "content": "Audit Success"},
                {"name": "Level", "content": "Information"},
                {"name": "OpCode","content": "Info"},
                {"name": "ProcessID", "content": "4"},
                {"name": "ProviderName", "content": "Microsoft-Windows-Security-Auditing"},
                {"name": "Task", "content": "Process Creation"},
                {"name": "ThreadID", "content": "64"}
               ],
            "text": "A new process has been created.",
            "timestamp": 1396622879241
            }
           ]
}

Example Response

HTTP/1.1 200 OK

{"status":"ok","message":"events ingested","ingested":18}
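
A client-side pre-flight check for the rules on this page, as an added example that is not VMware's code: it builds the HTTPS ingest URL, flags events that break the documented field and timestamp rules, and splits events into request bodies under the per-POST limit. The function names are hypothetical, and three readings are assumptions: the 4 MB and 16 KB limits are counted in bytes, the 16 KB limit applies to both "text" and each field's "content", and "startPosition" and "length" count characters.

```python
import json
import time
import uuid

# Limits from the page; byte interpretation (4 MiB, 16 KiB, UTF-8) is an assumption.
MAX_POST_BYTES = 4 * 1024 * 1024
MAX_FIELD_BYTES = 16 * 1024
DRIFT_MS = 10 * 60 * 1000  # default tolerated timestamp drift


def ingest_url(host, agent_id):
    """Build the HTTPS ingest URL; raises ValueError if agent_id is not a UUID."""
    uuid.UUID(agent_id)
    return f"https://{host}:9543/api/v1/events/ingest/{agent_id}"


def check_event(event, now_ms=None):
    """Return the problems the documented rules predict for one event."""
    problems, text = [], event.get("text", "")
    now_ms = int(time.time() * 1000) if now_ms is None else now_ms
    if len(text.encode("utf-8")) > MAX_FIELD_BYTES:
        problems.append("text exceeds 16 KB")
    ts = event.get("timestamp")
    if ts is not None and abs(now_ms - ts) > DRIFT_MS:
        problems.append("timestamp outside drift window, server will use its own time")
    for f in event.get("fields", []):
        if "content" in f:
            if len(str(f["content"]).encode("utf-8")) > MAX_FIELD_BYTES:
                problems.append(f"{f['name']}: content exceeds 16 KB")
            continue
        # Without "content", startPosition/length must select a span inside "text".
        start, length = f.get("startPosition"), f.get("length")
        if None in (start, length) or min(start, length) < 0 or start + length > len(text):
            problems.append(f"{f['name']}: needs content or a valid startPosition/length")
    return problems


def batches(events, limit=MAX_POST_BYTES):
    """Yield JSON request bodies that each stay under the per-POST size limit."""
    batch, size = [], 14  # 14 == len('{"events": []}')
    for ev in events:
        ev_size = len(json.dumps(ev)) + 2  # +2 for the ", " separator (ASCII output)
        if batch and size + ev_size > limit:
            yield json.dumps({"events": batch}).encode("ascii")
            batch, size = [], 14
        batch.append(ev)
        size += ev_size
    if batch:
        yield json.dumps({"events": batch}).encode("ascii")
```

Because the server silently replaces an out-of-window "timestamp" with its own time, running `check_event` before sending shows when replayed or clock-skewed events would lose their original ordering.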