Ingesting Raw Data

This endpoint should be used, when you are not in control of the request body, such as in the case of calling LogScale via a callback from another system.

http

POST /api/v1/ingest/raw

The body of the HTTP request will be interpreted as a single event, and parsed using the parser attached to the accompanying ingest token. Unless the parser created generates a @timestamp field, the @timestamp of the resulting event will equal @ingesttimestamp.

Note

This endpoint is not suited for ingesting a large number of events, and its usage should be restricted to relatively infrequent calls.

Response

Standard HTTP response codes

Example

When ingesting raw data, you can choose to authenticate by attaching your ingest token to the header:

Mac OS or Linux (curl)

shell

curl -v -X POST $YOUR_LOGSCALE_URL/api/v1/ingest/raw \
    -H "Authorization: Bearer $INGEST_TOKEN" \
    -d 'My raw Message generated at "2016-06-06T12:00:00+02:00"'

Mac OS or Linux (curl) One-line

shell

curl -v -X POST $YOUR_LOGSCALE_URL/api/v1/ingest/raw \
    -H "Authorization: Bearer $INGEST_TOKEN" \
    -d 'My raw Message generated at "2016-06-06T12:00:00+02:00"'

Windows Cmd and curl

shell

curl -v -X POST $YOUR_LOGSCALE_URL/api/v1/ingest/raw ^
    -H "Authorization: Bearer $INGEST_TOKEN" ^
    -d 'My raw Message generated at "2016-06-06T12:00:00+02:00"'

Windows Powershell and curl

powershell

curl.exe -X POST 
    -H "Authorization: Bearer $INGEST_TOKEN"
    -d 'My raw Message generated at "2016-06-06T12:00:00+02:00"'
"$YOUR_LOGSCALE_URL/api/v1/ingest/raw"

Perl

perl

#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $INGEST_TOKEN = "TOKEN";

my $uri = '$YOUR_LOGSCALE_URL/api/v1/ingest/raw';

my $json = 'My raw Message generated at "2016-06-06T12:00:00+02:00"';
my $req = HTTP::Request->new("POST", $uri );

$req->header("Authorization" => "Bearer $INGEST_TOKEN");

$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";

Python

python

#! /usr/local/bin/python3

import requests

url = '$YOUR_LOGSCALE_URL/api/v1/ingest/raw'
mydata = r'''My raw Message generated at "2016-06-06T12:00:00+02:00"'''

resp = requests.post(url,
                     data = mydata,
                     headers = {
   "Authorization" : "Bearer $INGEST_TOKEN"
}
)

print(resp.text)

Node.js

javascript

const https = require('https');

const data = JSON.stringify(
    My raw Message generated at "2016-06-06T12:00:00+02:00"
);


const options = {
  hostname: '$YOUR_LOGSCALE_URL/api/v1/ingest/raw',
  path: '/graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();

Mac OS or Linux (curl)

shell

curl -v -X POST $YOUR_LOGSCALE_URL/api/v1/ingest/raw/$INGEST_TOKEN \
    -d 'My raw Message generated at "2016-06-06T12:00:00+02:00"'

Mac OS or Linux (curl) One-line

shell

curl -v -X POST $YOUR_LOGSCALE_URL/api/v1/ingest/raw/$INGEST_TOKEN \
    -d 'My raw Message generated at "2016-06-06T12:00:00+02:00"'

Windows Cmd and curl

shell

curl -v -X POST $YOUR_LOGSCALE_URL/api/v1/ingest/raw/$INGEST_TOKEN ^
    -d 'My raw Message generated at "2016-06-06T12:00:00+02:00"'

Windows Powershell and curl

powershell

curl.exe -X POST 
    -d 'My raw Message generated at "2016-06-06T12:00:00+02:00"'
"$YOUR_LOGSCALE_URL/api/v1/ingest/raw/$INGEST_TOKEN"

Perl

perl

#!/usr/bin/perl

use HTTP::Request;
use LWP;

my $INGEST_TOKEN = "TOKEN";

my $uri = '$YOUR_LOGSCALE_URL/api/v1/ingest/raw/$INGEST_TOKEN';

my $json = 'My raw Message generated at "2016-06-06T12:00:00+02:00"';
my $req = HTTP::Request->new("POST", $uri );



$req->content( $json );

my $lwp = LWP::UserAgent->new;

my $result = $lwp->request( $req );

print $result->{"_content"},"\n";

Python

python

#! /usr/local/bin/python3

import requests

url = '$YOUR_LOGSCALE_URL/api/v1/ingest/raw/$INGEST_TOKEN'
mydata = r'''My raw Message generated at "2016-06-06T12:00:00+02:00"'''

resp = requests.post(url,
                     data = mydata,
                     headers = {}
)

print(resp.text)

Node.js

javascript

const https = require('https');

const data = JSON.stringify(
    My raw Message generated at "2016-06-06T12:00:00+02:00"
);


const options = {
  hostname: '$YOUR_LOGSCALE_URL/api/v1/ingest/raw/$INGEST_TOKEN',
  path: '/graphql',
  port: 443,
  method: 'POST',
  headers: {
    'Content-Type': 'application/json',
    'Content-Length': data.length,
    Authorization: 'BEARER ' + process.env.TOKEN,
    'User-Agent': 'Node',
  },
};

const req = https.request(options, (res) => {
  let data = '';
  console.log(`statusCode: ${res.statusCode}`);

  res.on('data', (d) => {
    data += d;
  });
  res.on('end', () => {
    console.log(JSON.parse(data).data);
  });
});

req.on('error', (error) => {
  console.error(error);
});

req.write(data);
req.end();

Important

When passing the ingest token as part of the URL, the token should not be considered as secret, as it may be logged in LogScale or in any proxy servers which process the request. Thus, CrowdStrike strongly recommends that you authenticate through the request header if possible.

APIs

Action API

Alert API

API Authentication

Cluster Management API

Health Check API

Ingest API

Lookup API

Redact Events API

Search API

Software Libraries