---
layout: template
title: Api
nav_order: 8
permalink: /panther/api
description: Panther HTTP event API
---
The API Console is a straightforward way to begin using the Panther API to submit event logs over HTTP.
The purpose of the page is to let the supported API fields be entered manually and then automatically formatted into the JSON structure that Panther requires. The result can either be submitted to the application directly from the page or copied into another utility such as curl, for which an example command line is generated at the bottom of the page.
To prepare a new event definition for transmission to Panther, fill in the input fields in the top section of the Event API box.
For security, the API requires a valid API key in order to accept event data. These can be generated by users in the administration group from the admin page.
The API key input field is a drop-down list that contains the currently available keys.
The node is the host name that will be applied to the event log.
The tag is a name used as meta-data to identify and distinguish between different applications on the same host, or any other similar purpose.
The summary contains the message body of the event log. It describes the event that took place and gives detailed information such as the error message or any diagnostics. It can also carry specific pieces of data about the event, such as the number of retries made for a failed login attempt.
The severity indicates how important the event log is, and can range from 0 (clear) to 5 (emergency).
Once the event fields have been filled in, the event can be sent to Panther by clicking on the Send button. The response will be displayed in the Response Body box at the bottom of the page.
Alternatively, events can be sent using a different application by submitting the message displayed in the Request Body box as POST data to the address displayed in the URL box. One common method would be to use the example curl command line shown in the Curl box.
This example of sending an event log using the GUI on the API page will also show how the example group rule works to put a log containing `FAILED su` in its summary into the Operating System group.
- Select an API key from the drop-down box.
- To create an event that will be handled by the Operating System group, the Tag for the event must be `os` and the Summary must include the string `FAILED su for`. The Node can be any string value, and the severity level can be any value from 0 to 5, because a new value will be set by the group rule. Notice that the contents of the Request Body and Curl sections change as the input fields are set.
- Once the fields have been set, click the Send button. The Response Body section will update with the reply from Panther, indicating whether the request was successful or if there was a problem.
- If all went well, the new entry should be in the console along with all the other event logs. If the custom group rule has been applied, the group will be set to Operating System and the severity will be set to 3, which is also shown by the entry being displayed in yellow.