LogpointApi (logpoint_api v2.2.0)

Elixir library for interacting with the Logpoint API.

Build a client, then pass it to any domain module.

Setup

client = LogpointApi.client("https://logpoint.company.com", "admin", "secret")

Search

query = LogpointApi.search_params("user=*", "Last 24 hours", 100, ["127.0.0.1"])

# Block until final results (polls automatically)
{:ok, result} = LogpointApi.run_search(client, query)

# Low-level primitives are still available
alias LogpointApi.Core.Search

{:ok, %{"search_id" => id}} = Search.get_id(client, query)
{:ok, result}               = Search.get_result(client, id)
{:ok, prefs}                = Search.user_preference(client)
{:ok, repos}                = Search.logpoint_repos(client)

Incidents

alias LogpointApi.Core.Incident

{:ok, incidents} = Incident.list(client, start_time, end_time)
{:ok, states}    = Incident.list_states(client, start_time, end_time)
{:ok, _}         = Incident.resolve(client, ["id1"])
{:ok, _}         = Incident.close(client, ["id2"])
{:ok, _}         = Incident.reopen(client, ["id3"])
{:ok, _}         = Incident.assign(client, ["id1"], "user_id")
{:ok, _}         = Incident.add_comments(client, [LogpointApi.comment("id1", "note")])
{:ok, users}     = Incident.get_users(client)

Alert Rules

alias LogpointApi.Data.Rule
alias LogpointApi.Core.AlertRule

{:ok, rules} = AlertRule.list(client)
{:ok, rule}  = AlertRule.get(client, "rule-id")
{:ok, _}     = AlertRule.activate(client, ["id1", "id2"])
{:ok, _}     = AlertRule.deactivate(client, ["id1"])
{:ok, _}     = AlertRule.delete(client, ["id1"])

# Builder-style alert rule creation
rule =
  LogpointApi.rule("Brute Force Detection")
  |> Rule.description("Detects brute force login attempts")
  |> Rule.query("error_code=4625")
  |> Rule.time_range(1, :day)
  |> Rule.repos(["10.0.0.1"])
  |> Rule.limit(100)
  |> Rule.threshold(:greaterthan, 5)
  |> Rule.risk_level("high")
  |> Rule.aggregation_type("max")
  |> Rule.assignee("admin")

{:ok, _} = AlertRule.create(client, rule)

# Email notification
alias LogpointApi.Data.EmailNotification

notif =
  LogpointApi.email_notification(["rule-1"], "admin@example.com")
  |> EmailNotification.subject("Alert: {{ rule_name }}")
  |> EmailNotification.template("<p>Details</p>")

{:ok, _} = AlertRule.create_email_notification(client, notif)

# HTTP notification
alias LogpointApi.Data.HttpNotification

webhook =
  LogpointApi.http_notification(["rule-1"], "https://hooks.slack.com/abc", :post)
  |> HttpNotification.body(~s({"text": "{{ rule_name }}"}))
  |> HttpNotification.bearer_auth("my-token")

{:ok, _} = AlertRule.create_http_notification(client, webhook)

Logpoint Repos & User-Defined Lists

alias LogpointApi.Core.LogpointRepo
alias LogpointApi.Core.UserDefinedList

{:ok, repos} = LogpointRepo.list(client)
{:ok, lists} = UserDefinedList.list(client)

SSL

client = LogpointApi.client("https://192.168.1.100", "admin", "secret", ssl_verify: false)

Summary

Functions

client(base_url, username, secret_key, opts \\ [])

Create a client for the Logpoint API.

comment(incident_id, comments)

Build an incident comment.

email_notification(ids, emails)

Build an email notification for alert rules.

http_notification(ids, url, request_type)

Build an HTTP notification for alert rules.

rule(name)

Build an alert rule.

run_search(client, query, opts \\ [])

Run a search and block until final results arrive.

search_params(query, time_range, limit, repos)

Build a search query.

search_params(query, start_time, end_time, limit, repos)

Build a search query with explicit start and end times.