Formatting options
To forward logs to Sekoia.io, several formatting options are available:
- Send your events as line-oriented records
- Send your events as a JSON object
- Send your events as a structured payload
For each option, you have to supply an intake key. In every case, the Sekoia.io collector endpoint replies with a JSON payload containing the identifiers of the ingested events, which can then be followed through the Sekoia.io detection workflow.
Select the intake endpoint for your region
Sekoia.io supports multiple regions for HTTP ingestion.
FRA1 keeps the historical URL scheme, while all other regions use the new API-prefixed scheme.
Tip
Learn more about region and code in our dedicated article.
Endpoints must be built from regional base URLs:
- FRA1 base URL: https://intake.sekoia.io
- Other regions base URL: https://intake.<region>.sekoia.io/api/v1/intake-http
Then append the path /<path> (e.g., /plain, /plain/batch, /jsons, /batch, /array, etc.) to the corresponding regional base URL.
Examples:
- https://intake.sekoia.io/batch
- https://intake.fra2.sekoia.io/api/v1/intake-http/batch
- https://intake.mco1.sekoia.io/api/v1/intake-http/jsons
- https://intake.uae1.sekoia.io/api/v1/intake-http/plain/batch
Warning
The examples below use FRA1 URLs for readability. For other regions, replace the base URL with your regional endpoint.
Push your events to Sekoia.io as line-oriented records
To forward events as plain records, you can use the /plain endpoint.
The following headers are handled by Sekoia.io's HTTPS log collector:
| Header | Mandatory? | Type | Description |
|---|---|---|---|
| X-SEKOIAIO-INTAKE-KEY | No | String | Intake to which you would like to push events |
| X-SEKOIAIO-EVENT-TIMESTAMP | No | Datetime | Event date if you want to push your own date (fallback is the reception date) |
Supply the intake key as the header X-SEKOIAIO-INTAKE-KEY, as password in the HTTP Basic authentication mechanism, or as a parameter in the query string.
To push one event, just POST the content to https://intake.sekoia.io/plain. The intake key can be passed as a header:

```python
import requests

headers = {"X-SEKOIAIO-INTAKE-KEY": "YOUR_INTAKE_KEY"}
content = "[764008:0] info: 198.51.100.10 example.org. A IN"
response = requests.post("https://intake.sekoia.io/plain", data=content, headers=headers)
print(response.text)  # will print {"event_id": "uuid"}
```

As the password of HTTP Basic authentication (the username is left empty):

```python
import requests

auth = requests.auth.HTTPBasicAuth("", "YOUR_INTAKE_KEY")
content = "[764008:0] info: 198.51.100.10 example.org. A IN"
response = requests.post("https://intake.sekoia.io/plain", data=content, auth=auth)
print(response.text)  # will print {"event_id": "uuid"}
```

Or as a query-string parameter:

```python
import requests

params = {"intake_key": "YOUR_INTAKE_KEY"}
content = "[764008:0] info: 198.51.100.10 example.org. A IN"
response = requests.post("https://intake.sekoia.io/plain", data=content, params=params)
print(response.text)  # will print {"event_id": "uuid"}
```
For numerous events, you can use the alternative endpoint /plain/batch. The events should be separated by the line feed character (U+000A or \n):
```python
import requests

headers = {"X-SEKOIAIO-INTAKE-KEY": "YOUR_INTAKE_KEY"}
events = ["[764008:0] info: 198.51.100.10 example.org. A IN", "[764023:0] info: 2.34.100.56 text.org. A IN"]
content = "\n".join(events)  # one event per line
response = requests.post("https://intake.sekoia.io/plain/batch", data=content, headers=headers)
print(response.text)  # will print {"event_ids": ["uuid1", "uuid2"]}
```

With HTTP Basic authentication:

```python
import requests

auth = requests.auth.HTTPBasicAuth("", "YOUR_INTAKE_KEY")
events = ["[764008:0] info: 198.51.100.10 example.org. A IN", "[764023:0] info: 2.34.100.56 text.org. A IN"]
content = "\n".join(events)
response = requests.post("https://intake.sekoia.io/plain/batch", data=content, auth=auth)
print(response.text)  # will print {"event_ids": ["uuid1", "uuid2"]}
```

With the intake key in the query string:

```python
import requests

params = {"intake_key": "YOUR_INTAKE_KEY"}
events = ["[764008:0] info: 198.51.100.10 example.org. A IN", "[764023:0] info: 2.34.100.56 text.org. A IN"]
content = "\n".join(events)
response = requests.post("https://intake.sekoia.io/plain/batch", data=content, params=params)
print(response.text)  # will print {"event_ids": ["uuid1", "uuid2"]}
```
You can find an example script for sending logs from files in batches here
You can also upload multiple events contained in a single file, with one event per line:

```bash
curl -X POST -H "X-SEKOIAIO-INTAKE-KEY: REPLACE_BY_INTAKE_KEY" --data-binary @events.txt https://intake.sekoia.io/plain/batch
```
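The following helper, added here as an example rather than taken from Sekoia.io's documentation or client code, puts the two rules above into working code: the regional URL scheme (FRA1 keeps the historical base URL, other regions get the /api/v1/intake-http prefix) and the /plain/batch framing (one event per line, U+000A separated). It also rejects events that themselves contain a line break, since the collector would otherwise split one event into several, and chunks large inputs. It uses the standard library only; the Content-Type value and the chunk size are assumptions, and the `opener` parameter exists so the call can be exercised offline.

```python
import json
import urllib.request

# Constructed example: not Sekoia.io's own code.

def build_intake_url(region: str, path: str) -> str:
    """Return the intake URL for a region. FRA1 keeps the historical
    base URL; every other region uses the API-prefixed scheme."""
    region = region.lower()
    path = "/" + path.strip("/")
    if region == "fra1":
        return "https://intake.sekoia.io" + path
    return f"https://intake.{region}.sekoia.io/api/v1/intake-http{path}"

def plain_batch_bodies(events, max_events: int = 500) -> list:
    """Frame events for /plain/batch: one event per line, separated by
    U+000A, split into chunks of at most max_events (assumed limit).
    An event containing a line break would be read as several events
    by the collector, so such input is refused (send it via /jsons)."""
    bodies, chunk = [], []
    for ev in events:
        if "\n" in ev or "\r" in ev:
            raise ValueError("event contains a line break; use /jsons instead")
        chunk.append(ev)
        if len(chunk) == max_events:
            bodies.append("\n".join(chunk))
            chunk = []
    if chunk:
        bodies.append("\n".join(chunk))
    return bodies

def post_plain_batch(region, intake_key, events, opener=urllib.request.urlopen):
    """POST each chunk to the regional /plain/batch endpoint with the
    intake key in the X-SEKOIAIO-INTAKE-KEY header and return all
    event ids found in the JSON replies."""
    url = build_intake_url(region, "plain/batch")
    event_ids = []
    for body in plain_batch_bodies(events):
        req = urllib.request.Request(
            url,
            data=body.encode("utf-8"),
            method="POST",
            headers={"X-SEKOIAIO-INTAKE-KEY": intake_key,
                     "Content-Type": "text/plain; charset=utf-8"},  # assumed
        )
        with opener(req) as resp:
            event_ids.extend(json.loads(resp.read())["event_ids"])
    return event_ids
```

Passing a custom `opener` (any callable returning a context manager with a `read()` method) lets you unit-test the batching and header logic without network access.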
Push your events to Sekoia.io as a JSON object
As JSON List
To send events as a JSON list, set the Content-Type HTTP header to application/json.
The following headers are handled by Sekoia.io's HTTPS log collector:
| Header | Mandatory? | Type | Description |
|---|---|---|---|
| X-SEKOIAIO-INTAKE-KEY | No | String | Intake to which you would like to push events |
| X-SEKOIAIO-EVENT-TIMESTAMP | No | Datetime | Event date if you want to push your own date (fallback is the reception date) |
Supply the intake key as the header X-SEKOIAIO-INTAKE-KEY, as password in the HTTP Basic authentication mechanism, or as a parameter in the query string.
Use the endpoint /jsons. This endpoint accepts a list of events:

```python
import requests

headers = {"X-SEKOIAIO-INTAKE-KEY": "YOUR_INTAKE_KEY"}
events = ["[764008:0] info: 198.51.100.10 example.org. A IN", "[764023:0] info: 2.34.100.56 text.org. A IN"]
response = requests.post("https://intake.sekoia.io/jsons", json=events, headers=headers)
print(response.text)  # will print {"event_ids": ["uuid1", "uuid2"]}
```

With HTTP Basic authentication:

```python
import requests

auth = requests.auth.HTTPBasicAuth("", "YOUR_INTAKE_KEY")
events = ["[764008:0] info: 198.51.100.10 example.org. A IN", "[764023:0] info: 2.34.100.56 text.org. A IN"]
response = requests.post("https://intake.sekoia.io/jsons", json=events, auth=auth)
print(response.text)  # will print {"event_ids": ["uuid1", "uuid2"]}
```

With the intake key in the query string:

```python
import requests

params = {"intake_key": "YOUR_INTAKE_KEY"}
events = ["[764008:0] info: 198.51.100.10 example.org. A IN", "[764023:0] info: 2.34.100.56 text.org. A IN"]
response = requests.post("https://intake.sekoia.io/jsons", json=events, params=params)
print(response.text)  # will print {"event_ids": ["uuid1", "uuid2"]}
```
Enclosed in a JSON object
If your events are enclosed in a JSON object, use the endpoint /jsons and provide, in the path query parameter, the JSONPath of the property where your events are located:

```python
import requests

headers = {"X-SEKOIAIO-INTAKE-KEY": "YOUR_INTAKE_KEY"}
events = ["[764008:0] info: 198.51.100.10 example.org. A IN", "[764023:0] info: 2.34.100.56 text.org. A IN"]
content = {"path": {"to": {"events": events}}}
response = requests.post("https://intake.sekoia.io/jsons?path=$.path.to.events", json=content, headers=headers)
print(response.text)  # will print {"event_ids": ["uuid1", "uuid2"]}
```

With HTTP Basic authentication:

```python
import requests

auth = requests.auth.HTTPBasicAuth("", "YOUR_INTAKE_KEY")
events = ["[764008:0] info: 198.51.100.10 example.org. A IN", "[764023:0] info: 2.34.100.56 text.org. A IN"]
content = {"path": {"to": {"events": events}}}
response = requests.post("https://intake.sekoia.io/jsons?path=$.path.to.events", json=content, auth=auth)
print(response.text)  # will print {"event_ids": ["uuid1", "uuid2"]}
```

With the intake key in the query string:

```python
import requests

params = {"intake_key": "YOUR_INTAKE_KEY"}
events = ["[764008:0] info: 198.51.100.10 example.org. A IN", "[764023:0] info: 2.34.100.56 text.org. A IN"]
content = {"path": {"to": {"events": events}}}
response = requests.post("https://intake.sekoia.io/jsons?path=$.path.to.events", json=content, params=params)
print(response.text)  # will print {"event_ids": ["uuid1", "uuid2"]}
```
Push your events to Sekoia.io as structured content
To send events as structured content, set the Content-Type HTTP header to application/json.
The following fields are currently handled by Sekoia.io's HTTPS log collector:
| Field | Mandatory? | Type | Description |
|---|---|---|---|
| intake_key | Yes | String | Intake to which you would like to push events |
| json | Yes | String | The actual log payload. If you want to push structured JSON logs, send them as quoted JSON here |
| @timestamp | No | Datetime | Event date if you want to push your own date (fallback is the reception date) |
To push text events, just POST the content to https://intake.sekoia.io:

```python
import requests

content = {"intake_key": "YOUR_INTAKE_KEY", "json": "[764008:0] info: 198.51.100.10 example.org. A IN"}
response = requests.post("https://intake.sekoia.io", json=content)
print(response.text)  # will print {"event_id": "uuid"}
```
To push structured data to Sekoia.io, serialize your payload as a quoted JSON string in the json field of the POSTed payload:

```python
import requests
import json

structured_log = {"key": "value"}
content = {"intake_key": "YOUR_INTAKE_KEY", "json": json.dumps(structured_log)}  # quoted JSON
response = requests.post("https://intake.sekoia.io", json=content)
print(response.text)  # will print {"event_id": "uuid"}
```
For numerous events, you can use the alternative endpoint /batch. This endpoint accepts a list of events in the jsons field:

```python
import requests

content = {"intake_key": "YOUR_INTAKE_KEY", "jsons": ["[764008:0] info: 198.51.100.10 example.org. A IN", "[764023:0] info: 2.34.100.56 text.org. A IN"]}
response = requests.post("https://intake.sekoia.io/batch", json=content)
print(response.text)  # will print {"event_ids": ["uuid1", "uuid2"]}
```
Or, you can use the endpoint /array, which takes a list of structured events, each carrying its own intake key:

```python
import requests

events = [
    {
        "timestamp": "2021-04-05T21:33:31+02:00",  # optional
        "intake_key": "YOUR_INTAKE_KEY",
        "json": "[764008:0] info: 198.51.100.10 example.org. A IN",
    },
    {
        "intake_key": "ANOTHER_INTAKE_KEY",
        "json": "[764023:0] info: 2.34.100.56 text.org. A IN",
    },
]
response = requests.post("https://intake.sekoia.io/array", json=events)
print(response.text)
# will print {"event_ids":["ba2098cc-5fcf-4ad1-8d1d-af55750220ec","921b214c-fb89-4e27-a1fd-266f1837ea31"]}
```