Logentries Docs


Webhook Alerts

Unlike email or phone notifications, webhooks are ideal for automated reactions to triggered alerts. The Webhook alert is sent as an HTTP POST request with a JSON-encoded payload parameter. The message body is encoded as application/x-www-form-urlencoded.

Payload

The payload contains information about the triggered alert, the host and log where the alert was triggered, the triggering event, and the event context. The payload has the following structure:

{
    "alert": {
        "name": "500 error" // Alert name
    },
    "host": {
        "name": "Web", // Host name
        "hostname": "web.example.com" // Host DNS name
    },
    "log": {
        "name": "access.log" // Log name
    },
    "event": Event, // Triggering event
    "context": [ // Events in context
        {
            "t": 1346202355889, // Timestamp
            "s": 40634540484, // Sequence
            "m": "[26/Aug/2012:10:58:50 +0100] POST /api..." // Message
        }
    ]
}

Simple Testing

You can use publicly available POST bins such as RequestBin. Create a new bin and add the generated URL as the target POST URL. Make sure you do not reach the alert limitation (per hour and per day). It is a common pitfall.

Authentication

In order to authorize the Webhook, specify a username and password in the webhook URL, for example http://user:password@example.com/webhook. The password is a shared secret which is used for authentication. The username is sent in plain text as part of the Authorization header. All HTTP POSTs are authorized using an HMAC. The HMAC hash is stored in the Authorization header as displayed in the following example (important header fields are highlighted):

POST /webhook HTTP/1.1
User-Agent: Logentries/1.2
Host: example.com
Date: Mon, 28 Jan 2013 22:01:58 GMT
Content-Type: application/x-www-form-urlencoded
Content-Md5: A4O7taYfMqO/3vugWHFriA==
Content-Length: 1632
Connection: keep-alive
X-Le-Nonce: nfblZ9aBldYSHT64Kw2bbVwt
X-Le-Account: f1cac763
Authorization: LE user:qc2s3YmnX42K1Nvtxw/p1Br1ehI=
Accept-Encoding: identity

payload=...

The HMAC is calculated from a canonical string. The canonical string is a concatenation of the method type (POST), content type, MD5 hash of the message content, the Date header, path, and nonce stored in the X-Le-Nonce header. Assuming header fields are stored in the HEADERS dictionary, path contains the path section of the request, and PASSWORD contains the shared secret code, the HMAC calculation can be implemented in the following way:

# Import standard Python libraries
import hashlib, base64, hmac

# Calculate MD5 hash of the content (content is the raw request body as bytes)
content_md5 = base64.b64encode( hashlib.md5( content).digest()).decode( 'ascii')

# Construct canonical string from header fields and content hash
canonical = '\n'.join([
    'POST',
    HEADERS[ 'Content-Type'],
    content_md5,
    HEADERS[ 'Date'],
    path,
    HEADERS[ 'X-Le-Nonce'] ])

# Calculate HMAC hash and encode it in base 64
# PASSWORD contains a shared secret code (as bytes)
signature = base64.b64encode(
    hmac.new( PASSWORD, canonical.encode( 'utf-8'), hashlib.sha1).digest()).decode( 'ascii')

In Ruby:

# Import standard Ruby libraries
require 'openssl'
require 'base64'
require 'digest/md5'

# Calculate MD5 hash of the content
content_md5 = Base64.encode64( Digest::MD5.digest( content)).strip

# Construct canonical string from header fields and content hash
canonical = [ 
    "POST",
    headers[ "Content-Type"],
    content_md5,
    headers[ "Date"],
    path,
    headers[ "X-Le-Nonce"],
].join("\n")

# Calculate HMAC hash and encode it in base 64
# PASSWORD contains a shared secret code
dg = OpenSSL::Digest.new( 'sha1')
signature = Base64.encode64( OpenSSL::HMAC.digest( dg, PASSWORD, canonical)).strip

In PHP:

$path = $_SERVER[ 'REQUEST_URI']; # Platform-dependent

# Calculate MD5 hash of the content
$content_md5 = base64_encode( md5( $content, TRUE));

# Construct canonical string from header fields and content hash
$canonical = join( "\n", array(
        'POST',
        $headers[ 'Content-Type'],
        $content_md5,
        $headers[ 'Date'],
        $path,
        $headers[ 'X-Le-Nonce']
));

# Calculate HMAC hash and encode it in base 64
# PASSWORD contains a shared secret code
$signature = base64_encode( hash_hmac( 'sha1', $canonical, $PASSWORD, TRUE));

Apart from checking the username and the signature, make sure that the timestamp is reasonably recent and that the nonce hasn’t been sent yet (to avoid replay attacks).
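A receiver-side check that combines the signature, Date freshness and nonce tests described above, added here as an example and not Logentries' own code. The 300-second window, the in-memory nonce store, the function names, and the sample secret, body and nonce are assumptions made for the example.

```python
import base64, hashlib, hmac, time
from email.utils import parsedate_to_datetime

MAX_SKEW = 300   # seconds; assumed freshness window, not a value from the page
SEEN = {}        # nonce -> time first seen (in-memory; use a shared store across workers)

def sign(secret, content_type, body, date, path, nonce):
    """Base64 HMAC-SHA1 over the canonical string described above."""
    md5 = base64.b64encode(hashlib.md5(body).digest()).decode()
    canonical = "\n".join(["POST", content_type, md5, date, path, nonce])
    return base64.b64encode(hmac.new(secret, canonical.encode(), hashlib.sha1).digest()).decode()

def verify(headers, path, body, users, now=None):
    """Return (ok, reason); users maps username -> shared secret as bytes."""
    now = time.time() if now is None else now
    scheme, _, cred = headers.get("Authorization", "").partition(" ")
    user, _, sent_sig = cred.partition(":")
    if scheme != "LE" or user not in users:
        return False, "unknown user"
    date, nonce = headers.get("Date", ""), headers.get("X-Le-Nonce", "")
    # The MD5 is recomputed from the received body, so a modified body changes the HMAC
    expected = sign(users[user], headers.get("Content-Type", ""), body, date, path, nonce)
    # Constant-time compare, so timing does not reveal how much of the value matched
    if not hmac.compare_digest(expected.encode(), sent_sig.encode()):
        return False, "bad signature"
    try:
        sent = parsedate_to_datetime(date).timestamp()
    except (TypeError, ValueError):
        return False, "bad date"
    if abs(now - sent) > MAX_SKEW:
        return False, "stale date"
    # Drop nonces too old to pass the date check, then refuse any repeat
    for old in [n for n, t in SEEN.items() if now - t > 2 * MAX_SKEW]:
        del SEEN[old]
    if nonce in SEEN:
        return False, "replayed nonce"
    SEEN[nonce] = now
    return True, "ok"

def sample_request(secret=b"s3cret"):
    """Constructed request: made-up body, secret and nonce; header layout from the page."""
    body, path = b"payload=%7B%22alert%22%3A%7B%22name%22%3A%22500+error%22%7D%7D", "/webhook"
    h = {"Content-Type": "application/x-www-form-urlencoded",
         "Date": "Mon, 28 Jan 2013 22:01:58 GMT", "X-Le-Nonce": "constructed-nonce-1"}
    h["Authorization"] = "LE user:" + sign(secret, h["Content-Type"], body, h["Date"], path, h["X-Le-Nonce"])
    return h, path, body
```

Pass the raw request body bytes and the request path exactly as received, since re-encoding either one changes the canonical string.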
