LogRhythm supports an optional programmatic interface to maintain the integrity of information shared between LogRhythm and external data sources. This includes the ability to automate the exchange and synchronization of configuration data to enhance administrative functions, as well as to extend monitoring and analysis functions.

The LogRhythm SOAP API allows you to build or integrate your own applications that extend the LogRhythm solution. Possible uses of the API include:

  • Synchronizing hosts with external systems
  • Automating list management for use within investigations or reports
  • Building a custom application which displays user alarms and associated logs

The SOAP API settings can be modified in the Configuration Manager.

Technology

The LogRhythm Web Services are intended to provide interoperability with multiple development languages and platforms. The APIs exchange data as XML over HTTP using the SOAP protocol. The services conform to the Web Services Interoperability (WS-I) Basic Profile 1.1 standard. The services provide a Web Services Description Language (WSDL) descriptor which can be used to generate proxy classes in .NET, Java or other languages. The services are implemented using the Microsoft .NET Windows Communication Foundation (WCF) platform and are hosted in the Microsoft Internet Information Services (IIS) web server.

Security

The LogRhythm SOAP API uses a number of standard protocols to ensure the security and integrity of solutions built using the API.

  • The API requires TLS / HTTPS encryption to secure the contents of messages being exchanged. Upon installation, this encryption uses a self-signed certificate, but the installation instructions describe how to use your own PKI trusted certificate for added security.
  • The API requires either basic user name / password authentication or Windows authentication. Different URLs are provided which are configured for each type of authentication. Windows authentication requires extra Kerberos configuration. For setup information, see the LogRhythm SOAP API Windows Authentication Setup guide.
  • LogRhythm users must be authorized to use the LogRhythm SOAP API in the LogRhythm Client Console. API access is off by default and can be enabled for existing users or new service accounts. To enable access for existing users, modify the associated user profile or associate the user with a new user profile which has API access enabled. To create a dedicated service account, create a new person and user associated with a user profile which has API access enabled.
  • The Application Pool is set up with an account to the LogRhythm database for mediating connections.
  • In the case of a mixed Windows and SQL authentication system, two accounts need to be defined to manage global shared caching.
  • Alarms, Log Sources and Lists will be restricted via the API just like they are within the LogRhythm Client Console.
  • The SOAP API Service Administrator security role provides unrestricted data access just like the Global Administrator has, but direct database access is restricted to only what is required by the LogRhythm SOAP API.

Deployment

The LogRhythm SOAP API is hosted within Microsoft Internet Information Services (IIS) on a separate server. Installing the API on a LogRhythm appliance is neither recommended nor supported because it may interfere with the function or performance of other LogRhythm services.

The API accesses SQL Server databases on the appliances in your environment, so TCP port 1433 must be open between these systems. For information about how to install and configure the LogRhythm SOAP API, see the SOAP API Installation Guide.

Call Web Services

Call Web Services from Visual Studio

  1. Ensure the web server certificate is trusted from your development system.
  2. Create a new Visual Studio project for your application.
  3. Add a Service Reference to the project. Specify one of the service URLs listed above.
  4. Create a service client proxy class.
  5. For basic authentication, set the user name and password (ClientCredentials.UserName.UserName and ClientCredentials.UserName.Password).
  6. Call a service method.

Call Web Services from Java

To consume SOAP services from Java, you’ll need a third-party toolkit such as GlassFish Metro or Apache SOAP.

If you are using the self-signed certificate, it must be imported into the Java Keystore.

Call Web Services from Python

To consume SOAP services from Python, you need a third-party toolkit such as Suds.
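The trust and authentication requirements described above (HTTPS, a trusted server certificate, basic authentication), as an added Python example that is not LogRhythm's own code: it fetches a WSDL document with the standard library only, after which a SOAP toolkit such as Suds can take over. The host name, URL path, file name and account values are placeholders or assumptions.

```python
import base64
import ssl
import urllib.request
from urllib.parse import urlsplit

# Placeholder, not a real LogRhythm URL: use a WSDL URL from your deployment.
WSDL_URL = "https://lr-api.example.internal/PLACEHOLDER-WSDL-PATH"


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Refuse redirects so the Authorization header is never replayed elsewhere."""

    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None  # urllib then raises HTTPError for the 3xx response


def build_tls_context(server_cert_pem=None):
    """Return a TLS context that always verifies certificate and host name.

    server_cert_pem: path to the API server's self-signed certificate (or your
    PKI root) exported as PEM. When given, it is the only trust anchor loaded.
    The host name in the URL must still match a name in the certificate.
    """
    if server_cert_pem is None:
        return ssl.create_default_context()  # PKI-issued cert, system trust store
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # CERT_REQUIRED + hostname check
    ctx.load_verify_locations(cafile=server_cert_pem)
    return ctx


def build_wsdl_request(url, username, password):
    """Build a basic-authentication GET request, refusing anything but HTTPS."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("basic authentication must only be sent over HTTPS")
    token = base64.b64encode(f"{username}:{password}".encode("utf-8"))
    req = urllib.request.Request(url, method="GET")
    req.add_header("Authorization", "Basic " + token.decode("ascii"))
    return req


def fetch_wsdl(url, username, password, server_cert_pem=None, timeout=10):
    """Download the WSDL; an untrusted certificate makes urlopen fail, not warn."""
    req = build_wsdl_request(url, username, password)
    handler = urllib.request.HTTPSHandler(context=build_tls_context(server_cert_pem))
    opener = urllib.request.build_opener(handler, NoRedirect())
    with opener.open(req, timeout=timeout) as resp:
        return resp.read()
```

With the default self-signed certificate, export it from the API server and pass its path as `server_cert_pem` rather than turning certificate verification off.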

Development

The following table lists the URLs to request the WSDL for each service. Web Services Description Language (WSDL) is a SOAP XML description of the services and their parameters. Many development tools can create proxy classes from the WSDL, which makes calling the service easier. For more information about each of these services, see the SOAP API Reference Guide (LogRhythm 7.x.x).