The create command provisions a new SIEM Collector service.

JSON Input Data Format
{
    "name": string,
    "sourcetype": string,
    "source": string,
    "logtype": string,
    "logname": string,
    "parser": string,
    "filter": string
}
name * Specifies the name for the Collector, which can be any name.
sourcetype * Indicates the source type, which can be one of the following:
  • instance - Indicates that the source is an instance.
  • skynode - Indicates that the source is a Sky Node.
  • nexus-log - Specifies that the source is the Nexus Server for non-API interactions.
  • nexus-api - Specifies that the source is the Nexus Server for API interactions.
source Based on the source type, this field specifies either the instance ID or the cloud ID of a Sky Node. If the source type is set to a Nexus type, this field will be ignored.
logtype * Indicates the log type, which can be one of the following:
  • file - Specifies that the data collection will be from a file.
  • docker - Specifies that the data collection will be from docker files.
  • system - Specifies that the source is the operating system log.
logname Based on the log type, this field specifies the path and name of the log file or the system logs.
parser * The parser field indicates which pre-defined parser to use for scanning the logs. If the field begins with "regex", the custom regular expression that follows it defines a custom parser for log scanning (see the example below). The following pre-defined parsers are available:
  • json - JSON log parser
  • apache, apache2 - Apache Http log parser
  • nginx - Nginx Http log parser
  • docker - Docker log parser
  • systemd - System log parser
  • custom parser - Example of a custom parser definition using named capture groups:
    example log => 10.1.0.1 GET /login everything is cool
    example parser => regex ^(?<ip>.*?) (?<method>.*?) (?<uri>.*?) (?<message>.*?)$
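To check a custom parser expression against sample lines before submitting it, here is an added Python example; it is not code from the page or from the Collector itself. It uses the page's example parser and log line. Python's re module spells named groups as (?P<name>...) rather than the (?<name>...) form shown above, so the helper rewrites that prefix for local testing only (an assumption about Python syntax, not about how the Collector compiles the expression). Lines the anchored expression does not match come back as None, which is the case a practitioner most wants to see.

```python
import re
from typing import Dict, List, Optional

# The example log line and custom parser string from the page.
EXAMPLE_LOG = "10.1.0.1 GET /login everything is cool"
EXAMPLE_PARSER = r"regex ^(?<ip>.*?) (?<method>.*?) (?<uri>.*?) (?<message>.*?)$"

# Python's re module only understands (?P<name>...) for named groups; the page's
# (?<name>...) form is rewritten here so the expression can be tested locally.
# Lookbehinds such as (?<=...) are left alone because '=' and '!' cannot start a name.
_NAMED_GROUP = re.compile(r"\(\?<(?P<name>[A-Za-z_][A-Za-z0-9_]*)>")


def compile_custom_parser(parser_field: str) -> re.Pattern:
    """Compile the regular expression from a 'regex <expression>' parser field."""
    prefix, _, expression = parser_field.partition(" ")
    if prefix != "regex":
        raise ValueError("not a custom parser: the field must begin with 'regex'")
    expression = expression.strip()
    if not expression:
        raise ValueError("custom parser has no regular expression after 'regex'")
    return re.compile(_NAMED_GROUP.sub(r"(?P<\g<name>>", expression))


def parse_line(pattern: re.Pattern, line: str) -> Optional[Dict[str, str]]:
    """Return the named fields for one log line, or None when the line does not match."""
    match = pattern.match(line)
    return match.groupdict() if match else None


def field_names(pattern: re.Pattern) -> List[str]:
    """The field names a filter rule can refer to once this parser has run."""
    return list(pattern.groupindex)


if __name__ == "__main__":
    parser = compile_custom_parser(EXAMPLE_PARSER)
    print(field_names(parser))                      # ['ip', 'method', 'uri', 'message']
    print(parse_line(parser, EXAMPLE_LOG))          # all four fields populated
    print(parse_line(parser, "malformed line"))     # None: the anchored pattern needs four fields
```

Because every group is lazy (.*?) and only the last one is pinned by $, the first three fields stop at the first space each, and "message" absorbs the rest of the line; a line with fewer than four space-separated parts does not match at all rather than producing partial fields.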
filter Specifies a semicolon-separated (;) list of filter rules to be applied. You can pass an empty string to remove all filters. The following format must be used for the filter:

OPERATOR->FIELDNAME PATTERN;...

  • OPERATOR:
    Defines the inclusion or exclusion rule, which can be:
    • inc - to include if the pattern matches.
    • exc - to exclude if the pattern matches.
  • ->:
    Indicates the separator of the pattern rule, which must be specified as a dash "-" followed by the greater-than ">" symbol (i.e., ->).
  • FIELDNAME PATTERN:
    Specifies the field name to match the pattern against, followed by the text pattern to be used. A space must be placed between the FIELDNAME and PATTERN.
Here are some examples:
  • inc->_COMM sshd
    This rule will include only messages that contain the value "sshd" in the _COMM field.
  • exc->uri common.svg
    This rule will exclude all messages that contain "common.svg" in the uri field.
  • combined "filter" value
    To set both of the example rules above, the "filter" string value would look like this:
    inc->_COMM sshd;exc->uri common.svg
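As an added example, not code from the page or from the Collector, the Python below parses a "filter" value in the OPERATOR->FIELDNAME PATTERN;... format and applies it to records that a parser has already split into fields. The page does not spell out how several rules combine or how PATTERN is matched, so the code makes these assumptions: every inc rule must match for a record to be kept, any matching exc rule drops it, a field absent from the record never matches, and PATTERN is a plain substring test (the page's wording is "contain the value"). The sample records are constructed for the example.

```python
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class FilterRule:
    operator: str   # "inc" or "exc"
    field: str      # FIELDNAME, e.g. "_COMM" or "uri"
    pattern: str    # PATTERN, everything after the first space


def parse_filter(filter_value: str) -> List[FilterRule]:
    """Parse 'OPERATOR->FIELDNAME PATTERN;...' into rules.

    An empty string yields no rules, matching the page's note that an empty
    "filter" value removes all filters.
    """
    rules: List[FilterRule] = []
    for raw in filter_value.split(";"):
        raw = raw.strip()
        if not raw:
            continue
        operator, separator, rest = raw.partition("->")
        if not separator:
            raise ValueError(f"missing '->' separator in rule {raw!r}")
        operator = operator.strip()
        if operator not in ("inc", "exc"):
            raise ValueError(f"unknown operator {operator!r} in rule {raw!r}")
        # The first space splits FIELDNAME from PATTERN; the pattern may itself contain spaces.
        field, space, pattern = rest.strip().partition(" ")
        if not space or not pattern:
            raise ValueError(f"rule {raw!r} needs 'FIELDNAME PATTERN' with a space between them")
        rules.append(FilterRule(operator, field, pattern))
    return rules


def keep_record(record: Dict[str, str], rules: List[FilterRule]) -> bool:
    """Assumed semantics: all inc rules must match, any exc match drops the record,
    and a field missing from the record never matches."""
    for rule in rules:
        value = record.get(rule.field)
        matched = value is not None and rule.pattern in value
        if rule.operator == "inc" and not matched:
            return False
        if rule.operator == "exc" and matched:
            return False
    return True


def apply_filter(records: List[Dict[str, str]], filter_value: str) -> List[Dict[str, str]]:
    """Return only the records that pass every rule in filter_value."""
    rules = parse_filter(filter_value)
    return [record for record in records if keep_record(record, rules)]


# Constructed sample records; _COMM mirrors the systemd journal field used in the page's example.
SAMPLE_RECORDS = [
    {"_COMM": "sshd", "uri": "/login", "message": "accepted publickey"},
    {"_COMM": "sshd", "uri": "/static/common.svg", "message": "GET asset"},
    {"_COMM": "cron", "uri": "/login", "message": "job started"},
    {"uri": "/login", "message": "record without a _COMM field"},
]

if __name__ == "__main__":
    print(parse_filter("inc->_COMM sshd;exc->uri common.svg"))
    print(apply_filter(SAMPLE_RECORDS, "inc->_COMM sshd;exc->uri common.svg"))  # only the first record
    print(len(apply_filter(SAMPLE_RECORDS, "")))                                 # 4: no filters at all
```

With the page's combined value only the first sample record survives: the second is dropped by the exc rule on uri, the third fails the inc rule on _COMM, and the fourth has no _COMM field, which under the assumed semantics counts as not matching. If the Collector treats a missing field or the pattern differently (for example as a regular expression), only keep_record needs to change.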
* Indicates a mandatory field.
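To check a request body against the rules in the field list before sending it, here is an added Python example; it is not the Collector's own validation code. The field names, allowed values and mandatory fields are taken from the list above. Two choices are this example's own: any key outside the seven listed is reported as an error, and a "source" value given with a Nexus source type is reported separately as ignored rather than as an error, since the page says the field is ignored in that case. The sample values in the usage block are constructed.

```python
from typing import Any, Dict, List

KNOWN_FIELDS = {"name", "sourcetype", "source", "logtype", "logname", "parser", "filter"}
MANDATORY_FIELDS = ("name", "sourcetype", "logtype", "parser")   # the fields marked * above
SOURCETYPES = {"instance", "skynode", "nexus-log", "nexus-api"}
NEXUS_SOURCETYPES = {"nexus-log", "nexus-api"}
LOGTYPES = {"file", "docker", "system"}
PREDEFINED_PARSERS = {"json", "apache", "apache2", "nginx", "docker", "systemd"}


def validate_create_request(body: Dict[str, Any]) -> List[str]:
    """Return the problems found; an empty list means the body satisfies the listed rules."""
    problems: List[str] = []

    for key, value in body.items():
        if key not in KNOWN_FIELDS:
            problems.append(f"unknown field {key!r}")
        elif not isinstance(value, str):
            problems.append(f"field {key!r} must be a string")

    for key in MANDATORY_FIELDS:
        if not isinstance(body.get(key), str) or not body[key].strip():
            problems.append(f"mandatory field {key!r} is missing or empty")

    sourcetype = body.get("sourcetype")
    if isinstance(sourcetype, str) and sourcetype and sourcetype not in SOURCETYPES:
        problems.append(f"sourcetype {sourcetype!r} is not one of {sorted(SOURCETYPES)}")

    logtype = body.get("logtype")
    if isinstance(logtype, str) and logtype and logtype not in LOGTYPES:
        problems.append(f"logtype {logtype!r} is not one of {sorted(LOGTYPES)}")

    parser = body.get("parser")
    if isinstance(parser, str) and parser.strip():
        if parser == "regex" or parser.startswith("regex "):
            # Custom parser: the page requires an expression after "regex".
            if not parser[len("regex"):].strip():
                problems.append("custom parser needs a regular expression after 'regex'")
        elif parser not in PREDEFINED_PARSERS:
            problems.append(f"parser {parser!r} is neither pre-defined nor a 'regex ...' custom parser")

    return problems


def ignored_fields(body: Dict[str, Any]) -> List[str]:
    """Fields the page says the Collector will ignore for this body (not errors)."""
    if body.get("sourcetype") in NEXUS_SOURCETYPES and body.get("source"):
        return ["source"]
    return []


if __name__ == "__main__":
    # Constructed sample body.
    body = {
        "name": "web-access",
        "sourcetype": "instance",
        "source": "i-0123-constructed",
        "logtype": "file",
        "logname": "/var/log/nginx/access.log",
        "parser": "nginx",
        "filter": "exc->uri common.svg",
    }
    print(validate_create_request(body))   # []
    print(ignored_fields({"sourcetype": "nexus-api", "source": "abc"}))   # ['source']
```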

Successful Response
{
    "result": "OK",
    "payload": "The process was successfully completed",
    "id": "V7-49ff499f-xxxx-xxxx-xxxx-b47fxxxx99af"
}

Failed Response
{
    "result": "ERR",
    "message": "Error message ..."
}