API Documentation
Want to use your Loggly information outside of the Dashboard? Loggly's API gives you access to your information and allows you to:
- Send and Retrieve Events
- Add, View or Delete inputs
- Add, View, or Delete devices
Loggly's API allows for easy access to your log data, so you can create and use data in application development and deployment without having to mess around with the dashboard. If you need a Python API, check out Python Logging and Hoover.
Sending Events via the APIs
Events can be sent into Loggly via syslog or HTTP POSTs. If you need to configure your servers to send Loggly data via a syslog based service, please refer to the Logging Configuration page.
To send in events via the APIs, through HTTP POSTs, you'll use the hostname logs.loggly.com (instead of the [subdomain].loggly.com format used by the other API calls). The APIs on the proxy cluster support both HTTP and HTTPS, and use a SHA-2 key in the URL for validation. These keys can be generated by creating an HTTP input type from the Input Management page on your Loggly account. Here's an example input URL:
http://logs.loggly.com/inputs/83e527d7-fad3-4d93-89da-0c2d8c0bcd6c
If your servers are located on AWS US-East-1, you can use the host ec2.logs.loggly.com to send logs to us without incurring transfer charges. We'll be adding deployments in other regions soon.
To create an HTTP input, log in to your account, then navigate to the inputs tab. Click on the add input button at the bottom of the page and then provide a name and description for the input.
Once you create an HTTP input, you'll be taken to the input detail page, which will contain the URL you can use to send data to that particular input. If you need to rotate the SHA-2 key associated with a particular input, you can click on the generate new URL button at the bottom of the input detail page.
Testing
You can test the newly created input by sending in some test POST data via curl:
curl -H "content-type:text/plain" -d "127.0.0.1 - there's no place like home" http://logs.loggly.com/inputs/83e527d7-fad3-4d93-89da-0c2d8c0bcd6c
Keep in mind that the SHA-2 key above is an example, and you'll need your own key in there for it to work!
If you don't have curl, you can use wget instead:
wget --quiet -O - --header "content-type:text/plain" --post-data "127.0.0.1 - there's no place like earth" http://logs.loggly.com/inputs/83e527d7-fad3-4d93-89da-0c2d8c0bcd6c
The JSON result from a POST to an input contains a response and timestamp:
{ 'response': 'ok' }
Encoding
If you are sending us events via HTTP, you must correctly encode your POST data. If we see a header with 'application/x-www-form-urlencoded' as the content-type, we'll convert it to JSON before storing it in your account. If we see a header with 'text/plain' as the content-type, we will leave the content alone and store it as regular text in your account.
Both curl and wget incorrectly set the content-type to 'application/x-www-form-urlencoded' by default. You'll need to set the content-type to 'text/plain' to store plain text events in your HTTP inputs.
Note: Some tools or libraries may add the urlencoded header even though they may not actually encode the POST data. If you don't encode your POST data, but the headers are set, you may see your data converted to a strange JSON format.
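The two content-type cases above, as an added Python example that is not part of Loggly's own code or documentation. It builds the POST over HTTPS so the key in the URL is not sent in clear, and always sets the header to match the body. The function names and the key-format check (taken from the shape of the example URLs on this page) are assumptions.

```python
import re
import urllib.request
from urllib.parse import urlencode

# Assumption: input keys have the 8-4-4-4-12 hex shape of this page's example URLs.
KEY_RE = re.compile(r"[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}")
INPUT_BASE = "https://logs.loggly.com/inputs/"  # HTTPS: URL path is encrypted in transit


def build_event_request(input_key, event):
    """Return a POST Request whose Content-Type matches how the body is encoded.

    str  -> sent untouched as text/plain (stored as regular text)
    dict -> actually form-encoded and labelled as such (converted to JSON)
    """
    if not KEY_RE.fullmatch(input_key):
        raise ValueError("input key is not in the expected format")
    if isinstance(event, dict):
        body = urlencode(event).encode("utf-8")
        ctype = "application/x-www-form-urlencoded"
    elif isinstance(event, str):
        body = event.encode("utf-8")
        ctype = "text/plain"
    else:
        raise TypeError("event must be str or dict")
    # Always set the header: given data and no Content-Type, urllib.request
    # adds application/x-www-form-urlencoded itself, which is the
    # header/body mismatch the note above describes.
    return urllib.request.Request(INPUT_BASE + input_key, data=body,
                                  headers={"Content-Type": ctype}, method="POST")


def redact_key(text):
    """Mask input keys before a URL reaches logs or error messages."""
    return KEY_RE.sub("[redacted-input-key]", text)


def send_event(input_key, event, timeout=10):
    """POST one event and return the HTTP status code."""
    req = build_event_request(input_key, event)
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.status
```

Because the key in the URL is the only credential for an input, pass URLs through `redact_key` before logging them.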
Retrieving Events via the APIs
Loggly APIs are accessed using your account's subdomain. An example of a subdomain+loggly.com address is pixlcloud.loggly.com. Loggly's APIs require authentication, and OAuth, BASIC Auth, and cookie-based authentication are supported.
Note: The API methods documented below are the 'official' APIs, but there are other methods that you may discover by sniffing the UI's traffic from your browser. If you happen to find and use these, please do so at your own risk. We will be adding more API calls here as soon as they are ready for public consumption. While we are keen on not changing the calls around on users, we may from time to time be required to update the methods.
Here's the layout of the URLs used to access our APIs:
http://[subdomain].loggly.com/api/[endpoint]
You can also use HTTPS for accessing the APIs:
https://[subdomain].loggly.com/api/[endpoint]
Search Methods
The search methods can return raw events, meta data we know about the events, and summary data (facets) on the events. By default, search contexts are constrained to the last 24 hours (relative time) and search across all inputs and devices.
Search URI
/search/
HTTP GET
Provides search results from an account.
Required
| Property | Description |
| q | String to search. See the Search Guide for reference on the Loggly query language. |
Optional
| Property | Description |
| rows | Number of rows returned by search. Defaults to 10, maximum of 2000. |
| start | Offset for starting row. Defaults to 0. |
| from | Start time for the search. Defaults to NOW-24HOURS. |
| until | End time for the search. Defaults to NOW. |
| order | Direction of results returned, either 'asc' or 'desc'. Defaults to 'desc'. |
| callback | JSONP callback to receive a JSONP response. |
| format | Output format, either 'json', 'xml', 'csv', or 'text'. Defaults to 'json' |
| fields | Which fields should be output. One or more of the following separated by commas: 'id', 'timestamp', 'ip', 'inputname', 'text'. |
Note: When passing in time differences such as 'NOW-1DAY+1MINUTE', be sure you encode the '+' as %2B.
Sample Query
curl -u [user]:[pass] 'http://[subdomain].loggly.com/api/search?q=404'
JSON Output
{
"data": [
{
"timestamp": "2010-02-17 02:08:45.912-0700",
"inputname": "solrclient",
"ip": "127.0.0.1",
"text": "btpool0-87 SolrCore.execute INFO: [repo_6] webapp=/solr path=/select/ params={sort=timestamp+desc&start=0&q=404&version=2.2&rows=100} hits=7182 status=0 QTime=0 \n"
},
{
"timestamp": "2010-02-17 02:08:29.123-0700",
"inputname": "solrclient",
"ip": "127.0.0.1",
"text": "btpool0-87 SolrCore.execute INFO: [repo_6] webapp=/solr path=/select/ params={sort=timestamp+desc&start=0&q=404&version=2.2&rows=100} hits=7182 status=0 QTime=3 \n"
}
],
"numFound": 2070,
"context": {
"rows": 10,
"from": "NOW-1DAY",
"until": "NOW",
"start": 0,
"query": "404",
"order": "desc"
}
}
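An added Python example (not Loggly's own client code) that pages through a search with `start` and `rows` until `numFound` is reached, percent-encodes every parameter so a '+' in a time expression becomes %2B, and sends BASIC Auth in a header over HTTPS. The function names and the subdomain check are assumptions.

```python
import base64
import json
import re
import urllib.request
from urllib.parse import urlencode

MAX_ROWS = 2000  # documented ceiling for the 'rows' parameter


def search_url(subdomain, q, start=0, rows=10, **opts):
    """Build an HTTPS /api/search URL with every parameter percent-encoded."""
    # Accept a single DNS label only, so credentials cannot be steered
    # to another host through a crafted subdomain value.
    if not re.fullmatch(r"[a-z0-9]([a-z0-9-]*[a-z0-9])?", subdomain):
        raise ValueError("invalid subdomain")
    if not 1 <= rows <= MAX_ROWS:
        raise ValueError("rows must be between 1 and %d" % MAX_ROWS)
    params = {"q": q, "start": start, "rows": rows, **opts}
    # urlencode() emits '+' as %2B, so 'NOW-1DAY+1MINUTE' survives intact.
    return "https://%s.loggly.com/api/search?%s" % (subdomain, urlencode(params))


def iter_events(fetch, subdomain, q, rows=MAX_ROWS, **opts):
    """Yield all matching events, advancing 'start' until numFound is reached."""
    start = 0
    while True:
        page = fetch(search_url(subdomain, q, start=start, rows=rows, **opts))
        events = page["data"]
        yield from events
        start += len(events)
        if not events or start >= page["numFound"]:
            return


def basic_auth_fetch(user, password, timeout=30):
    """Return a fetch(url) that sends BASIC Auth in a header, not in the URL."""
    cred = base64.b64encode(("%s:%s" % (user, password)).encode()).decode()

    def fetch(url):
        req = urllib.request.Request(url, headers={"Authorization": "Basic " + cred})
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return json.load(resp)
    return fetch
```

Parameters whose names are Python keywords, such as `from`, are passed as `**{"from": "NOW-1DAY+1MINUTE"}`.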
Facet URIs
/facets/date/
/facets/ip/
/facets/input/
HTTP GET
Provides faceted results from an account on either date, ip, or input fields. Facets return counts of events over a time range.
Required Parameters
| Property | Description |
| q | String to search. See the Search Guide for reference on the Loggly query language. |
Optional Parameters
| Property | Description |
| from | Start time for the search. Defaults to NOW-1HOUR. |
| until | End time for the search. Defaults to NOW. |
| buckets | Number of buckets the results are split into for a given time range. Defaults to 50. |
| gap | Set the gap time between buckets. Defaults to +1HOUR |
| facetby | Field to use for faceting the results. One of 'ip', 'inputname' or 'text'. |
| callback | JSONP callback to receive a JSONP response. |
| format | Output format, either 'json', 'xml', or 'text'. Defaults to 'json' |
Note: When passing in time differences such as 'NOW-1DAY+1MINUTE', be sure you encode the '+' as %2B.
Sample Query
curl -u [user]:[pass] -H "content-type:text/plain" 'http://[subdomain].loggly.com/api/facets/date/?q=404'
JSON Output
{
"numFound": 1484,
"gap": "+30MINUTES",
"gmt_offset": "-0700",
"start": 0,
"context": {
"rows": null,
"from": "NOW-1DAY/HOUR",
"until": "NOW+1HOUR/HOUR",
"start": 0,
"query": "404",
"order": "desc"
},
"data": {
"2010-05-13 11:00:00.123-0700": 3060,
"2010-05-13 15:57:10.223-0700": 1457,
"2010-05-13 20:54:20.232-0700": 5772,
"2010-05-14 06:48:40.233-0700": 1347,
"2010-05-14 01:51:30.235-0700": 644,
"2010-05-14 11:45:50.345-0700": 0
}
}
Inputs APIs
Methods to manage inputs associated with your Loggly account.
In the URIs below, [id] is specific to the input you set up within Loggly. To find the correct ID:
- Go to the inputs dashboard
- Click on the link to your 514 input
- Look at the URL, you'll find the [id] at the end of the URL (e.g. https://[subdomain].loggly.com/inputs/[id])
Input
/inputs/[id]/
HTTP GET
Provides an input or list of inputs for an account. Use an input id to return only that id's info.
Sample Query
curl -u <username>:<password> 'http://<subdomain>.loggly.com/api/inputs/'
JSON Output for a non HTTP input
[
{
"name": "syslog",
"service": {
"name": "syslogudp",
"display": "Syslog UDP"
},
"created": "2010-09-09 20:19:47",
"discover": false,
"discover_time": "2010-10-25 20:30:56",
"id": 147,
"port": 13261,
"description": "Syslog from all app servers",
"devices": [
{
"ip": "10.0.20.20",
"resource_uri": "/api/devices/13",
"name": "app-raffy-old",
"id": 13
}
]
}
]
JSON Output for an HTTP input
{
"name": "httptest",
"service": {
"name": "HTTP",
"display": "HTTP"
},
"created": "2011-01-07 19:41:33",
"input_token": "9076bdc4-9ed7-403a-9c85-f02da2404054",
"id": 337,
"description": "This is an HTTP input"
}
Querying specific inputs
You can either use the ID in the URI to query a specific input or you can use its name to do so. Here are two examples:
curl -u <username>:<password> 'http://<subdomain>.loggly.com/api/inputs/10'
This example queries the input with ID 10. Make sure you use the right ID. You cannot look at other users' inputs.
curl -u <username>:<password> 'http://<subdomain>.loggly.com/api/inputs/?name=mytestinput'
This example queries the input with name 'mytestinput'. You can use this in case you do not know the ID of an input. The name parameter works for all GET calls on the input API.
HTTP POST
Creates a new input on your account.
POST Parameters:
- name .. input name
- description .. description
- service .. syslogudp|syslogtcp|http|syslog_tls|syslogtcp_strip|syslogudp_strip
Sample Query
curl -u <username>:<password> -H "content-type:text/plain" -d 'name=My Input' -d 'description=My new super input' -d 'service=syslogtcp' 'http://<subdomain>.loggly.com/api/inputs/'
JSON Output
{
"name": "myinput",
"service": {
"name": "syslogtcp",
"display": "Syslog TCP"
},
"created": "2011-02-10 19:05:06",
"discover": true,
"discover_time": "2011-02-10 19:05:06",
"id": 416,
"port": 18249,
"description": "My new super input"
}
Add Device to Input
/inputs/<id>/adddevice/
HTTP POST
Programmatically adds the calling device to an input, allowing it to send the input data. See the Cloud Deployment page for more information on automatically enabling a server to send Loggly data. This call uses the requesting host's IP for the added device. If you need to add a different device, use the /devices/ call.
Sample Query
curl -X POST http://<username>:<password>@<subdomain>.loggly.com/api/inputs/<id>/adddevice/
Add Device to Syslog 514 Input
/inputs/<id>/add514
HTTP GET
Adds the calling device to a 514 UDP input's device list to allow it to send data. Required for devices that don't support changing port or protocol for their syslog transport. If you need to add a device from somewhere besides the device itself, use the /devices/ call.
The GET request should be done on an input that is a UDP port 514 input in your account. The call will fail if you try to run this on another type of input.
Sample Query
wget http://<username>:<password>@<subdomain>.loggly.com/api/inputs/<id>/add514
Remove Device from Input
/inputs/<id>/removedevice/
HTTP POST
Programmatically removes the calling device from an input. This call uses the requesting host's IP for it to be removed. If you need to remove a different device, use the /devices/ call.
Sample Query
curl -X POST http://<username>:<password>@<subdomain>.loggly.com/api/inputs/<id>/removedevice/
Put Input into discovery mode
/inputs/<id>/discover
HTTP POST
Puts the input with ID <id> into discovery mode.
Sample Query
curl -X POST http://<username>:<password>@<subdomain>.loggly.com/api/inputs/<id>/discover
HTTP DELETE
Takes an input out of discovery mode.
Sample Query
curl -X DELETE http://<username>:<password>@<subdomain>.loggly.com/api/inputs/<id>/discover
Devices APIs
Methods to manage devices associated with your Loggly account.
/devices/[id]/
HTTP GET
Provides a device or list of devices for an account.
Sample Query
curl -u [user]:[pass] 'http://[subdomain].loggly.com/api/devices/'
JSON Output
[
{
"name": "",
"ip": "24.4.108.196",
"input": [
{
"name": "zoto",
"id": 248
},
{
"name": "test",
"id": 501
}
],
"id": 393,
"launched": "2010-08-18 15:46:01",
"resource_uri": "/api/devices/393"
}
]
HTTP POST
Adds a device to an input.
Required
| Property | Description |
| input_id | Integer id for the input which will receive data from this device. |
| ip | Quad octet IP address of device which will send data to the input. |
Sample Query
curl -H "content-type:text/plain" -d input_id=314 -d ip=20.20.20.20 http://[username]:[password]@[subdomain].loggly.com/api/devices/
HTTP DELETE
Deletes a device from an input.
Required
Device ID or Device IP
Sample Query
curl -X DELETE http://[username]:[password]@[subdomain].loggly.com/api/devices/15
curl -X DELETE http://[username]:[password]@[subdomain].loggly.com/api/devices/10.0.20.233
Response Codes
These are fairly standard HTTP/RESTful response codes. From time to time we'll use them in our replies to your queries.
| Status | Message | Description |
| 200 | OK | Indicates that the request was successful. |
| 201 | Created | The object was successfully created. This is for a POST call. |
| 204 | Deleted | The object was deleted. This pertains to DELETE calls. |
| 400 | Bad Request | Check your request parameters. You might be using an unsupported parameter or have a malformed something or another. |
| 401 | Unauthorized | The credentials you specified were invalid. |
| 403 | Forbidden | User does not have privileges to execute the action. |
| 404 | Not Found | The resource you have referenced could not be found. |
| 409 | Conflict/Duplicate | There was some conflict. Most likely you are trying to create a resource that already exists. |
| 410 | Gone | You have referenced an object that does not exist. |
| 500 | Internal Server Error | There has been an error from which Loggly could not recover. We are likely notified when this happens. |
| 501 | Not Implemented | You are trying to access functionality that is not implemented. Yet. |
| 503 | Throttled | Like a needy child, you are overloading us with requests for events. Try again later. |
