An application built to ingest any type of raw logs into a Sentinel workspace over HTTPS using the Log Ingestion API. It is similar to the HTTP Event Collector described in the Splunk documentation.
- Authentication: JWT-based authentication for secure access.
- Log Ingestion: Accepts any type of raw logs and ingests them into your workspace.
- Sentinel Integration: Supports Microsoft Sentinel ingestion using the Log Ingestion API.
- Ensure Node.js v22 is installed on your system.
- Clone the repository.
- Install dependencies:

  ```
  npm ci
  ```

- Install Devtunnel to host your localhost server through a reverse proxy (Guide).
- Deploy the templates for the DCE, DCR and table (Template).
- Copy the Log Ingestion Endpoint of the deployed DCE and the Immutable Id of the deployed DCR.
- Initialise the reverse proxy to `localhost:3000`:

  ```
  npm run devtunnel
  ```
- Configuring environment variables: create a `.env` file and add the following variables with the values copied earlier (the DCE's Log Ingestion Endpoint and the DCR's Immutable Id):

  ```
  DCE_URL=<Log Ingestion Endpoint of the DCE>
  DCR_RULE_ID=<Immutable Id of the DCR>
  ```
- Start the application:

  ```
  npm run start
  ```
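The two `.env` values feed the call the server makes upstream to the Logs Ingestion API. The following is an added example and not the project's own code: it validates `DCE_URL` and `DCR_RULE_ID` before anything is sent, builds the ingestion URL in the `{DCE}/dataCollectionRules/{DCR immutable id}/streams/{stream}?api-version=2023-01-01` form the API expects, and wraps raw client events into records tagged with the source type. The stream name `Custom-RawLogs_CL` and the record field names (`TimeGenerated`, `SourceType`, `RawData`) are assumptions, as is the shape of the helper functions; the real project may use different names.

```javascript
// Added example (not from the project): validate the .env settings and build the
// upstream Logs Ingestion API request for one batch of raw logs.
// Assumptions: stream name "Custom-RawLogs_CL" and the record field names below
// are illustrative; the real DCR/table schema decides them.
const API_VERSION = "2023-01-01"; // GA api-version of the Logs Ingestion API

// A DCR immutable id is "dcr-" followed by 32 hex characters.
const DCR_ID_PATTERN = /^dcr-[0-9a-f]{32}$/i;

// Read and check DCE_URL / DCR_RULE_ID; fail fast on a bad value so that
// misconfiguration is reported at start-up rather than as 4xx errors later.
function loadIngestionConfig(env = process.env) {
  const dceUrl = (env.DCE_URL || "").trim().replace(/\/+$/, "");
  const dcrId = (env.DCR_RULE_ID || "").trim();
  if (!dceUrl) throw new Error("DCE_URL is not set");
  let parsed;
  try {
    parsed = new URL(dceUrl);
  } catch {
    throw new Error("DCE_URL is not a valid URL");
  }
  if (parsed.protocol !== "https:") throw new Error("DCE_URL must use https");
  if (!DCR_ID_PATTERN.test(dcrId)) throw new Error("DCR_RULE_ID does not look like a DCR immutable id");
  return { dceUrl, dcrId };
}

// URL of the ingestion endpoint for a given stream (stream name is an assumption).
function ingestionUrl(cfg, streamName = "Custom-RawLogs_CL") {
  return `${cfg.dceUrl}/dataCollectionRules/${cfg.dcrId}/streams/` +
    `${encodeURIComponent(streamName)}?api-version=${API_VERSION}`;
}

// Turn the raw client events into records: keep the original event as a JSON
// string, tag it with the source type and give it a TimeGenerated value
// (the event's own timestamp when it parses, otherwise the receive time).
function toRecords(rawLogs, sourceType = "Custom") {
  if (!Array.isArray(rawLogs) || rawLogs.length === 0) {
    throw new Error("body must be a non-empty JSON array");
  }
  return rawLogs.map((log) => {
    const ts = typeof log.timestamp === "string" && !Number.isNaN(Date.parse(log.timestamp))
      ? new Date(log.timestamp)
      : new Date();
    return { TimeGenerated: ts.toISOString(), SourceType: sourceType, RawData: JSON.stringify(log) };
  });
}

// Assemble the upstream POST. The Entra bearer token for the DCE is obtained
// separately (e.g. via @azure/identity) and passed in; it is never the client's JWT.
function buildUpstreamRequest(cfg, bearerToken, rawLogs, sourceType) {
  const records = toRecords(rawLogs, sourceType);
  return {
    url: ingestionUrl(cfg),
    init: {
      method: "POST",
      headers: { "Content-Type": "application/json", Authorization: `Bearer ${bearerToken}` },
      body: JSON.stringify(records),
    },
  };
}
```

The https check and the immutable-id pattern are cheap guards against a pasted endpoint or id that is subtly wrong; the trailing-slash trim avoids a doubled `//` in the URL when the endpoint is copied with one.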
- Make a POST request to the `/login` endpoint to get the token, with the following credentials in the body:

  ```
  { "username": "admin", "password": "passowrd" }
  ```
- Send logs by making a POST request to the `/data?sourceType={sourceName}` endpoint. The source name is tagged onto the logs when they are ingested and defaults to `Custom`.

  Headers:

  ```
  { "Authentication": "Bearer {token}" }
  ```

  Body:

  ```
  [
    {
      "timestamp": "2025-03-26T12:34:56Z",
      "level": "error",
      "message": "Database connection failed",
      "service": "user-auth-service",
      "error": {
        "code": "DB_CONN_TIMEOUT",
        "details": "Connection to database timed out after 30 seconds"
      }
    },
    {
      "timestamp": "2025-03-26T14:20:10Z",
      "level": "error",
      "message": "Failed to fetch user details",
      "service": "user-profile-service",
      "error": {
        "code": "USER_NOT_FOUND",
        "details": "No user found with the given ID"
      }
    }
  ]
  ```
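The login-then-send exchange above, written as a small client. This is an added example, not code from the project: it assumes the server listens at `http://localhost:3000`, that the `/login` response carries the JWT in a `token` field, and it uses the header name `Authentication` exactly as documented above. `fetchImpl` is injectable so the flow can be exercised without a running server; the sample events are the two from the README body.

```javascript
// Added example (not from the project): a minimal client for /login and /data.
// Assumptions: base URL http://localhost:3000, a "token" field in the login
// response, and the README's documented default credentials.
const DEFAULT_CREDENTIALS = { username: "admin", password: "passowrd" }; // README defaults

// Sample events, copied from the README body.
const SAMPLE_EVENTS = [
  { timestamp: "2025-03-26T12:34:56Z", level: "error", message: "Database connection failed",
    service: "user-auth-service", error: { code: "DB_CONN_TIMEOUT", details: "Connection to database timed out after 30 seconds" } },
  { timestamp: "2025-03-26T14:20:10Z", level: "error", message: "Failed to fetch user details",
    service: "user-profile-service", error: { code: "USER_NOT_FOUND", details: "No user found with the given ID" } },
];

function buildLoginRequest(baseUrl, credentials = DEFAULT_CREDENTIALS) {
  return {
    url: new URL("/login", baseUrl).toString(),
    init: { method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify(credentials) },
  };
}

// Validate the batch client-side and build the /data request. sourceType goes
// through URLSearchParams, so a name containing spaces, '&' or '#' cannot
// alter the query string.
function buildIngestRequest(baseUrl, token, sourceType, events) {
  if (!Array.isArray(events) || events.length === 0) throw new Error("events must be a non-empty array");
  for (const e of events) {
    if (typeof e.timestamp !== "string" || Number.isNaN(Date.parse(e.timestamp))) {
      throw new Error("each event needs an ISO-8601 timestamp");
    }
  }
  const url = new URL("/data", baseUrl);
  url.search = new URLSearchParams({ sourceType }).toString();
  return {
    url: url.toString(),
    init: {
      method: "POST",
      // Header name exactly as the README specifies it.
      headers: { "Content-Type": "application/json", Authentication: `Bearer ${token}` },
      body: JSON.stringify(events),
    },
  };
}

// Log in, check that a JWT came back, then send the batch.
async function sendLogs(baseUrl, sourceType, events, { credentials = DEFAULT_CREDENTIALS, fetchImpl = fetch } = {}) {
  const login = buildLoginRequest(baseUrl, credentials);
  const loginRes = await fetchImpl(login.url, login.init);
  if (!loginRes.ok) throw new Error(`login failed: HTTP ${loginRes.status}`);
  const { token } = await loginRes.json(); // "token" field is an assumption
  if (typeof token !== "string" || token.split(".").length !== 3) {
    throw new Error("login response did not contain a JWT");
  }
  const ingest = buildIngestRequest(baseUrl, token, sourceType, events);
  const res = await fetchImpl(ingest.url, ingest.init);
  if (!res.ok) throw new Error(`ingest failed: HTTP ${res.status}`);
  return { status: res.status, sent: events.length };
}
```

Against a running instance, `sendLogs("http://localhost:3000", "Custom", SAMPLE_EVENTS)` performs the documented exchange; Node.js v22 provides `fetch` globally, so no extra dependency is needed.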