All endpoints require authentication via the api_key query parameter.
Base URL: https://<LOGSIGN_HOST>
Table of Contents
1. Test API
Tests the API connection and validates the API key.
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| api_key | string | Yes | API key |
Example Request
GET /test_api?api_key=YOUR_API_KEY
Example Response
{
"success": true
}
2. Get Version
Returns the current Logsign SIEM version.
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| api_key | string | Yes | API key |
Example Request
GET /get_version?api_key=YOUR_API_KEY
Example Response
{
"success": true,
"version": "6.4.1"
}
3. Feed List (GET)
Returns all entries from the specified feed list.
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| api_key | string | Yes | API key |
| list_name | string | Yes | Name of the feed list |
| format | string | No | Set to txt to return the response as plain text |
Example Request
GET /feed_list?api_key=YOUR_API_KEY&list_name=blocked_ips
4. Feed List (POST)
Adds a new entry to the specified feed list.
Query Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| api_key | string | Yes | API key |
| list_name | string | Yes | Name of the feed list |
Body Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| value | string | Yes | The value to add |
| expire_time | int | No | Expiration time in seconds (default: 0 = no expiry) |
Example Request
POST /feed_list?api_key=YOUR_API_KEY&list_name=blocked_ips
Content-Type: application/json
{
"value": "192.168.1.100",
"expire_time": 3600
}
5. Get Count
Returns the event count for a given query, grouped by a specified column.
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| api_key | string | Yes | API key |
| query | string | Yes | Search query |
| grouped_column | string | Yes | Column name to group by |
| criteria | string | Yes | Aggregation criteria (e.g. count, sum) |
| time_frame | string | Yes | Time frame for the query |
Example Request
GET /get_count?api_key=YOUR_API_KEY&query=*&grouped_column=SourceIP&criteria=count&time_frame=last_1_hour
6. Get Events
Returns events matching the given query with pagination support.
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| api_key | string | Yes | API key |
| query | string | Yes | Search query |
| time_frame | string | Yes | Time frame for the query |
| page | int | No | Page number (default: 1) |
| size | int | No | Results per page (default: 100) |
Example Request
GET /get_events?api_key=YOUR_API_KEY&query=SourceIP:10.0.0.1&time_frame=last_1_hour&page=1&size=50
7. Get Columns
Returns grouped column values for a given query.
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| api_key | string | Yes | API key |
| query | string | Yes | Search query |
| grouped_column | string | Yes | Column name to group by |
| time_frame | string | Yes | Time frame for the query |
Example Request
GET /get_columns?api_key=YOUR_API_KEY&query=*&grouped_column=SourceIP&time_frame=last_24_hours
8. Get Incidents
By default this endpoint returns alert data (DataType:Alert) for backward compatibility. Since version 6.4.112, sending source=incident returns actual incident data instead, including incident status. This makes it possible to distinguish open and closed incidents.
Returns incidents created after the specified timestamp.
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| api_key | string | Yes | API key |
| last_run | string | Yes | Timestamp; returns incidents created after this time |
| query | string | No | Filter query |
| source | string | No |
Data source to return. Set to incident to return incident data (with status). If omitted, alert data is returned (default). |
Example Request
GET /get_incidents?api_key=YOUR_API_KEY&last_run=2026-04-17T00:00:00Z&query=severity:high
GET /get_incidents?api_key=YOUR_API_KEY&last_run=2026-04-17T00:00:00Z&source=incident
time_frame
curl --location 'https://YOUR_HOST/get_incidents?api_key=YOUR_API_KEY&time_frame=10%20min&query=*&source=incident'
curl --location 'https://YOUR_HOST/get_incidents?api_key=YOUR_API_KEY&time_frame=1%20hour&query=*&source=incident'
9. Set Incident Status
Closes an incident with the given reason and comment.
Query Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| api_key | string | Yes | API key |
| incident_id | string | Yes |
Incident ID. Either the Incident.ID column value or the DocID shown in the incident URL can be used; both work |
Body Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| reason_id | int | Yes | Close reason. See the reason list below. |
| comment | string | Yes | Comment describing why the incident is being closed. |
reason_id values
| reason_id | Meaning |
| 1 | False Positive |
| 2 | True Positive |
| 3 | No Action |
| 4 | Resolved |
| 5 | Other |
Example Request
POST /set_incident_status?api_key=YOUR_API_KEY&incident_id=123
Content-Type: application/json
{
"reason_id": 4,
"comment": "close comment str"
}
For example, sending reason_id 4 closes the incident as Resolved.
10. Incident Comment
Adds a comment to an incident.
Query Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| api_key | string | Yes | API key |
Body Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| incident_id | string | Yes | Incident ID |
| message | string | Yes | Comment text |
Example Request
POST /incident_comment?api_key=YOUR_API_KEY
Content-Type: application/json
{
"incident_id": "INC-001",
"message": "Incident reviewed and closed as false positive."
}
11. Get Alert Configs
Returns all alert configurations grouped by alert blocks.
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| api_key | string | Yes | API key |
Example Request
GET /get_alert_configs?api_key=YOUR_API_KEY
Example Response
[
{
"uid": "block-001",
"name": "Network Alerts",
"alerts": [
{
"uid": "alert-001",
"name": "High Traffic Alert",
"disabled": false,
"block_uid": "block-001"
}
]
}
]
Error Responses
| HTTP Code | Description |
|---|---|
| 403 | Invalid API key or missing required parameter |
| 400 | Invalid request body (JSON parse error) |
| 429 | Rate limit exceeded |
12. Get System Events
Returns system events (DataType:system) matching the given query with pagination support.
GET/get_system_events 30/min
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| api_key | string | Yes | API key |
| time_frame | string | Yes | Time frame for the query (format: <number> <unit>) |
| query | string | No | Search query (if omitted, all system events are returned) |
| page | int | No | Page number (default: 1) |
| size | int | No | Results per page (default: 100, max: 1000) |
time_frame units
| Unit | Meaning | Upper bound |
|---|---|---|
| min | Minutes | 1440 (24 hours) |
| hour | Hours | 168 (7 days) |
| day | Days | 7 |
Example Request
GET /get_system_events?api_key=YOUR_API_KEY&time_frame=1 hour
Example Response
{
"success": true,
"events": [
{
"Time": { "Generated": "..." },
"DataType": "system",
"...": "..."
}
],
"total_count": 1342
}Notes
- Results are sorted by
Time.Generateddescending (newest first). - Use
total_countto calculate total pages:ceil(total_count / size). - Unlike
/get_events, thequeryparameter is optional; omitting it returns all system events.
13. Data Collection List
Returns the list of data sources defined in the system: type, host, vendor/product (if set), logging state, enabled/disabled status and tags.
GET/data_collection_list 10/min
Parameters
| Parameter | Type | Required | Description |
|---|---|---|---|
| api_key | string | Yes | API key |
Example Request
GET /data_collection_list?api_key=YOUR_API_KEY
Example Response
{
"success": true,
"data_collection": [
{
"type": "Windows",
"description": "DC01 Windows Event Log",
"host": "10.0.0.15",
"vendor": "Microsoft",
"product": "Windows",
"logging_state": "Active",
"status": "Enabled",
"tags": "Domain Controller, Critical"
},
{
"type": "Syslog",
"description": "Legacy Firewall",
"host": "10.0.0.20",
"logging_state": "Passive",
"status": "Enabled",
"tags": "-"
}
],
"total_count": 2
}Notes
- The response does not include a raw last-log timestamp. Instead,
logging_statereports whether the source is currentlyActive(received logs within its expected health-check period) orPassive. -
statusreflects the source's admin configuration (Enabled/Disabled), not its logging activity. -
vendorandproductare only present when both are set on the source configuration. -
tagsis a comma-separated list of tag descriptions attached to the source, or-if none.