OVH Guide

Using tokens to query Logs Data Platform

If you want to give access to your logs to a software or automatize some tasks depending on your logs. You will maybe need to access them through the API. The most secure way to do this is to use tokens.

With Logs Data Platform, there are 3 ways to query your logs.

So you can pop up a Kibana or a Grafana or even a terminal Dashboard for Graylog. All these accesses are secured by your username and password. But what if you don't want to put your Logs Data Platform credentials everywhere? You can just use tokens to access all these endpoints and revoke them anytime you want. This tutorial is here to tell you how.

Generating tokens using the manager

Once you have logged into Logs Data Platform you will have to access to the token Generation panel located at the top right in the user menu.

Token Menu

On this menu you will have the possibility to create a token and to remove them. Note that you cannot modify a token.

token generation

Once the token is created, you can use its value and remove it:

token generated

Generating tokens with API

One goal with token is to automatize APIs call. Sometime you even need to automatize token creation. That's why it is possible to create token by using only the OVH APIs. If you're familiar with the OVH API, it should be fairly straightforward, if you're not, this section will help you with it. Generating tokens is two API calls away. You can use the OVH API console to make theses calls.

First you will have to retrieve the serviceName you want to generate token for. The API call to get your serviceName is the following:

Endpoint:
About:

List available services.

If you want to know what is the Logs Data Platform username associated with this serviceName, use the following call:

Endpoint:
About:

Return the service object of connected identity.

Parameters:
serviceName *

The internal ID of your Logs Data Platform service (string)

Once you have the login you want, use:

Endpoint:
About:

Add a new token.

Parameters:
serviceName *

The internal ID of your Logs Data Platform service (string)

name *

The name of your token (string)

Please replace serviceName with your serviceName, and replace name by the name of your choice for your token. This call will give you a taskId. After a few seconds you can retrieve your tokenId with this call:

Endpoint:
About:

Return the list of service tokens.

Parameters:
serviceName *

The internal ID of your Logs Data Platform service (string)

This will give you back the id of your token. The actual value of the token can be retrieved with:

Endpoint:
About:

Return the specified token.

Parameters:
serviceName *

The internal ID of your Logs Data Platform service (string)

tokenId *

UUID of your token (string)

Here is the final response you will get.

{
    "updatedAt": "2016-12-01T12:30:26.566986+00:00",
    "createdAt": "2016-12-01T12:30:26.566939+00:00",
    "value": "kujg9g227qv0123mav3s0q4pra4psqsi5leka6j7lc62qdef58q",
    "name": "token_name",
    "tokenId": "XXXXXXXXXXXXXXXXXXXXXXXXXXX"
}

The token value is the value field. That is the field you will need to use the Logs Data Platform Search APIs.

Finally to delete your token, use the following call:

Endpoint:
About:

Delete the specified token.

Parameters:
serviceName *

The internal ID of your Logs Data Platform service (string)

tokenId *

UUID of your token (string)

Using your tokens

Using your token is no different of using your credentials. You just have to replace your username with your token and your password with the word token. For example to issue a search against the Graylog API with the token obtained above, you can do the following:

$ curl -u kujg9g227qv0123mav3s0q4pra4psqsi5leka6j7lc62qdef58q:token -XGET https://<your_cluster>.logs.ovh.com/api/search/universal/relative?query=*&range=2592000&filter=streams:a123aebc12345623aafd

Note that you have to replace the stream value in the filter parameter by the Id of your stream.

To issue a search against the Elasticsearch API, you also use the same credentials.

$ curl -u kujg9g227qv0123mav3s0q4pra4psqsi5leka6j7lc62qdef58q:token https://<your_cluster>.logs.ovh.com:9200/my_alias/_search

This call will launch a quick search (to retrieve the count and a sample of your documents) against the alias my_alias. Replace the alias by the alias you have setup in you Logs Data Platform console. Note that these credentials are usable in place of your account credentials in Kibana and Grafana (or any tool that support Basic Authentication with Elasticsearch).

The only place you cannot use your token is the Graylog Web Interface.


Getting Help