How to Interact with the LogRhythm SOAP API using Ruby

I recently had the opportunity to interact with the LogRhythm SOAP API. LogRhythm is a SIEM/IDS solution that has components which run on both Windows and Linux. They provide an HTTP/SOAP interface which allows for interacting with the system via well-defined API calls. This API runs in Windows/IIS.

My goal was to use Ruby to interact with this API as part of a security data aggregation script I needed to execute. This article describes a couple of things which helped me on my way to success.

References

There really isn't a whole lot of information about the LogRhythm SOAP API on the internet. You have to have access to a paying customer's environment, and then LogRhythm can make the documentation available for you to use.


Preparing LogRhythm

Before you can use the SOAP API, you must:

  • Ensure it is installed and configured (a complex and overly difficult task)
  • Ensure you have been granted a user in the system which has API access rights

Preparing your Ruby environment

For your Ruby script to do anything with a WCF/SOAP API, it has to have a SOAP library available to it. I selected Savon since it seems to be modern and well supported.

The next thing to consider is authentication. If you will be using HTTP Basic Auth, you can continue without another dependency. If you need to use NTLM auth, you'll also need to install the rubyntlm gem, which Savon's ntlm option relies on. In my case the person who installed the API left it in 'basic' mode, so I didn't have to overly complicate things.


Connect to the API

For the purposes of this article, I am connecting to the AlarmService API which lets me read LogRhythm Alarms.

If you will be using HTTP basic authentication, use this URL (with your API server's hostname after https://):

https:///LogRhythm.API/Services/AlarmServiceBasicAuth.svc?singleWsdl


If you'll be using NTLM, you'll want to hit this one instead (again with your API server's hostname):

https:///LogRhythm.API/Services/AlarmServiceWindowsAuth.svc?singleWsdl


Important note: Be sure to hit singleWsdl rather than just wsdl. WCF's plain ?wsdl response pulls its XML schemas in through xsd:import references, which the Savon client does not follow, so it cannot learn the element namespaces it needs to build requests. ?singleWsdl returns the WSDL with all of its schemas inlined in one document, which is what Savon requires to create requests correctly.


Client connection code in Savon looks something like this:

require 'savon'

# For debugging the client, also pass these options:
#    log: true,
#    pretty_print_xml: true,
# (log_level only has an effect once log: true is set)
client = Savon.client(wsdl: "https://:/LogRhythm.API/Services/AlarmServiceBasicAuth.svc?singleWsdl",
                      # Turns off TLS certificate verification. Anyone who can intercept the
                      # connection can then read the API password; outside a lab, keep
                      # verification on and point ssl_ca_cert_file at your internal CA's PEM.
                      ssl_verify_mode: :none,
                      log_level: :debug,
                      # WCF "basic" mode expects the username/password as a WS-Security
                      # UsernameToken in the SOAP header, which is what wsse_auth sends.
                      wsse_auth: ["LogRhythmApiUserNameHere", "PasswordHere"]
                      )
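As an added example (this is not code from the article, and it is not LogRhythm's or Savon's own), here is a small builder for the option hash handed to Savon.client that encodes the points above: it picks the BasicAuth or WindowsAuth endpoint, always asks for ?singleWsdl, and verifies the IIS certificate against an internal CA bundle instead of setting ssl_verify_mode: :none. It assumes Savon 2.x option names (wsdl, wsse_auth, ntlm, ssl_ca_cert_file, ssl_verify_mode, log, pretty_print_xml, log_level); the hostname, port, environment variable names and file paths are placeholders, and the NTLM path needs the rubyntlm gem.

```ruby
# Added example, not from the original article. Builds the option hash passed to
# Savon.client so that endpoint, WSDL form and TLS settings are right by construction.
# Assumes Savon 2.x option names; NTLM additionally needs the rubyntlm gem.
require 'uri'

# Service file per authentication mode (both paths are from the article).
ALARM_SERVICE_FILES = {
  basic: 'AlarmServiceBasicAuth.svc',   # WS-Security UsernameToken over HTTPS
  ntlm:  'AlarmServiceWindowsAuth.svc'  # Windows (NTLM) authentication
}.freeze

# WSDL URL for the AlarmService. Always asks for ?singleWsdl: the plain ?wsdl
# references its schemas via xsd:import, which Savon does not follow.
def alarm_service_wsdl(host, auth: :basic, port: 443)
  file = ALARM_SERVICE_FILES.fetch(auth) { raise ArgumentError, "unknown auth mode #{auth.inspect}" }
  URI::HTTPS.build(host: host, port: port,
                   path: "/LogRhythm.API/Services/#{file}", query: 'singleWsdl').to_s
end

# Option hash for Savon.client. ca_file is the PEM bundle of the internal CA
# that issued the IIS certificate. insecure: true is the only way to get
# ssl_verify_mode: :none; it is meant for a throwaway lab, not the aggregation
# job, because it lets anyone on the path read the API password.
def logrhythm_savon_options(host:, user:, password:, auth: :basic, port: 443,
                            ca_file: nil, insecure: false, debug: false)
  raise ArgumentError, 'user and password are required' if user.to_s.empty? || password.to_s.empty?
  raise ArgumentError, 'ca_file and insecure are mutually exclusive' if ca_file && insecure

  opts = { wsdl: alarm_service_wsdl(host, auth: auth, port: port) }
  opts[:ssl_ca_cert_file] = ca_file if ca_file
  opts[:ssl_verify_mode] = :none if insecure   # otherwise Savon's default (verify the peer) applies

  case auth
  when :basic then opts[:wsse_auth] = [user, password] # WCF "basic": UserName token in the SOAP header
  when :ntlm  then opts[:ntlm]      = [user, password] # Savon's NTLM option (rubyntlm)
  end

  if debug
    opts[:log] = true
    opts[:pretty_print_xml] = true
    opts[:log_level] = :debug
  end
  opts
end

# Usage (needs the savon gem and a reachable API; not run here). Placeholder
# environment variable names and CA path:
#   client = Savon.client(logrhythm_savon_options(
#     host: ENV.fetch('LR_API_HOST'), user: ENV.fetch('LR_API_USER'),
#     password: ENV.fetch('LR_API_PASSWORD'),
#     ca_file: '/etc/ssl/certs/corp-internal-ca.pem'))
```

Keeping the credentials in environment variables (or a secrets store) rather than in the script matters here: the API user typically has read access to every alarm in the deployment, and the script ends up in version control.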


To issue a call to get the 'first page' of alarms:

require 'time'   # Time#iso8601 comes from the time library, not core Ruby

#
# Get a list of alarms
# NOTE: Be sure to use iso8601 date formatting! The API expects ISO 8601 timestamps.
from = Time.new(2016, 4, 26).iso8601
to = Time.new(2016, 5, 3).iso8601
# Savon converts the symbol keys to the lowerCamelCase element names the WSDL declares.
alarms_response = client.call(:get_first_page_alarms, message: {
  startDate: from,
  endDate: to,
  allUsers: true,
  maximumResultsPerPage: 1800
})

Note: There does not appear to be a restriction on the number of results returned on the 'first page', so if you don't want to page, you can just specify how many you want to pull back.


Gotchas

When I mentioned earlier that you must use the singleWsdl option, it was to save you troubleshooting time. If you don't use singleWsdl you will see improperly crafted SOAP XML requests, which the LogRhythm API answers with obnoxiously vague error messages. With log: true and pretty_print_xml: true set on the client you can see the request Savon sends; this is what a malformed request looks like:

  <env:Body>
    <tns:GetFirstPageAlarms>
      <startDate>2016-04-26T00:00:00-06:00</startDate>
      <endDate>2016-05-03T00:00:00-06:00</endDate>
      <allUsers>true</allUsers>
      <maximumResultsPerPage>1800</maximumResultsPerPage>
    </tns:GetFirstPageAlarms>
  </env:Body>


With the singleWsdl, Savon has enough context to know that the parameters belong to the service's namespace, and it creates this correct XML payload:

  <env:Body>
    <tns:GetFirstPageAlarms>
      <tns:startDate>2016-04-26T00:00:00-06:00</tns:startDate>
      <tns:endDate>2016-05-03T00:00:00-06:00</tns:endDate>
      <tns:allUsers>true</tns:allUsers>
      <tns:maximumResultsPerPage>1800</tns:maximumResultsPerPage>
    </tns:GetFirstPageAlarms>
  </env:Body>
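As an added example (not part of the original post, and not Savon's or LogRhythm's code), here is a check for the symptom just described. Given a SOAP envelope such as the one Savon prints with log: true and pretty_print_xml: true, it finds the operation element inside the Body and lists every parameter that does not carry the operation's namespace; an empty list means the request has the singleWsdl shape. It uses REXML because that ships with Ruby. The two bodies are constructed from the fragments above, wrapped in the env/tns envelope Savon emits; the tns URI is a placeholder, since the real target namespace comes from LogRhythm's WSDL.

```ruby
# Added example, not part of the original post. Detects the ?wsdl symptom: a
# SOAP Body whose operation parameters lack the operation's namespace.
require 'rexml/document'

# Names of the operation's parameters that are not in its namespace. An empty
# array means the body matches what the singleWsdl-based client produces.
def unqualified_parameters(envelope_xml)
  doc = REXML::Document.new(envelope_xml)
  raise ArgumentError, 'not an XML document' unless doc.root
  # Match Body by local name so a Header before it, or a different env prefix, does not matter.
  body = doc.root.elements.to_a.find { |e| e.name == 'Body' }
  raise ArgumentError, 'no SOAP Body element found' unless body
  operation = body.elements.to_a.first
  raise ArgumentError, 'SOAP Body is empty' unless operation
  # Element#namespace resolves the element's prefix (or the default namespace,
  # '' when none is declared) against the xmlns declarations in scope.
  operation.elements.to_a
           .reject { |param| param.namespace == operation.namespace }
           .map(&:name)
end

# Wraps a body fragment in the envelope Savon emits for SOAP 1.1. The tns URI
# is a placeholder; LogRhythm's real target namespace comes from the WSDL.
def soap_envelope(body_fragment)
  <<~XML
    <env:Envelope xmlns:env="http://schemas.xmlsoap.org/soap/envelope/"
                  xmlns:tns="http://example.invalid/logrhythm-alarmservice">
      <env:Body>
        #{body_fragment}
      </env:Body>
    </env:Envelope>
  XML
end

# Constructed from the two fragments in the article: what Savon builds from
# ?wsdl (parameters unqualified) and from ?singleWsdl (parameters qualified).
WSDL_ONLY_BODY = <<~XML
  <tns:GetFirstPageAlarms>
    <startDate>2016-04-26T00:00:00-06:00</startDate>
    <endDate>2016-05-03T00:00:00-06:00</endDate>
    <allUsers>true</allUsers>
    <maximumResultsPerPage>1800</maximumResultsPerPage>
  </tns:GetFirstPageAlarms>
XML

SINGLE_WSDL_BODY = <<~XML
  <tns:GetFirstPageAlarms>
    <tns:startDate>2016-04-26T00:00:00-06:00</tns:startDate>
    <tns:endDate>2016-05-03T00:00:00-06:00</tns:endDate>
    <tns:allUsers>true</tns:allUsers>
    <tns:maximumResultsPerPage>1800</tns:maximumResultsPerPage>
  </tns:GetFirstPageAlarms>
XML

if __FILE__ == $PROGRAM_NAME
  [['?wsdl', WSDL_ONLY_BODY], ['?singleWsdl', SINGLE_WSDL_BODY]].each do |label, body|
    bad = unqualified_parameters(soap_envelope(body))
    puts "#{label}: #{bad.empty? ? 'all parameters qualified' : "unqualified parameters: #{bad.join(', ')}"}"
  end
end
```

Run against a request captured from the Savon log, a non-empty result is a strong hint that the client was built from ?wsdl (or from a stale WSDL copy) before you start suspecting the credentials or the date format.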


With that, I am now able to interact with every LogRhythm SOAP API from Ruby.