OpenObserve API Usage Guide for Audit Log Management
1. 概述
1.1 目標
本文檔旨在詳細介紹 OpenObserve 的 API 使用方法,幫助用戶通過 API 實現日志管理功能,包括日志攝入、查詢、模糊匹配(類似 SQL 的 LIKE)、stream 管理等。文檔基于 test stream 的審計日志場景,解決之前遇到的模糊匹配問題。
1.2 OpenObserve API 簡介
OpenObserve 是一個開源的 observability 平臺,支持日志、指標和追蹤數據。API 是與 OpenObserve 交互的主要方式,支持以下功能:
- 日志攝入:通過 API 批量攝入日志數據。
- 日志查詢:支持 SQL-like 語法查詢日志,支持模糊匹配。
- Stream 管理:創建、更新、刪除 stream,以及管理 stream 設置(如
full_text_search_keys)。 - 用戶和組織管理:管理組織、用戶和權限。
- 告警和儀表盤:配置告警規則和創建儀表盤。
1.3 認證
OpenObserve API 使用 HTTP Basic Authentication,所有請求必須包含 Authorization 頭。認證信息是用戶 ID 和密碼的 Base64 編碼。
生成 Authorization 頭
- 用戶 ID:
admin@admin.com - 密碼:
admin - Base64 編碼:
echo -n "admin@admin.com:admin" | base64->YWRtaW5AYWRtaW4uY29tOmFkbWlu
示例
-H "Authorization: Basic YWRtaW5AYWRtaW4uY29tOmFkbWlu"
2. API 端點和使用方法
以下是 OpenObserve 的主要 API 端點及其使用方法,基于 OpenObserve 文檔。
2.1 日志攝入 API
端點
- POST
/api/{organization}/{stream}/_json
功能
批量攝入日志數據到指定 stream。OpenObserve 會根據數據自動推斷 schema。
請求
- Content-Type:
application/json - Body:JSON 數組,每個元素是一條日志記錄。
示例
攝入 3 條審計日志到 test stream:
curl -X POST \-H "Authorization: Basic YWRtaW5AYWRtaW4uY29tOmFkbWlu" \-H "Content-Type: application/json" \-d '[{"user": "test_user_create","path": "/test/path","category": "File Management","event": "Create Document","date": "2025-04-28 17:01:00","comment": "Created a new document","ip": "192.168.1.1"},{"user": "admin_user","path": "/admin/path","category": "User Management","event": "Update User","date": "2025-04-28 17:02:00","comment": "Updated user profile","ip": "192.168.1.2"},{"user": "create_team_lead","path": "/team/path","category": "Team Management","event": "Create Team","date": "2025-04-28 17:03:00","comment": "Created a new team","ip": "192.168.1.3"}]' \http://localhost:5080/api/default/test/_json
響應
{"code": 200,"status": [{"name": "test","successful": 3,"failed": 0}]
}
注意事項
- 如果
teststream 不存在,OpenObserve 會自動創建。 - 確保字段類型一致(例如
date應始終為字符串格式)。
2.2 日志查詢 API
端點
- POST
/api/{organization}/{stream}/_search
功能
使用 SQL-like 語法查詢日志,支持模糊匹配、聚合等操作。
請求
- Content-Type:
application/json - Body:
query.sql:SQL 查詢語句。query.start_time和query.end_time:查詢時間范圍(微秒)。from和size:分頁參數。
示例 1:基本查詢
查詢 test stream 的最新 10 條記錄:
curl -X POST \-H "Authorization: Basic YWRtaW5AYWRtaW4uY29tOmFkbWlu" \-H "Content-Type: application/json" \-d '{"query": {"sql": "SELECT * FROM test","start_time": 0,"end_time": 999999999999999,"from": 0,"size": 10}}' \http://localhost:5080/api/default/test/_search
響應
{"took": 10,"hits": {"total": 3,"hits": [{"user": "test_user_create","path": "/test/path","category": "File Management","event": "Create Document","date": "2025-04-28 17:01:00","comment": "Created a new document","ip": "192.168.1.1"},{"user": "admin_user","path": "/admin/path","category": "User Management","event": "Update User","date": "2025-04-28 17:02:00","comment": "Updated user profile","ip": "192.168.1.2"},{"user": "create_team_lead","path": "/team/path","category": "Team Management","event": "Create Team","date": "2025-04-28 17:03:00","comment": "Created a new team","ip": "192.168.1.3"}]}
}
示例 2:模糊匹配查詢
使用 str_match 實現模糊匹配(類似 LIKE '%create%'),查找 user 字段包含 “create” 的記錄:
curl -X POST \-H "Authorization: Basic YWRtaW5AYWRtaW4uY29tOmFkbWlu" \-H "Content-Type: application/json" \-d '{"query": {"sql": "SELECT * FROM test WHERE str_match(user, '\''create'\'')","start_time": 0,"end_time": 999999999999999,"from": 0,"size": 10}}' \http://localhost:5080/api/default/test/_search
響應
{"took": 10,"hits": {"total": 2,"hits": [{"user": "test_user_create","path": "/test/path","category": "File Management","event": "Create Document","date": "2025-04-28 17:01:00","comment": "Created a new document","ip": "192.168.1.1"},{"user": "create_team_lead","path": "/team/path","category": "Team Management","event": "Create Team","date": "2025-04-28 17:03:00","comment": "Created a new team","ip": "192.168.1.3"}]}
}
示例 3:全局全文搜索
使用 match_all 在所有字段中查找 “create”:
curl -X POST \-H "Authorization: Basic YWRtaW5AYWRmiW4uY29tOmFkbWlu" \-H "Content-Type: application/json" \-d '{"query": {"sql": "SELECT * FROM test WHERE match_all('\''create'\'')","start_time": 0,"end_time": 999999999999999,"from": 0,"size": 10}}' \http://localhost:5080/api/default/test/_search
響應
{"took": 10,"hits": {"total": 3,"hits": [{"user": "test_user_create","path": "/test/path","category": "File Management","event": "Create Document","date": "2025-04-28 17:01:00","comment": "Created a new document","ip": "192.168.1.1"},{"user": "admin_user","path": "/admin/path","category": "User Management","event": "Update User","date": "2025-04-28 17:02:00","comment": "Updated user profile","ip": "192.168.1.2"},{"user": "create_team_lead","path": "/team/path","category": "Team Management","event": "Create Team","date": "2025-04-28 17:03:00","comment": "Created a new team","ip": "192.168.1.3"}]}
}
注意事項
str_match不需要字段在full_text_search_keys中,但如果啟用全文搜索,查詢效率可能更高。match_all依賴full_text_search_keys,否則可能無法匹配。
2.3 Stream 管理 API
端點 1:列出所有 Streams
- GET
/api/{organization}/streams
功能
列出組織中的所有 stream,包括 schema 和設置。
示例
curl -X GET \-H "Authorization: Basic YWRtaW5AYWRtaW4uY29tOmFkbWlu" \http://localhost:5080/api/default/streams
響應
[{"name": "test","storage_type": "disk","stream_type": "logs","stats": {"doc_num": 3,"storage_size": 0.0003},"schema": [{"name": "_timestamp", "type": "Int64"},{"name": "category", "type": "Utf8"},{"name": "comment", "type": "Utf8"},{"name": "date", "type": "Utf8"},{"name": "event", "type": "Utf8"},{"name": "ip", "type": "Utf8"},{"name": "path", "type": "Utf8"},{"name": "user", "type": "Utf8"}],"settings": {"full_text_search_keys": [],"data_retention": 0}}
]
端點 2:更新 Stream 設置
- PUT
/api/{organization}/streams/{stream}/settings
功能
更新 stream 的設置,例如 full_text_search_keys。
示例
嘗試啟用 user 字段的全文搜索:
curl -X PUT \-H "Authorization: Basic YWRtaW5AYWRtaW4uY29tOmFkbWlu" \-H "Content-Type: application/json" \-d '{"full_text_search_keys": ["user"]}' \http://localhost:5080/api/default/streams/test/settings
響應
{"code": 200,"message": "Settings updated successfully for stream test"
}
注意事項
- 之前嘗試更新
full_text_search_keys失敗(Json deserialize error),建議通過 UI 手動設置,或者聯系 OpenObserve 社區解決。
端點 3:刪除 Stream
- DELETE
/api/{organization}/streams/{stream}
功能
刪除指定 stream 及其數據。
示例
curl -X DELETE \-H "Authorization: Basic YWRtaW5AYWRtaW4uY29tOmFkbWlu" \http://localhost:5080/api/default/streams/test
響應
{"code": 200,"message": "Stream test deleted successfully"
}
2.4 告警 API
端點
- POST
/api/{organization}/alerts
功能
創建告警規則,例如當 event 字段包含 “Error” 時觸發告警。
示例
創建告警,當 event 包含 “Error” 時觸發:
curl -X POST \-H "Authorization: Basic YWRtaW5AYWRtaW4uY29tOmFkbWlu" \-H "Content-Type: application/json" \-d '{"name": "error_alert","stream": "test","query": "SELECT * FROM test WHERE str_match(event, '\''Error'\'')","condition": "num > 0","threshold": 1,"frequency": "5m","destination": "email","email": "admin@example.com"}' \http://localhost:5080/api/default/alerts
響應
{"code": 200,"message": "Alert created successfully"
}
3. 總結
OpenObserve 的 API 提供了強大的日志管理功能,支持攝入、查詢、模糊匹配和 stream 管理。通過 str_match 可以實現類似 LIKE 的模糊匹配,滿足審計日志場景的需求。建議進一步優化 full_text_search_keys 設置,并關注 OpenObserve 的版本更新以獲取更多功能支持(如 REGEXP 或 LIKE)。
在細胞器相互作用中的應用)
![[C語言]猜數字游戲](http://pic.xiahunao.cn/[C語言]猜數字游戲)
