Capture API Calls

Graylog API Security captures API calls from network sniffers, API gateways, and API microservices, in any combination. In this article, we provide details for options you can use to capture API calls to your API Security database.

Prepare for API Capture

Each API Security cluster has a capture URL for receiving incoming API calls. This URL is different from the URL used to connect to the database.

Run this script to get your capture URL:

CAPTURE_URL="https://$(kubectl get svc resurface-kubernetes-ingress --namespace resurface --template '{{ (index .status.loadBalancer.ingress 0).ip }}')/fluke/message"; echo "$CAPTURE_URL"

API Security accepts API calls in JSON format from practically any source, including curl. Before configuring sniffers or other data sources, you can verify that your database is able to receive API calls over the network with a simple "hello world" test.

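Here is an example of using curl to capture a single API call. The -k option tells curl to skip TLS certificate verification, so the connection is encrypted but the server's identity is not checked: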

curl -k -X POST -H "Content-type: application/json" --data '[["request_method","GET"],["request_url", "http://myurl"],["response_code","200"]]' "$CAPTURE_URL"
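
The same "hello world" test as a Python script, added here as an example and not taken from the original article or from Graylog's own code: it builds the message with proper JSON escaping and posts it with TLS certificate verification left on. The function names, the sanity checks, and the CAPTURE_CA_FILE variable are assumptions of this example, and it assumes the ingress certificate is valid for the address in CAPTURE_URL.

```python
import json
import os
import ssl
import urllib.request


def build_message(method, url, code):
    """Return the JSON body for one call: a list of [key, value] string pairs."""
    # Sanity checks chosen for this example, not rules stated by the product.
    if not method.isalpha():
        raise ValueError("request_method must be alphabetic, e.g. GET")
    if not url.startswith(("http://", "https://")):
        raise ValueError("request_url must be an absolute http(s) URL")
    if not (isinstance(code, int) and 100 <= code <= 599):
        raise ValueError("response_code must be an HTTP status 100-599")
    pairs = [
        ["request_method", method.upper()],
        ["request_url", url],
        ["response_code", str(code)],  # sent as a string, as in the curl example
    ]
    return json.dumps(pairs)  # json.dumps escapes quotes and control characters


def send_message(capture_url, body, ca_file=None):
    """POST the message with certificate verification on; return the HTTP status."""
    # Default context verifies the chain and the host name (curl -k does neither).
    ctx = ssl.create_default_context(cafile=ca_file)
    req = urllib.request.Request(
        capture_url,
        data=body.encode("utf-8"),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, context=ctx, timeout=10) as resp:
        return resp.status


if __name__ == "__main__":
    body = build_message("GET", "http://myurl", 200)
    print(body)
    url = os.environ.get("CAPTURE_URL")  # set by the script shown earlier
    if url:
        # CAPTURE_CA_FILE (hypothetical name): PEM file with the ingress CA.
        status = send_message(url, body, os.environ.get("CAPTURE_CA_FILE"))
        print("HTTP status:", status)
```

A certificate error from this script means the ingress certificate is not trusted by the CA file or does not match the address in CAPTURE_URL, which is the condition that -k hides in the curl test.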

Use Insomnia Plugin

Another way to test your initial API Security configuration is to use Insomnia, an open source tool for designing, building, and testing APIs. Using an Insomnia plugin is an easy way to capture traffic from any API using Insomnia as the client. This method lets you see real API calls without having to install anything in your production environment.

For more information about using this tool, see the Insomnia website.

Capture on Kubernetes

API Security can deploy a network sniffer to every node in your Kubernetes cluster by using a DaemonSet. This feature allows you to capture API calls without needing to modify each pod and without impacting runtime performance. The sniffer discovery feature automatically captures all API traffic as services start and stop within the cluster.

Note that this method captures only HTTP traffic, not HTTPS encrypted traffic.

The sniffer DaemonSet is disabled by default, but you can enable it with a simple Helm command:

helm upgrade resurface resurfaceio/resurface --namespace resurface --set sniffer.enabled=true --set sniffer.discovery.enabled=true --reuse-values

Capture on Virtual and Physical Networks

API Security provides a containerized packet sniffer that can run as a standalone application or alongside your applications as a sidecar. This sniffer captures HTTP traffic directly from network devices available to the host machine without impacting runtime performance.

Note that this sniffer captures only HTTP traffic, not HTTPS encrypted traffic.

The sniffer sidecar works for Amazon Elastic Container Service (ECS), Azure Container Instances (ACI), Docker Compose, and VMware virtual switches.

VPC Mirroring

VPC mirroring, as supported by Amazon Virtual Private Cloud (VPC), copies network traffic from EC2 instances to monitoring platforms like API Security. Mirroring allows a high volume of API traffic to be delivered to an API Security network sniffer that captures the API calls. Traffic monitoring doesn't require changes to any existing APIs, and doesn't negatively impact API performance.

Tyk API Gateway

For APIs fronted by a Tyk API Gateway, you can capture API calls to API Security through the Tyk Pump. Using the Tyk Pump does not slow down calls made through the Tyk API Gateway.

IBM API Connect

If you use IBM API Connect for API development or management in your environment, you can integrate with API Security for API capture. This agentless integration captures API traffic with no performance impact.

Azure API Management

For APIs fronted by Azure API Management, you can capture API calls to your Graylog API Security database through Event Hub integration. This method doesn't require any changes to your existing APIs, just minor changes to your API Management configuration.

Logger Libraries

Graylog API Security includes open-source logging libraries, available through GitHub with Apache2 licensing and minimal dependencies, that you can integrate into your applications. These libraries include prebuilt middleware for many popular frameworks, so you can be logging API calls in just a few minutes.

Visit the links below to see what libraries are available: