Authentication


Username & API Key:
Your API key is stored in <secthemall-path>/inc/apikey. Assuming your SECTHEMALL working directory is /opt/secthemall, you can read it into the request with the following syntax. Keep that file readable only by the account that runs the client, and be aware that a key expanded onto the command line, as the `cat` substitution below does, is visible to other local users in the process list for as long as curl runs.

curl "https://secthemall.com/api/v1/" \
-d "username=you@example.com" \
-d "apikey=`cat /opt/secthemall/inc/apikey`" \
...

Client Time Zone:
It is important to pass the time zone (tz parameter) you selected during registration: it is mandatory for every API function and must be one of the identifiers in this list: http://php.net/manual/en/timezones.php

curl "https://secthemall.com/api/v1/" \
-d "username=you@example.com" \
-d "apikey=`cat /opt/secthemall/inc/apikey`" \
-d "tz=Europe/Rome" \
...

Get Logs


Get Logs:
To get logs from your account (JSON encoded), set the a parameter to getlogs. The example below also restricts the result to SSH logs through the f[type] filter parameter:

curl "https://secthemall.com/api/v1/" \
-d "username=you@example.com" \
-d "apikey=`cat /opt/secthemall/inc/apikey`" \
-d "tz=Europe/Rome" \
-d "a=getlogs" \
-d "f[type]=SSH"

Filters:
The search and size parameters filter the logs you get back: search takes a query in the syntax described below, size caps the number of returned entries. For example, to get failed SSH authentications from Chinese IP addresses you can use search=ssh AND failed AND geo.countryname:china. The request below returns the first 10 logs matching ssh AND failed. With curl -d the space has to be written as + (decoded to a space server-side); alternatively let curl encode the value for you with --data-urlencode 'search=ssh AND failed'.

curl "https://secthemall.com/api/v1/" \
-d "username=you@example.com" \
-d "apikey=`cat /opt/secthemall/inc/apikey`" \
-d "tz=Europe/Rome" \
-d "a=getlogs" \
-d "search=ssh+AND+failed" \
-d "size=10"

Search syntax:
The search parameter accepts bare terms (such as ssh) and field:value terms, combined with the operators AND, OR and NOT; parentheses group sub-expressions. For example, the first query below selects SSH logs from Chinese addresses, the second excludes logins aimed at either the root or the admin account:
ssh AND geo.countryname:china
ssh AND NOT (duser:root OR duser:admin)

Filter           Description                                             Example
raw              Raw log message                                         raw:ssh
type             Log type: HTTP, CEF, SSH, iptables, netstat, fail2ban   type:SSH
geo.countryname  Country name of the source IP                           geo.countryname:china
ip               IP address (v4 or v6)                                   ip:8.8.8.8
alias            Node alias / server name                                alias:my-web-server
severity         Severity: low, medium, high, critical                   severity:high

Inside search a field is written field:value, as in the examples above; the first getlogs example instead passes the type filter as a separate request parameter (f[type]=SSH).

Time span:
You can restrict a query to a single day with the day parameter. It accepts an absolute date or a relative expression, in any of the following forms:

day=01 January 2017
day=now
day=-1 day
day=-1 week
day=-1 week 2 days
day=last Monday
For example:

curl "https://secthemall.com/api/v1/" \
-d "username=you@example.com" \
-d "apikey=`cat /opt/secthemall/inc/apikey`" \
-d "tz=Europe/Rome" \
-d "a=getlogs" \
-d "search=type:SSH" \
-d "day=-1 day"
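
The authentication, getlogs, search and day parameters described above, assembled by a small Python client. This is an added example, not code from the SECTHEMALL project: only the endpoint, the parameter names (username, apikey, tz, a, search, day, size, f[<field>]) and the key file path come from this page; the function names and the redact() helper are this example's own. Python is used rather than the page's curl and PHP because it lets the request body be built and inspected without a network connection; post() is the only function that contacts the service.

```python
"""Added example (not SECTHEMALL project code): build and send a getlogs request.

Only the endpoint, the parameter names and the key file location come from the
API documentation; the helper names here are this example's own.
"""
from __future__ import annotations

import json
import urllib.parse
import urllib.request
from pathlib import Path

API_URL = "https://secthemall.com/api/v1/"
APIKEY_FILE = "/opt/secthemall/inc/apikey"  # <secthemall-path>/inc/apikey


def read_apikey(path: str = APIKEY_FILE) -> str:
    """Read the key the way the curl examples do with `cat`, minus the trailing newline."""
    return Path(path).read_text(encoding="utf-8").strip()


def getlogs_params(username: str, apikey: str, tz: str, *, search: str | None = None,
                   day: str | None = None, size: int | None = None,
                   filters: dict[str, str] | None = None) -> dict[str, str]:
    """Assemble the form fields for a=getlogs.

    tz is mandatory for every API call, so it is a required argument here.
    `filters` becomes f[<field>]=<value> fields, mirroring -d "f[type]=SSH".
    """
    if not tz:
        raise ValueError("tz is mandatory for all API functions")
    params = {"username": username, "apikey": apikey, "tz": tz, "a": "getlogs"}
    if search:
        params["search"] = search
    if day:
        params["day"] = day
    if size is not None:
        if size <= 0:
            raise ValueError("size must be a positive integer")
        params["size"] = str(size)
    for field, value in (filters or {}).items():
        params[f"f[{field}]"] = value
    return params


def encode_body(params: dict[str, str]) -> bytes:
    """application/x-www-form-urlencoded body. urlencode() takes care of the spaces
    in 'ssh AND failed' or '-1 week 2 days' and of ':' and '/', which the curl
    examples either write as '+' or rely on the server to tolerate raw."""
    return urllib.parse.urlencode(params).encode("ascii")


def redact(params: dict[str, str]) -> dict[str, str]:
    """Copy of the parameters that is safe to log or print: never write the key to a log."""
    return {k: ("***" if k == "apikey" else v) for k, v in params.items()}


def post(params: dict[str, str], timeout: float = 10.0):
    """Send the request and decode the JSON response (this performs the network call)."""
    req = urllib.request.Request(API_URL, data=encode_body(params), method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Equivalent of the last curl example above: up to 10 SSH logs from yesterday.
    params = getlogs_params("you@example.com", read_apikey(), "Europe/Rome",
                            search="type:SSH", day="-1 day", size=10)
    print(redact(params))
    print(json.dumps(post(params), indent=2))
```

encode_body() is the Python counterpart of curl's --data-urlencode: every value is percent-encoded, so a search expression or a relative day string can be passed exactly as you would type it in the web interface.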


Global Blacklist


Show blacklisted IP:
To list all blacklisted IPv4 and IPv6 addresses for each alias, set the a parameter to gblshow. For example:

curl "https://secthemall.com/api/v1/" \
-d "username=you@example.com" \
-d "apikey=`cat /opt/secthemall/inc/apikey`" \
-d "tz=Europe/Rome" \
-d "a=gblshow"

Add IP to Global Blacklist:
To put an IPv4 or IPv6 address in the blacklist, set the a parameter to gbl, action to add and ip to the address you want to block. You can also send the expire parameter, the number of minutes after which the IP is removed from the blacklist again. Prefer a finite expire for automated bans, so that a misattributed address (a shared NAT, for instance) does not stay blocked indefinitely. For example:

curl "https://secthemall.com/api/v1/" \
-d "username=you@example.com" \
-d "apikey=`cat /opt/secthemall/inc/apikey`" \
-d "tz=Europe/Rome" \
-d "a=gbl" \
-d "action=add" \
-d "ip=8.8.8.8"

Remove IP from Global Blacklist:
To remove an IPv4 or IPv6 address from the blacklist, set the a parameter to gbl, action to del and ip to the address you want to remove. For example:

curl "https://secthemall.com/api/v1/" \
-d "username=you@example.com" \
-d "apikey=`cat /opt/secthemall/inc/apikey`" \
-d "tz=Europe/Rome" \
-d "a=gbl" \
-d "action=del" \
-d "ip=8.8.8.8"


Global Whitelist


Show whitelisted IP:
To list all whitelisted IPv4 and IPv6 addresses for each alias, set the a parameter to gwlshow. For example:

curl "https://secthemall.com/api/v1/" \
-d "username=you@example.com" \
-d "apikey=`cat /opt/secthemall/inc/apikey`" \
-d "tz=Europe/Rome" \
-d "a=gwlshow"

Add IP to Global Whitelist:
To put an IPv4 or IPv6 address in the whitelist, set the a parameter to gwl, action to add and ip to the address you want to whitelist. For example:

curl "https://secthemall.com/api/v1/" \
-d "username=you@example.com" \
-d "apikey=`cat /opt/secthemall/inc/apikey`" \
-d "tz=Europe/Rome" \
-d "a=gwl" \
-d "action=add" \
-d "ip=8.8.8.8"

Remove IP from Global Whitelist:
To remove an IPv4 or IPv6 address from the whitelist, set the a parameter to gwl, action to del and ip to the address you want to remove. For example:

curl "https://secthemall.com/api/v1/" \
-d "username=you@example.com" \
-d "apikey=`cat /opt/secthemall/inc/apikey`" \
-d "tz=Europe/Rome" \
-d "a=gwl" \
-d "action=del" \
-d "ip=8.8.8.8"
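
The Global Blacklist and Global Whitelist calls above, wrapped with the checks a practitioner would want before automating them. This is an added example, not SECTHEMALL project code: the a, action, ip and expire parameter names come from this page, while the reserved-range policy, the whitelist/duplicate check and the helper names are this example's own assumptions (the page does not say how the service treats private or malformed addresses, so they are filtered out client-side). The sample addresses are constructed from documentation ranges.

```python
"""Added example (not SECTHEMALL project code): client-side guard rails for the
global blacklist / whitelist calls (a=gbl|gwl, action=add|del, ip=..., expire=...).

Parameter names come from the API documentation; the reserved-address policy is
this example's own and is applied before anything is sent.
"""
from __future__ import annotations

import ipaddress
import json
import urllib.parse
import urllib.request

API_URL = "https://secthemall.com/api/v1/"

# Ranges that can only identify your own hosts: never push them to a shared blacklist.
NEVER_BLACKLIST = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "::1/128",                           # loopback
    "169.254.0.0/16", "fe80::/10",                      # link-local
    "fc00::/7",                                         # IPv6 unique local
    "0.0.0.0/8", "::/128",                              # "this network" / unspecified
)]


def normalise_ip(value: str) -> str:
    """Accept only IPv4/IPv6 literals and return the canonical text form, so that
    '2001:0db8::0001' and '2001:db8::1' are recognised as the same entry."""
    return str(ipaddress.ip_address(value.strip()))


def is_reserved(ip: str) -> bool:
    """True if the address falls in one of the NEVER_BLACKLIST ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in NEVER_BLACKLIST)


def list_params(username: str, apikey: str, tz: str, which: str, action: str,
                ip: str, expire: int | None = None) -> dict[str, str]:
    """Form fields for one blacklist/whitelist change.
    which: 'gbl' (blacklist) or 'gwl' (whitelist); action: 'add' or 'del';
    expire: minutes until automatic removal (documented for blacklist adds only)."""
    if which not in ("gbl", "gwl"):
        raise ValueError("which must be 'gbl' or 'gwl'")
    if action not in ("add", "del"):
        raise ValueError("action must be 'add' or 'del'")
    params = {"username": username, "apikey": apikey, "tz": tz,
              "a": which, "action": action, "ip": normalise_ip(ip)}
    if expire is not None:
        if which != "gbl" or action != "add":
            raise ValueError("expire only applies when adding to the blacklist")
        if expire <= 0:
            raise ValueError("expire must be a positive number of minutes")
        params["expire"] = str(expire)
    return params


def plan_blacklist_adds(candidates: list[str], whitelist: list[str]
                        ) -> tuple[list[str], list[tuple[str, str]]]:
    """Decide which candidate addresses (e.g. collected from fail2ban or SSH logs)
    may be added to the global blacklist. Returns (to_add, skipped_with_reason)."""
    protected = {normalise_ip(w) for w in whitelist}
    to_add: list[str] = []
    skipped: list[tuple[str, str]] = []
    for raw in candidates:
        try:
            ip = normalise_ip(raw)
        except ValueError:
            skipped.append((raw, "not an IP address"))
            continue
        if ip in protected:
            skipped.append((raw, "whitelisted"))
        elif is_reserved(ip):
            skipped.append((raw, "reserved/private range"))
        elif ip in to_add:
            skipped.append((raw, "duplicate"))
        else:
            to_add.append(ip)
    return to_add, skipped


def post(params: dict[str, str], timeout: float = 10.0):
    """Send one change and decode the JSON reply (this performs the network call)."""
    body = urllib.parse.urlencode(params).encode("ascii")
    req = urllib.request.Request(API_URL, data=body, method="POST")
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return json.load(resp)


if __name__ == "__main__":
    # Constructed sample input: documentation-range addresses standing in for attacker IPs.
    seen = ["203.0.113.7", "10.0.0.5", "2001:0db8::0001", "2001:db8::1", "fe80::1",
            "198.51.100.9", "not-an-ip"]
    to_add, skipped = plan_blacklist_adds(seen, whitelist=["198.51.100.9"])
    print("skipped:", skipped)
    for ip in to_add:   # 24-hour ban on each surviving address
        print(json.dumps(post(list_params("you@example.com", "<apikey>", "Europe/Rome",
                                          "gbl", "add", ip, expire=24 * 60)), indent=2))
```

plan_blacklist_adds() is where a ban pipeline should spend its caution: an address that is already on your whitelist, or that belongs to a range only your own infrastructure can use, must never reach a=gbl with action=add, whatever the log says.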


Examples


PHP using cURL functions:
This example uses the PHP cURL functions; see the official PHP documentation: http://php.net/manual/en/book.curl.php

<?php

$postparams = [
	'username' => 'you@example.com',
	'apikey'   => 'abcdef123456789',   // or: trim( file_get_contents( '/opt/secthemall/inc/apikey' ) )
	'tz'       => 'Europe/Rome',
	'a'        => 'getlogs',
	'search'   => 'ssh',
];

$curlopt = [
	CURLOPT_POST           => 1,
	CURLOPT_HEADER         => 0,
	CURLOPT_URL            => "https://secthemall.com/api/v1/",
	CURLOPT_FRESH_CONNECT  => 1,
	CURLOPT_RETURNTRANSFER => 1,
	CURLOPT_FORBID_REUSE   => 1,
	CURLOPT_TIMEOUT        => 4,
	// http_build_query() URL-encodes every value, so spaces in search or day are safe
	CURLOPT_POSTFIELDS     => http_build_query( $postparams )
];

$ch = curl_init();
curl_setopt_array( $ch , $curlopt );
$result = curl_exec( $ch );

if ( $result === false ) {
	// transport-level failure (DNS, TLS, timeout): curl_exec() returns false, not a JSON string
	fwrite( STDERR , 'curl error: ' . curl_error( $ch ) . PHP_EOL );
	curl_close( $ch );
	exit( 1 );
}
curl_close( $ch );

$logs = json_decode( $result , true );
if ( $logs === null ) {
	fwrite( STDERR , 'invalid JSON in response: ' . json_last_error_msg() . PHP_EOL );
	exit( 1 );
}

print_r( $logs );

?>

PHP using exec() function:
This example shells out to the curl binary through PHP's exec() function; see the official documentation: http://php.net/manual/en/book.exec.php. Anything interpolated into the command line must be passed through escapeshellarg(), and the API key ends up on the command line where other local users can read it from the process list, so prefer the cURL-function version where possible.

<?php

// escapeshellarg() turns the whole body into one safely quoted argument, so a value
// containing spaces, quotes or shell metacharacters cannot break out of the command
$param = escapeshellarg(
	'username=you@example.com'.
	'&apikey=abcdef1234567890'.
	'&tz=Europe/Rome'.
	'&a=getlogs'.
	'&search=ssh'
);

$res = [];   // exec() appends one element per output line

exec( 'curl -sS -d '.$param.' "https://secthemall.com/api/v1/"' , $res , $rc );

if ( $rc !== 0 ) {
	// non-zero exit status: connection or TLS error, reported by curl on stderr
	fwrite( STDERR , 'curl exited with status '.$rc.PHP_EOL );
	exit( 1 );
}

$curloutput = implode( '' , $res );

$logs = json_decode( $curloutput , true );

print_r( $logs );

?>