With the evolution of networking and the ever-growing demand for networks to be secure, resilient and scalable, security information and event management (SIEM) platforms have become increasingly critical for large enterprises in terms of security, compliance, and automation. With SD-WAN at the forefront of the WAN transformation and VMware SD-WAN by VeloCloud a leader in the space, we have seen an increasing number of customers ask us about how our solution can integrate with various SIEM products. In this blog post we’ll provide an overview of the VMware SD-WAN Orchestrator (VCO) API and demonstrate how you can use the API to retrieve SD-WAN network event logs and output them directly into Splunk to be consumed.
How the VMware SD-WAN Orchestrator API Works
VMware SD-WAN Orchestrator is the management plane of the VMware SD-WAN solution and is used primary for configuration change and management, network and user policy enforcement, and analytics and troubleshooting. After a user is logged into their respective tenant on the VMware SD-WAN Orchestrator, all user interface functionalities on the VMware SD-WAN Orchestrator are API calls. The VMware SD-WAN Orchestrator API Reference for Release 3.2.2 is available on VMware {code} here: https://code.vmware.com/apis/556/velocloud-sdwan-vco-api. This resource outlines the most common methods, their parameters, and sample responses. We also have a set of SDKs for Python and Java developers to interact with the API and these can be provided upon request.
Making a call to the SD-WAN Orchestrator API requires two simple steps:
- Authenticate with the SD-WAN Orchestrator and retrieve an authentication key–make a /login/operatorLogin or /login/enterpriseLogin call to the API with your username and password. A successful authentication request will result in the Orchestrator responding with a response cookie named “velocloud.session”, which can then be used to make subsequent API calls as the authentication key.
- Make the desired API call using the previously stored velocloud.session cookie as a request cookie–this is usually a POST request to call certain methods such as /event/getEnterpriseEvents. The appropriate parameters may be required in the body depending on the type of API call.
Custom Splunk App
Because Splunk is the market leader in the SIEM space and has been widely adopted in the enterprise market, we are using Splunk Enterprise as an example to show how you can use the SD-WAN Orchestrator API to consume the event logs as syslog in Splunk for monitoring and alerting purposes. We have developed a custom Splunk app based on the open source Rest API Modular Input (Python-based) from Splunkbase. This custom app will reside on your Splunk server and local data inputs can be created that specify the relevant SD-WAN Orchestrator and the corresponding username and password for authentication. The custom app will then run as a cron job and periodically call the API to pull incremental events from the Orchestrator and deliver them directly to Splunk.
The app first authenticates with the SD-WAN Orchestrator using the user-provided username and password. Upon successful authentication, the app will make an API call using the /event/getEnterpriseEvents method to pull events for the last 60 minutes. It then sorts the events based on event time and pushes only the unique and incremental events to Splunk to be ingested. Due to the sample code only retrieving events in the last 60 minutes by default, the polling interval for the data input must be less than 60 minutes to ensure all events are captured.
This video shows how the custom app is easily integrated and configured in Splunk’s enterprise version. Contact your VMware SD-WAN sales engineer to get your copy of the guide: “Guide: Retrieving SD-WAN Event Logs with Splunk App.”
Enjoy and we welcome future code samples from you!