LightOS Log Configuration API v2

API for managing log collection targets, sources, and TLS bundles.

Authentication

Fields

Key	In
Authorization	Header

Observability Service

Log Collector Operations

GET

/api/v2/logs/collectors

GET

/api/v2/logs/collectors/{id}

List log collectors.

Return the last-known heartbeat and pipeline health state of all log collectors (Alloy instances). Note that log streaming is a tech preview.

Auth

GET /api/v2/logs/collectors

 
curl --get \ --url 'https://documentation.lightbitslabs.com/api/v2/logs/collectors' \ --header 'Authorization: {Authorization}'
Copy

Responses application/json

200

A successful response.

object	object
collectors	array[object]
id	string
lastSeen	string
alloyStatus	string	Enum: `ALLOY_UNSPECIFIED`,`ALLOY_ONLINE`,`ALLOY_STALE`,`ALLOY_OFFLINE` Default: ALLOY_UNSPECIFIED
configHash	string
remotecfgStatus	string	Enum: `REMOTECFG_UNSPECIFIED`,`REMOTECFG_UP`,`REMOTECFG_DOWN` Default: REMOTECFG_UNSPECIFIED
pipelineHealth	string	─── Collectors ────────────────────────────────────────────────────────────── PipelineHealth is the runtime health of the logging pipeline on one Alloy agent, derived by polling the Alloy HTTP API on a configurable cadence. DEGRADED covers component errors and runtime failures for a SUBSET of targets. ERROR means ALL configured exporters have active failures. UNKNOWN means the Alloy HTTP API was unreachable. UNSPECIFIED: never polled or address not yet known HEALTHY: all components healthy, no metric failures DEGRADED: unhealthy component, or some (not all) exporters failing UNKNOWN: Alloy HTTP API unreachable ERROR: all configured exporters are failing — no logs leaving the host Enum: `UNSPECIFIED`,`HEALTHY`,`DEGRADED`,`UNKNOWN`,`ERROR` Default: UNSPECIFIED
unhealthyComponents	array[object]
localId	string
name	string
state	string
message	string
updatedTime	string
pipelineCheckedAt	string
pipelineError	string
exporterSendFailedDelta	string
lokiDroppedEntriesDelta	string
failingExporters	array[string]
totalExporters	int32
exporterSendFailedTotal	string
exporterQueueSize	string

401

Unauthorized: authentication failed.

403

Permission denied.

500

Internal Lightbits error.

default

An unexpected error response.

Response

 
{ "collectors": [  {   "id": "{string}",   "lastSeen": "{string}",   "alloyStatus": "{string}",   "configHash": "{string}",   "remotecfgStatus": "{string}",   "pipelineHealth": "{string}",   "unhealthyComponents": [    {     "localId": "{string}",     "name": "{string}",     "state": "{string}",     "message": "{string}",     "updatedTime": "{string}"    }   ],   "pipelineCheckedAt": "{string}",   "pipelineError": "{string}",   "exporterSendFailedDelta": "{string}",   "lokiDroppedEntriesDelta": "{string}",   "failingExporters": [    "{array[string]...}"   ],   "totalExporters": "{int32}",   "exporterSendFailedTotal": "{string}",   "exporterQueueSize": "{string}"  } ]}
Copy

Get log collector.

Return the last-known heartbeat and pipeline health state for a single log collector (Alloy instance). Note that log streaming is a tech preview.

Auth

Path Params

id string

GET /api/v2/logs/collectors/{id}

 
curl --get \ --url 'https://documentation.lightbitslabs.com/api/v2/logs/collectors/{id}' \ --header 'Authorization: {Authorization}'
Copy

Responses application/json

200

A successful response.

object	object
collector	object	CollectorStatus is the composite health view for one log collector (Alloy instance).
id	string
lastSeen	string
alloyStatus	string	Enum: `ALLOY_UNSPECIFIED`,`ALLOY_ONLINE`,`ALLOY_STALE`,`ALLOY_OFFLINE` Default: ALLOY_UNSPECIFIED
configHash	string
remotecfgStatus	string	Enum: `REMOTECFG_UNSPECIFIED`,`REMOTECFG_UP`,`REMOTECFG_DOWN` Default: REMOTECFG_UNSPECIFIED
pipelineHealth	string	─── Collectors ────────────────────────────────────────────────────────────── PipelineHealth is the runtime health of the logging pipeline on one Alloy agent, derived by polling the Alloy HTTP API on a configurable cadence. DEGRADED covers component errors and runtime failures for a SUBSET of targets. ERROR means ALL configured exporters have active failures. UNKNOWN means the Alloy HTTP API was unreachable. UNSPECIFIED: never polled or address not yet known HEALTHY: all components healthy, no metric failures DEGRADED: unhealthy component, or some (not all) exporters failing UNKNOWN: Alloy HTTP API unreachable ERROR: all configured exporters are failing — no logs leaving the host Enum: `UNSPECIFIED`,`HEALTHY`,`DEGRADED`,`UNKNOWN`,`ERROR` Default: UNSPECIFIED
unhealthyComponents	array[object]
localId	string
name	string
state	string
message	string
updatedTime	string
pipelineCheckedAt	string
pipelineError	string
exporterSendFailedDelta	string
lokiDroppedEntriesDelta	string
failingExporters	array[string]
totalExporters	int32
exporterSendFailedTotal	string
exporterQueueSize	string

401

Unauthorized: authentication failed.

403

Permission denied.

404

A log collector with the provided ID has not been seen on this cluster.

500

Internal Lightbits error.

default

An unexpected error response.

Response

 
{ "collector": {  "id": "{string}",  "lastSeen": "{string}",  "alloyStatus": "{string}",  "configHash": "{string}",  "remotecfgStatus": "{string}",  "pipelineHealth": "{string}",  "unhealthyComponents": [   {    "localId": "{string}",    "name": "{string}",    "state": "{string}",    "message": "{string}",    "updatedTime": "{string}"   }  ],  "pipelineCheckedAt": "{string}",  "pipelineError": "{string}",  "exporterSendFailedDelta": "{string}",  "lokiDroppedEntriesDelta": "{string}",  "failingExporters": [   "{array[string]...}"  ],  "totalExporters": "{int32}",  "exporterSendFailedTotal": "{string}",  "exporterQueueSize": "{string}" }}
Copy

Log Source Operations

/api/v2/logs/sources/{name}

DELETE

/api/v2/logs/sources/{name}

PUT

/api/v2/logs/sources/{source.name}

List log sources.

Return all configured log collection sources. Note that log streaming is a tech preview.

Auth

GET /api/v2/logs/sources

 
curl --get \ --url 'https://documentation.lightbitslabs.com/api/v2/logs/sources' \ --header 'Authorization: {Authorization}'
Copy

Responses application/json

200

A successful response.

object	object
sources	array[object]
name	string
enabled	boolean
logFormat	string	Enum: `LOG_FORMAT_UNSPECIFIED`,`ZAP_JSON`,`LOGFMT`,`DUROSLIGHT_TEXT`,`GFTL_TEXT`,`UNSTRUCTURED` Default: LOG_FORMAT_UNSPECIFIED
minLevel	string	Enum: `UNSPECIFIED`,`DEBUG`,`INFO`,`WARN`,`ERROR` Default: UNSPECIFIED
journald	object
syslogIdentifier	string
file	object
paths	array[string]
labels	object
*	string

401

Unauthorized: authentication failed.

403

Permission denied.

500

Internal Lightbits error.

default

An unexpected error response.

Response

 
{ "sources": [  {   "name": "{string}",   "enabled": "{boolean}",   "logFormat": "{string}",   "minLevel": "{string}",   "journald": {    "syslogIdentifier": "{string}"   },   "file": {    "paths": [     "{array[string]...}"    ],    "labels": {}   }  } ]}
Copy

Create log source.

Register a new log collection point. A source can be a systemd journal unit (journald) or a set of file paths. The log_format field determines how raw log lines are parsed before forwarding; for well-known service names a default format is applied automatically if log_format is omitted. Note that log streaming is a tech preview.

Auth

Request Body application/json

object	object
name	string
enabled	boolean
logFormat	string	Enum: `LOG_FORMAT_UNSPECIFIED`,`ZAP_JSON`,`LOGFMT`,`DUROSLIGHT_TEXT`,`GFTL_TEXT`,`UNSTRUCTURED` Default: LOG_FORMAT_UNSPECIFIED
minLevel	string	Enum: `UNSPECIFIED`,`DEBUG`,`INFO`,`WARN`,`ERROR` Default: UNSPECIFIED
journald	object
syslogIdentifier	string
file	object
paths	array[string]
labels	object
*	string

POST /api/v2/logs/sources

 
curl --request POST \ --url 'https://documentation.lightbitslabs.com/api/v2/logs/sources' \ --header 'Authorization: {Authorization}' \ --data '{  "name": "{string}",  "enabled": "{boolean}",  "logFormat": "{string}",  "minLevel": "{string}",  "journald": {    "syslogIdentifier": "{string}"  },  "file": {    "paths": [      "{array[string]...}"    ],    "labels": {}  }}'
Copy

Responses application/json

200

A successful response.

object	object
source	object
name	string
enabled	boolean
logFormat	string	Enum: `LOG_FORMAT_UNSPECIFIED`,`ZAP_JSON`,`LOGFMT`,`DUROSLIGHT_TEXT`,`GFTL_TEXT`,`UNSTRUCTURED` Default: LOG_FORMAT_UNSPECIFIED
minLevel	string	Enum: `UNSPECIFIED`,`DEBUG`,`INFO`,`WARN`,`ERROR` Default: UNSPECIFIED
journald	object
syslogIdentifier	string
file	object
paths	array[string]
labels	object
*	string

400

An invalid argument was provided: source.name is missing, no journald or file config was supplied, or log_format is unknown and no default is registered for this source.

401

Unauthorized: authentication failed.

403

Permission denied.

409

A log source with the provided name already exists.

500

Internal Lightbits error.

default

An unexpected error response.

Response

 
{ "source": {  "name": "{string}",  "enabled": "{boolean}",  "logFormat": "{string}",  "minLevel": "{string}",  "journald": {   "syslogIdentifier": "{string}"  },  "file": {   "paths": [    "{array[string]...}"   ],   "labels": {}  } }}
Copy

Get log source.

Retrieve the configuration of a log source by name. Note that log streaming is a tech preview.

Auth

Path Params

name string

GET /api/v2/logs/sources/{name}

 
curl --get \ --url 'https://documentation.lightbitslabs.com/api/v2/logs/sources/{name}' \ --header 'Authorization: {Authorization}'
Copy

Responses application/json

200

A successful response.

object	object
source	object
name	string
enabled	boolean
logFormat	string	Enum: `LOG_FORMAT_UNSPECIFIED`,`ZAP_JSON`,`LOGFMT`,`DUROSLIGHT_TEXT`,`GFTL_TEXT`,`UNSTRUCTURED` Default: LOG_FORMAT_UNSPECIFIED
minLevel	string	Enum: `UNSPECIFIED`,`DEBUG`,`INFO`,`WARN`,`ERROR` Default: UNSPECIFIED
journald	object
syslogIdentifier	string
file	object
paths	array[string]
labels	object
*	string

401

Unauthorized: authentication failed.

403

Permission denied.

404

A log source with the provided name does not exist.

500

Internal Lightbits error.

default

An unexpected error response.

Response

 
{ "source": {  "name": "{string}",  "enabled": "{boolean}",  "logFormat": "{string}",  "minLevel": "{string}",  "journald": {   "syslogIdentifier": "{string}"  },  "file": {   "paths": [    "{array[string]...}"   ],   "labels": {}  } }}
Copy

Delete log source.

Remove a log source by name. If the source does not exist the call succeeds and the response field deleted is false. Note that log streaming is a tech preview.

Auth

Path Params

name string

DELETE /api/v2/logs/sources/{name}

 
curl --request DELETE \ --url 'https://documentation.lightbitslabs.com/api/v2/logs/sources/{name}' \ --header 'Authorization: {Authorization}'
Copy

Responses application/json

200

A successful response.

object	object
deleted	boolean	True if the source existed and was removed; false if it was already absent.

401

Unauthorized: authentication failed.

403

Permission denied.

500

Internal Lightbits error.

default

An unexpected error response.

Response

 
{ "deleted": "{boolean}"}
Copy

Update log source.

Modify an existing log source. All fields provided in the request replace the existing values for those fields. Note that log streaming is a tech preview.

Auth

Path Params

source.name string

Request Body application/json

object	object
enabled	boolean
logFormat	string	Enum: `LOG_FORMAT_UNSPECIFIED`,`ZAP_JSON`,`LOGFMT`,`DUROSLIGHT_TEXT`,`GFTL_TEXT`,`UNSTRUCTURED` Default: LOG_FORMAT_UNSPECIFIED
minLevel	string	Enum: `UNSPECIFIED`,`DEBUG`,`INFO`,`WARN`,`ERROR` Default: UNSPECIFIED
journald	object
syslogIdentifier	string
file	object
paths	array[string]
labels	object
*	string

PUT /api/v2/logs/sources/{source.name}

 
curl --request PUT \ --url 'https://documentation.lightbitslabs.com/api/v2/logs/sources/{source.name}' \ --header 'Authorization: {Authorization}' \ --data '{  "enabled": "{boolean}",  "logFormat": "{string}",  "minLevel": "{string}",  "journald": {    "syslogIdentifier": "{string}"  },  "file": {    "paths": [      "{array[string]...}"    ],    "labels": {}  }}'
Copy

Responses application/json

200

A successful response.

object	object
source	object
name	string
enabled	boolean
logFormat	string	Enum: `LOG_FORMAT_UNSPECIFIED`,`ZAP_JSON`,`LOGFMT`,`DUROSLIGHT_TEXT`,`GFTL_TEXT`,`UNSTRUCTURED` Default: LOG_FORMAT_UNSPECIFIED
minLevel	string	Enum: `UNSPECIFIED`,`DEBUG`,`INFO`,`WARN`,`ERROR` Default: UNSPECIFIED
journald	object
syslogIdentifier	string
file	object
paths	array[string]
labels	object
*	string

400

An invalid argument was provided: source.name is missing, no journald or file config was supplied, or log_format is unknown.

401

Unauthorized: authentication failed.

403

Permission denied.

404

A log source with the provided name does not exist.

500

Internal Lightbits error.

default

An unexpected error response.

Response

 
{ "source": {  "name": "{string}",  "enabled": "{boolean}",  "logFormat": "{string}",  "minLevel": "{string}",  "journald": {   "syslogIdentifier": "{string}"  },  "file": {   "paths": [    "{array[string]...}"   ],   "labels": {}  } }}
Copy

Log Target Operations

/api/v2/logs/targets/{name}

DELETE

/api/v2/logs/targets/{name}

PUT

/api/v2/logs/targets/{target.name}

List log forwarding targets.

Return all configured log forwarding targets. Note that log streaming is a tech preview.

Auth

GET /api/v2/logs/targets

 
curl --get \ --url 'https://documentation.lightbitslabs.com/api/v2/logs/targets' \ --header 'Authorization: {Authorization}'
Copy

Responses application/json

200

A successful response.

object	object
targets	array[object]
name	string
type	string	Enum: `TYPE_UNSPECIFIED`,`LOKI`,`RSYSLOG` Default: TYPE_UNSPECIFIED
enabled	boolean
loki	object
url	string
username	string
password	string
tlsBundle	string	Name of a TLSBundle. When set, overrides basic auth with TLS.
rsyslog	object
endpoint	string
port	int32
timeout	string	Go duration string (e.g. "5s", "30s", "1m"). Defaults to "5s" when empty. Alloy passes this directly to otelcol.exporter.syslog timeout (default "5s"). Must be a positive duration (> 0); a zero or negative timeout is rejected.
debug	boolean
tlsBundle	string	Name of a TLSBundle. When empty, connection is plain TCP (no TLS).

401

Unauthorized: authentication failed.

403

Permission denied.

500

Internal Lightbits error.

default

An unexpected error response.

Response

 
{ "targets": [  {   "name": "{string}",   "type": "{string}",   "enabled": "{boolean}",   "loki": {    "url": "{string}",    "username": "{string}",    "password": "{string}",    "tlsBundle": "{string}"   },   "rsyslog": {    "endpoint": "{string}",    "port": "{int32}",    "timeout": "{string}",    "debug": "{boolean}",    "tlsBundle": "{string}"   }  } ]}
Copy

Create log forwarding target.

Register a new log forwarding destination. A target can be a Loki endpoint or an rsyslog receiver. Once created, enable it and create log sources to start forwarding. Note that log streaming is a tech preview.

Auth

Request Body application/json

object	object
name	string
type	string	Enum: `TYPE_UNSPECIFIED`,`LOKI`,`RSYSLOG` Default: TYPE_UNSPECIFIED
enabled	boolean
loki	object
url	string
username	string
password	string
tlsBundle	string	Name of a TLSBundle. When set, overrides basic auth with TLS.
rsyslog	object
endpoint	string
port	int32
timeout	string	Go duration string (e.g. "5s", "30s", "1m"). Defaults to "5s" when empty. Alloy passes this directly to otelcol.exporter.syslog timeout (default "5s"). Must be a positive duration (> 0); a zero or negative timeout is rejected.
debug	boolean
tlsBundle	string	Name of a TLSBundle. When empty, connection is plain TCP (no TLS).

POST /api/v2/logs/targets

 
curl --request POST \ --url 'https://documentation.lightbitslabs.com/api/v2/logs/targets' \ --header 'Authorization: {Authorization}' \ --data '{  "name": "{string}",  "type": "{string}",  "enabled": "{boolean}",  "loki": {    "url": "{string}",    "username": "{string}",    "password": "{string}",    "tlsBundle": "{string}"  },  "rsyslog": {    "endpoint": "{string}",    "port": "{int32}",    "timeout": "{string}",    "debug": "{boolean}",    "tlsBundle": "{string}"  }}'
Copy

Responses application/json

200

A successful response.

object	object
target	object
name	string
type	string	Enum: `TYPE_UNSPECIFIED`,`LOKI`,`RSYSLOG` Default: TYPE_UNSPECIFIED
enabled	boolean
loki	object
url	string
username	string
password	string
tlsBundle	string	Name of a TLSBundle. When set, overrides basic auth with TLS.
rsyslog	object
endpoint	string
port	int32
timeout	string	Go duration string (e.g. "5s", "30s", "1m"). Defaults to "5s" when empty. Alloy passes this directly to otelcol.exporter.syslog timeout (default "5s"). Must be a positive duration (> 0); a zero or negative timeout is rejected.
debug	boolean
tlsBundle	string	Name of a TLSBundle. When empty, connection is plain TCP (no TLS).

400

An invalid argument was provided: target.name is missing, target.type is unspecified, the rsyslog timeout is not a valid duration, or the referenced TLS bundle does not exist.

401

Unauthorized: authentication failed.

403

Permission denied.

409

A log forwarding target with the provided name already exists.

500

Internal Lightbits error.

default

An unexpected error response.

Response

 
{ "target": {  "name": "{string}",  "type": "{string}",  "enabled": "{boolean}",  "loki": {   "url": "{string}",   "username": "{string}",   "password": "{string}",   "tlsBundle": "{string}"  },  "rsyslog": {   "endpoint": "{string}",   "port": "{int32}",   "timeout": "{string}",   "debug": "{boolean}",   "tlsBundle": "{string}"  } }}
Copy

Get log forwarding target.

Retrieve the configuration of a log forwarding target by name. Note that log streaming is a tech preview.

Auth

Path Params

name string

GET /api/v2/logs/targets/{name}

 
curl --get \ --url 'https://documentation.lightbitslabs.com/api/v2/logs/targets/{name}' \ --header 'Authorization: {Authorization}'
Copy

Responses application/json

200

A successful response.

object	object
target	object
name	string
type	string	Enum: `TYPE_UNSPECIFIED`,`LOKI`,`RSYSLOG` Default: TYPE_UNSPECIFIED
enabled	boolean
loki	object
url	string
username	string
password	string
tlsBundle	string	Name of a TLSBundle. When set, overrides basic auth with TLS.
rsyslog	object
endpoint	string
port	int32
timeout	string	Go duration string (e.g. "5s", "30s", "1m"). Defaults to "5s" when empty. Alloy passes this directly to otelcol.exporter.syslog timeout (default "5s"). Must be a positive duration (> 0); a zero or negative timeout is rejected.
debug	boolean
tlsBundle	string	Name of a TLSBundle. When empty, connection is plain TCP (no TLS).

401

Unauthorized: authentication failed.

403

Permission denied.

404

A log forwarding target with the provided name does not exist.

500

Internal Lightbits error.

default

An unexpected error response.

Response

 
{ "target": {  "name": "{string}",  "type": "{string}",  "enabled": "{boolean}",  "loki": {   "url": "{string}",   "username": "{string}",   "password": "{string}",   "tlsBundle": "{string}"  },  "rsyslog": {   "endpoint": "{string}",   "port": "{int32}",   "timeout": "{string}",   "debug": "{boolean}",   "tlsBundle": "{string}"  } }}
Copy

Delete log forwarding target.

Remove a log forwarding target by name. If the target does not exist the call succeeds and the response field deleted is false. Note that log streaming is a tech preview.

Auth

Path Params

name string

DELETE /api/v2/logs/targets/{name}

 
curl --request DELETE \ --url 'https://documentation.lightbitslabs.com/api/v2/logs/targets/{name}' \ --header 'Authorization: {Authorization}'
Copy

Responses application/json

200

A successful response.

object	object
deleted	boolean	True if the target existed and was removed; false if it was already absent.

401

Unauthorized: authentication failed.

403

Permission denied.

500

Internal Lightbits error.

default

An unexpected error response.

Response

 
{ "deleted": "{boolean}"}
Copy

Update log forwarding target.

Modify an existing log forwarding target. All fields provided in the request replace the existing values for those fields. Note that log streaming is a tech preview.

Auth

Path Params

target.name string

Request Body application/json

object	object
type	string	Enum: `TYPE_UNSPECIFIED`,`LOKI`,`RSYSLOG` Default: TYPE_UNSPECIFIED
enabled	boolean
loki	object
url	string
username	string
password	string
tlsBundle	string	Name of a TLSBundle. When set, overrides basic auth with TLS.
rsyslog	object
endpoint	string
port	int32
timeout	string	Go duration string (e.g. "5s", "30s", "1m"). Defaults to "5s" when empty. Alloy passes this directly to otelcol.exporter.syslog timeout (default "5s"). Must be a positive duration (> 0); a zero or negative timeout is rejected.
debug	boolean
tlsBundle	string	Name of a TLSBundle. When empty, connection is plain TCP (no TLS).

PUT /api/v2/logs/targets/{target.name}

 
curl --request PUT \ --url 'https://documentation.lightbitslabs.com/api/v2/logs/targets/{target.name}' \ --header 'Authorization: {Authorization}' \ --data '{  "type": "{string}",  "enabled": "{boolean}",  "loki": {    "url": "{string}",    "username": "{string}",    "password": "{string}",    "tlsBundle": "{string}"  },  "rsyslog": {    "endpoint": "{string}",    "port": "{int32}",    "timeout": "{string}",    "debug": "{boolean}",    "tlsBundle": "{string}"  }}'
Copy

Responses application/json

200

A successful response.

object	object
target	object
name	string
type	string	Enum: `TYPE_UNSPECIFIED`,`LOKI`,`RSYSLOG` Default: TYPE_UNSPECIFIED
enabled	boolean
loki	object
url	string
username	string
password	string
tlsBundle	string	Name of a TLSBundle. When set, overrides basic auth with TLS.
rsyslog	object
endpoint	string
port	int32
timeout	string	Go duration string (e.g. "5s", "30s", "1m"). Defaults to "5s" when empty. Alloy passes this directly to otelcol.exporter.syslog timeout (default "5s"). Must be a positive duration (> 0); a zero or negative timeout is rejected.
debug	boolean
tlsBundle	string	Name of a TLSBundle. When empty, connection is plain TCP (no TLS).

400

An invalid argument was provided: target.name is missing, target.type is unspecified, the rsyslog timeout is not a valid duration, or the referenced TLS bundle does not exist.

401

Unauthorized: authentication failed.

403

Permission denied.

404

A log forwarding target with the provided name does not exist.

500

Internal Lightbits error.

default

An unexpected error response.

Response

 
{ "target": {  "name": "{string}",  "type": "{string}",  "enabled": "{boolean}",  "loki": {   "url": "{string}",   "username": "{string}",   "password": "{string}",   "tlsBundle": "{string}"  },  "rsyslog": {   "endpoint": "{string}",   "port": "{int32}",   "timeout": "{string}",   "debug": "{boolean}",   "tlsBundle": "{string}"  } }}
Copy

Log Tls Bundle Operations

GET

/api/v2/logs/tls-bundles

POST

/api/v2/logs/tls-bundles

PUT

/api/v2/logs/tls-bundles/{bundle.name}

GET

/api/v2/logs/tls-bundles/{name}

DELETE

/api/v2/logs/tls-bundles/{name}

List TLS bundles.

Return all stored TLS bundles. The key_pem field is redacted in list responses (shown as "" when a key is present); use GetTLSBundle to retrieve the full key material. Note that log streaming is a tech preview.

Auth

GET /api/v2/logs/tls-bundles

 
curl --get \ --url 'https://documentation.lightbitslabs.com/api/v2/logs/tls-bundles' \ --header 'Authorization: {Authorization}'
Copy

Responses application/json

200

A successful response.

object	object
bundles	array[object]
name	string	Stable name used as the etcd key and referenced from target configs.
caPem	string	PEM-encoded CA certificate (required). Used to verify the remote server.
certPem	string	PEM-encoded client certificate (optional). Present = mTLS mode.
keyPem	string	PEM-encoded client private key (optional). Present = mTLS mode. Stored AES-256-GCM encrypted in etcd when TLS_BUNDLE_KEY is configured.

401

Unauthorized: authentication failed.

403

Permission denied.

500

Internal Lightbits error.

default

An unexpected error response.

Response

 
{ "bundles": [  {   "name": "{string}",   "caPem": "{string}",   "certPem": "{string}",   "keyPem": "{string}"  } ]}
Copy

Create TLS bundle.

Store a named set of PEM-encoded certificate material (CA, optional client cert/key) used by log forwarding targets to authenticate TLS connections. When TLS_BUNDLE_KEY is configured on api-service, key_pem is AES-256-GCM encrypted before being written to etcd. Note that log streaming is a tech preview.

Auth

Request Body application/json

object	object
name	string	Stable name used as the etcd key and referenced from target configs.
caPem	string	PEM-encoded CA certificate (required). Used to verify the remote server.
certPem	string	PEM-encoded client certificate (optional). Present = mTLS mode.
keyPem	string	PEM-encoded client private key (optional). Present = mTLS mode. Stored AES-256-GCM encrypted in etcd when TLS_BUNDLE_KEY is configured.

POST /api/v2/logs/tls-bundles

 
curl --request POST \ --url 'https://documentation.lightbitslabs.com/api/v2/logs/tls-bundles' \ --header 'Authorization: {Authorization}' \ --data '{  "name": "{string}",  "caPem": "{string}",  "certPem": "{string}",  "keyPem": "{string}"}'
Copy

Responses application/json

200

A successful response.

object	object
bundle	object
name	string	Stable name used as the etcd key and referenced from target configs.
caPem	string	PEM-encoded CA certificate (required). Used to verify the remote server.
certPem	string	PEM-encoded client certificate (optional). Present = mTLS mode.
keyPem	string	PEM-encoded client private key (optional). Present = mTLS mode. Stored AES-256-GCM encrypted in etcd when TLS_BUNDLE_KEY is configured.

400

An invalid argument was provided: bundle.name or bundle.ca_pem is missing.

401

Unauthorized: authentication failed.

403

Permission denied.

409

A TLS bundle with the provided name already exists.

500

Internal Lightbits error.

default

An unexpected error response.

Response

 
{ "bundle": {  "name": "{string}",  "caPem": "{string}",  "certPem": "{string}",  "keyPem": "{string}" }}
Copy

Update TLS bundle.

Replace the certificate material of an existing TLS bundle. The bundle must already exist; use CreateTLSBundle to add a new one. All PEM fields (ca_pem, cert_pem, key_pem) are fully replaced by the values provided in this request. Note that log streaming is a tech preview.

Auth

Path Params

bundle.name

string

Stable name used as the etcd key and referenced from target configs.

Request Body application/json

object	object
caPem	string	PEM-encoded CA certificate (required). Used to verify the remote server.
certPem	string	PEM-encoded client certificate (optional). Present = mTLS mode.
keyPem	string	PEM-encoded client private key (optional). Present = mTLS mode. Stored AES-256-GCM encrypted in etcd when TLS_BUNDLE_KEY is configured.

PUT /api/v2/logs/tls-bundles/{bundle.name}

 
curl --request PUT \ --url 'https://documentation.lightbitslabs.com/api/v2/logs/tls-bundles/{bundle.name}' \ --header 'Authorization: {Authorization}' \ --data '{  "caPem": "{string}",  "certPem": "{string}",  "keyPem": "{string}"}'
Copy

Responses application/json

200

A successful response.

object	object
bundle	object
name	string	Stable name used as the etcd key and referenced from target configs.
caPem	string	PEM-encoded CA certificate (required). Used to verify the remote server.
certPem	string	PEM-encoded client certificate (optional). Present = mTLS mode.
keyPem	string	PEM-encoded client private key (optional). Present = mTLS mode. Stored AES-256-GCM encrypted in etcd when TLS_BUNDLE_KEY is configured.

400

An invalid argument was provided: bundle.name or bundle.ca_pem is missing.

401

Unauthorized: authentication failed.

403

Permission denied.

404

A TLS bundle with the provided name does not exist.

500

Internal Lightbits error.

default

An unexpected error response.

Response

 
{ "bundle": {  "name": "{string}",  "caPem": "{string}",  "certPem": "{string}",  "keyPem": "{string}" }}
Copy

Get TLS bundle.

Retrieve a TLS bundle by name, including the decrypted key_pem if one was stored. Use ListTLSBundles to enumerate all bundles (key_pem is redacted in list responses). Note that log streaming is a tech preview.

Auth

Path Params

name string

GET /api/v2/logs/tls-bundles/{name}

 
curl --get \ --url 'https://documentation.lightbitslabs.com/api/v2/logs/tls-bundles/{name}' \ --header 'Authorization: {Authorization}'
Copy

Responses application/json

200

A successful response.

object	object
bundle	object
name	string	Stable name used as the etcd key and referenced from target configs.
caPem	string	PEM-encoded CA certificate (required). Used to verify the remote server.
certPem	string	PEM-encoded client certificate (optional). Present = mTLS mode.
keyPem	string	PEM-encoded client private key (optional). Present = mTLS mode. Stored AES-256-GCM encrypted in etcd when TLS_BUNDLE_KEY is configured.

401

Unauthorized: authentication failed.

403

Permission denied.

404

A TLS bundle with the provided name does not exist.

500

Internal Lightbits error.

default

An unexpected error response.

Response

 
{ "bundle": {  "name": "{string}",  "caPem": "{string}",  "certPem": "{string}",  "keyPem": "{string}" }}
Copy

Delete TLS bundle.

Remove a TLS bundle by name. Deletion is refused if any log forwarding target still references the bundle; remove or update those targets first. Note that log streaming is a tech preview.

Auth

Path Params

name string

DELETE /api/v2/logs/tls-bundles/{name}

 
curl --request DELETE \ --url 'https://documentation.lightbitslabs.com/api/v2/logs/tls-bundles/{name}' \ --header 'Authorization: {Authorization}'
Copy

Responses application/json

200

A successful response.

object object

400

The TLS bundle is still referenced by one or more log forwarding targets.

401

Unauthorized: authentication failed.

403

Permission denied.

500

Internal Lightbits error.

default

An unexpected error response.

Response

 
{}
Copy