SIEM Integration
Connect Bloqd to your Security Information and Event Management system for centralized security monitoring.
Pro Feature
SIEM Integration requires a Pro license.
Overview
SIEM integration allows you to:
- Forward security events to your SIEM
- Correlate fail2ban events with other security data
- Create unified security dashboards
- Trigger automated responses
- Meet compliance requirements
Supported Formats
| Format | Description |
|---|---|
| Syslog | RFC 5424 format over TCP/UDP |
| CEF | Common Event Format (ArcSight) |
| LEEF | Log Event Extended Format (QRadar) |
| JSON | Generic JSON over HTTP/S |
| Splunk HEC | Splunk HTTP Event Collector |
Setup
Enable SIEM
- Go to Settings → SIEM
- Enable SIEM integration
- Select output format
- Configure destination
- Test connection
- Save
Or via environment:
SIEM_ENABLED=true
SIEM_FORMAT=syslog
SIEM_HOST=siem.example.com
SIEM_PORT=514
SIEM_PROTOCOL=tcp
Configuration Options
Syslog
SIEM_FORMAT=syslog
SIEM_HOST=siem.example.com
SIEM_PORT=514
SIEM_PROTOCOL=tcp # tcp, udp, or tls
SIEM_FACILITY=local0
SIEM_APP_NAME=bloqd
CEF (ArcSight)
SIEM_FORMAT=cef
SIEM_HOST=arcsight.example.com
SIEM_PORT=514
SIEM_CEF_VENDOR=Bloqd
SIEM_CEF_PRODUCT=BloqdDashboard
SIEM_CEF_VERSION=1.0
LEEF (QRadar)
SIEM_FORMAT=leef
SIEM_HOST=qradar.example.com
SIEM_PORT=514
JSON/HTTP
SIEM_FORMAT=json
SIEM_URL=https://siem.example.com/api/events
SIEM_API_KEY=your_api_key
SIEM_BATCH_SIZE=100
SIEM_FLUSH_INTERVAL=30
Splunk HEC
SIEM_FORMAT=splunk
SIEM_URL=https://splunk.example.com:8088
SIEM_HEC_TOKEN=your_hec_token
SIEM_INDEX=security
SIEM_SOURCE=bloqd
SIEM_SOURCETYPE=bloqd:events
Event Types
Ban Events
Sent when an IP is banned:
{
"event_type": "ban",
"timestamp": "2024-01-15T10:30:00Z",
"server": "web-server-01",
"jail": "sshd",
"ip": "192.168.1.100",
"country": "CN",
"asn": "AS4134",
"log_lines": "Failed password for root from 192.168.1.100"
}
CEF Format:
CEF:0|Bloqd|BloqdDashboard|1.0|ban|IP Banned|5|src=192.168.1.100 dhost=web-server-01 cs1=sshd cs1Label=Jail
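The ban event above rendered as the CEF line shown, as an added example that is not Bloqd's own code: it applies CEF header and extension escaping so text copied from attacker-influenced log lines cannot inject extra fields or records. The optional msg= mapping for log_lines is an assumption; the page's sample carries only src, dhost, cs1 and cs1Label.

```python
# Added example (not Bloqd's own code): render the page's ban event as CEF.
# Constructed sample: the ban event shown on this page.
BAN_EVENT = {
    "event_type": "ban",
    "timestamp": "2024-01-15T10:30:00Z",
    "server": "web-server-01",
    "jail": "sshd",
    "ip": "192.168.1.100",
    "country": "CN",
    "asn": "AS4134",
    "log_lines": "Failed password for root from 192.168.1.100",
}

# Event name and CEF severity per event_type; "ban" is taken from the page's
# sample line, any further entries would be assumptions.
CEF_EVENTS = {"ban": ("IP Banned", 5)}


def cef_header_escape(value):
    """Header fields: escape backslash and the pipe delimiter."""
    return str(value).replace("\\", "\\\\").replace("|", "\\|")


def cef_ext_escape(value):
    """Extension values: escape backslash and '=', encode line breaks."""
    s = str(value).replace("\\", "\\\\").replace("=", "\\=")
    return s.replace("\r", "\\r").replace("\n", "\\n")


def to_cef(event, vendor="Bloqd", product="BloqdDashboard", version="1.0",
           include_log=False):
    """Build 'CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|ext'."""
    name, severity = CEF_EVENTS[event["event_type"]]
    header = "|".join(cef_header_escape(v) for v in
                      (vendor, product, version, event["event_type"], name))
    fields = [("src", event["ip"]), ("dhost", event["server"]),
              ("cs1", event["jail"]), ("cs1Label", "Jail")]
    if include_log and event.get("log_lines"):
        fields.append(("msg", event["log_lines"]))  # assumed mapping
    ext = " ".join(f"{k}={cef_ext_escape(v)}" for k, v in fields)
    return f"CEF:0|{header}|{severity}|{ext}"


if __name__ == "__main__":
    print(to_cef(BAN_EVENT))
```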
Unban Events
Sent when an IP is unbanned:
{
"event_type": "unban",
"timestamp": "2024-01-15T11:30:00Z",
"server": "web-server-01",
"jail": "sshd",
"ip": "192.168.1.100",
"reason": "ban_expired"
}
Server Events
Server connectivity changes:
{
"event_type": "server_offline",
"timestamp": "2024-01-15T10:00:00Z",
"server": "web-server-01",
"last_seen": "2024-01-15T09:55:00Z"
}
Authentication Events
Login attempts and changes:
{
"event_type": "login_success",
"timestamp": "2024-01-15T10:00:00Z",
"user": "admin",
"ip": "10.0.0.1",
"method": "password"
}
Whitelist Events
Whitelist modifications:
{
"event_type": "whitelist_add",
"timestamp": "2024-01-15T10:00:00Z",
"ip": "10.0.0.0/8",
"user": "admin",
"reason": "Internal network"
}
Event Filtering
Control which events are forwarded:
# Only send specific event types
SIEM_EVENTS=ban,unban,server_offline,login_failed
# Minimum severity (1-10)
SIEM_MIN_SEVERITY=5
# Exclude specific jails
SIEM_EXCLUDE_JAILS=test-jail
Or in dashboard:
- Go to Settings → SIEM → Filters
- Select event types to forward
- Set severity threshold
- Configure exclusions
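The three filter variables applied to an event before forwarding, as an added example rather than Bloqd's own implementation. It assumes each event carries a numeric "severity" (1-10) and that an event without one is not filtered by severity.

```python
# Added example (not Bloqd's own code): apply SIEM_EVENTS, SIEM_MIN_SEVERITY
# and SIEM_EXCLUDE_JAILS to an event. Assumption: events carry a numeric
# "severity"; events without one are not filtered by severity.

def parse_csv(value):
    """Split a comma-separated env value, ignoring blanks and whitespace."""
    return {item.strip() for item in value.split(",") if item.strip()}


def parse_filter_config(env):
    """Read the filter knobs from a dict of environment variables."""
    events = parse_csv(env.get("SIEM_EVENTS", ""))
    return {
        "events": events or None,          # unset/empty => forward all types
        "min_severity": int(env.get("SIEM_MIN_SEVERITY", "1")),
        "exclude_jails": parse_csv(env.get("SIEM_EXCLUDE_JAILS", "")),
    }


def should_forward(event, cfg):
    """True if the event passes the type, severity and jail filters."""
    if cfg["events"] is not None and event["event_type"] not in cfg["events"]:
        return False
    severity = event.get("severity")
    if severity is not None and severity < cfg["min_severity"]:
        return False
    if event.get("jail") in cfg["exclude_jails"]:
        return False
    return True


# Constructed sample matching the filter configuration shown on this page.
SAMPLE_ENV = {
    "SIEM_EVENTS": "ban,unban,server_offline,login_failed",
    "SIEM_MIN_SEVERITY": "5",
    "SIEM_EXCLUDE_JAILS": "test-jail",
}
```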
Enrichment
Events can be enriched with additional data:
| Field | Description |
|---|---|
| geo.country | Country code |
| geo.city | City name |
| geo.lat/lon | Coordinates |
| asn.number | AS number |
| asn.org | Organization |
| reputation | AbuseIPDB score |
Enable enrichment:
SIEM_ENRICHMENT=true
SIEM_ENRICH_GEO=true
SIEM_ENRICH_ASN=true
SIEM_ENRICH_REPUTATION=true
Delivery Options
Batching
Group events for efficiency:
SIEM_BATCH_SIZE=100 # Events per batch
SIEM_FLUSH_INTERVAL=30 # Seconds between flushes
Retry Logic
Handle delivery failures:
SIEM_RETRY_COUNT=3
SIEM_RETRY_DELAY=5 # Seconds between retries
SIEM_QUEUE_SIZE=10000 # Max queued events
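How the batching, retry and queue-size settings interact, as an added example that is not Bloqd's own code: a bounded queue that flushes a full batch immediately, flushes a partial batch once the interval has passed, retries a failed batch with a fixed delay and requeues it rather than losing it. The send(batch) callback, and the injectable clock and sleep used to exercise it without waiting, are assumptions.

```python
# Added example (not Bloqd's own code): bounded, batching, retrying delivery.
import collections
import time


class SiemDelivery:
    def __init__(self, send, batch_size=100, flush_interval=30,
                 retry_count=3, retry_delay=5, queue_size=10000,
                 clock=time.monotonic, sleep=time.sleep):
        self.send, self.clock, self.sleep = send, clock, sleep
        self.batch_size, self.flush_interval = batch_size, flush_interval
        self.retry_count, self.retry_delay = retry_count, retry_delay
        self.queue_size = queue_size
        self.queue = collections.deque()
        self.sent = self.dropped = 0
        self.last_flush = clock()

    def enqueue(self, event):
        """Queue one event; drop it and count the drop when the queue is full."""
        if len(self.queue) >= self.queue_size:     # SIEM_QUEUE_SIZE
            self.dropped += 1
            return False
        self.queue.append(event)
        if len(self.queue) >= self.batch_size:     # SIEM_BATCH_SIZE reached
            self.flush()
        return True

    def maybe_flush(self):
        """Flush a partial batch once SIEM_FLUSH_INTERVAL seconds have passed."""
        if self.queue and self.clock() - self.last_flush >= self.flush_interval:
            self.flush()

    def flush(self):
        """Send one batch; retry SIEM_RETRY_COUNT times, then requeue it."""
        n = min(self.batch_size, len(self.queue))
        batch = [self.queue.popleft() for _ in range(n)]
        self.last_flush = self.clock()
        for attempt in range(self.retry_count + 1):
            try:
                self.send(batch)
                self.sent += len(batch)
                return True
            except Exception:
                if attempt < self.retry_count:
                    self.sleep(self.retry_delay)   # SIEM_RETRY_DELAY
        self.queue.extendleft(reversed(batch))     # keep order, try later
        return False
```

Dropped events are counted rather than silently discarded, so the drop counter is the value to alert on alongside the queue status endpoint.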
TLS/SSL
Secure transport:
SIEM_PROTOCOL=tls
SIEM_TLS_VERIFY=true
SIEM_TLS_CA=/path/to/ca.crt
SIEM_TLS_CERT=/path/to/client.crt
SIEM_TLS_KEY=/path/to/client.key
Testing
Test Connection
- Go to Settings → SIEM
- Click Test Connection
- Verify event received in SIEM
Manual Test Event
curl -X POST "https://bloqd.example.com/api/v1/siem/test" \
-H "Authorization: Bearer YOUR_API_KEY"
View Queue Status
curl "https://bloqd.example.com/api/v1/siem/status" \
-H "Authorization: Bearer YOUR_API_KEY"
Response:
{
"enabled": true,
"connected": true,
"queue_size": 0,
"events_sent_today": 1523,
"last_event": "2024-01-15T10:30:00Z"
}
SIEM-Specific Guides
Splunk
- Create HEC token in Splunk
- Configure Bloqd:
SIEM_FORMAT=splunk
SIEM_URL=https://splunk:8088
SIEM_HEC_TOKEN=your-token
SIEM_INDEX=security
- Create Splunk dashboard for Bloqd events
Elastic/ELK
- Configure Logstash or use Elasticsearch HTTP input
- Configure Bloqd:
SIEM_FORMAT=json
SIEM_URL=https://elastic:9200/bloqd-events/_doc
SIEM_API_KEY=base64_encoded_key
- Create Kibana visualizations
QRadar
- Configure log source in QRadar
- Configure Bloqd:
SIEM_FORMAT=leef
SIEM_HOST=qradar.example.com
SIEM_PORT=514
- Create QRadar rules for Bloqd events
Azure Sentinel
- Configure Log Analytics workspace
- Configure Bloqd:
SIEM_FORMAT=json
SIEM_URL=https://xxx.ods.opinsights.azure.com/api/logs
SIEM_AZURE_WORKSPACE_ID=workspace-id
SIEM_AZURE_SHARED_KEY=shared-key
Troubleshooting
Events Not Arriving
- Verify SIEM enabled
- Check network connectivity to SIEM
- Verify credentials/tokens
- Check queue status for errors
- Review Bloqd logs
Connection Refused
- Verify host and port
- Check firewall rules
- Verify TLS settings if using SSL
Events Delayed
- Check batch settings
- Reduce flush interval
- Verify network latency
- Check SIEM ingestion rate
Best Practices
- Use TLS - Encrypt events in transit
- Filter appropriately - Don't overwhelm SIEM
- Monitor queue - Ensure events are delivered
- Test regularly - Verify integration works
- Document mapping - Know how fields map to your SIEM
- Set up alerts - Create SIEM alerts for critical events