SIEM Endpoints
Manage SIEM integration and event forwarding.
Pro Feature
SIEM endpoints require a Pro license.
Get SIEM Settings
Get SIEM integration configuration.
GET /api/v1/siem/settings
Response
Success (200):
{
"enabled": true,
"format": "syslog",
"host": "siem.example.com",
"port": 514,
"protocol": "tcp",
"tls_enabled": false,
"events": ["ban", "unban", "server_offline", "login_failed"],
"min_severity": 1,
"batch_size": 100,
"flush_interval": 30
}
Update SIEM Settings
Update SIEM integration configuration.
PATCH /api/v1/siem/settings
Request Body
{
"enabled": true,
"format": "syslog",
"host": "siem.example.com",
"port": 514,
"protocol": "tcp",
"events": ["ban", "unban", "server_offline"]
}
Supported Formats
| Format | Description |
|---|---|
| syslog | RFC 5424 Syslog |
| cef | Common Event Format |
| leef | Log Event Extended Format |
| json | JSON over HTTP |
| splunk | Splunk HEC |
Response
Success (200):
{
"message": "SIEM settings updated"
}
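What the five formats in the table look like on the wire, as an added example that is not the product's own serializer: each function below renders one constructed event (field names mirror the `ban` entry returned by the event-types endpoint; `ip`, `reason`, the vendor/product strings and the severity mappings are assumptions made here) into RFC 5424 syslog, CEF, LEEF, plain JSON, and a Splunk HEC envelope. The `render` dispatcher keys on the same `format` values the PATCH body accepts.

```python
"""Render one event in each format from the Supported Formats table.

Added example, not the product's own serializer: the event dict shape, the
vendor/product strings and the severity mappings are assumptions made here.
"""
import json
from datetime import datetime, timezone

# Constructed sample event. "type", "name" and "severity" mirror the "ban"
# entry returned by /api/v1/siem/event-types; "ip" and "reason" are assumed.
SAMPLE_EVENT = {
    "id": "evt-abc123",
    "type": "ban",
    "name": "IP Banned",
    "severity": 5,
    "ip": "203.0.113.7",
    "reason": "too many failed logins",
    "created_at": "2024-01-15T10:30:00Z",
}

VENDOR, PRODUCT, VERSION = "ExampleVendor", "ExampleGuard", "1.0"  # assumed
SYSLOG_FACILITY_LOCAL0 = 16  # RFC 5424 facility code for local0


def syslog_severity(app_sev: int) -> int:
    """Map the API's 1 (low) .. 8 (high) scale onto RFC 5424 severity
    0 (emergency) .. 7 (debug). The inversion is an assumption."""
    return max(0, min(7, 8 - app_sev))


def _sd_escape(value: str) -> str:
    # RFC 5424 structured-data PARAM-VALUE must escape '"', '\' and ']'.
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_syslog(ev: dict, hostname: str = "guard-01") -> str:
    """RFC 5424: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG."""
    pri = SYSLOG_FACILITY_LOCAL0 * 8 + syslog_severity(ev["severity"])
    # SD-ID uses the RFC 5612 example enterprise number 32473.
    sd = '[guard@32473 type="{}" ip="{}"]'.format(
        _sd_escape(ev["type"]), _sd_escape(ev["ip"]))
    return "<{}>1 {} {} {} - {} {} {}".format(
        pri, ev["created_at"], hostname, PRODUCT, ev["id"], sd, ev["reason"])


def _cef_header(s: str) -> str:
    # CEF header fields escape backslash and the pipe separator.
    return s.replace("\\", "\\\\").replace("|", "\\|")


def _cef_ext(s: str) -> str:
    # CEF extension values escape backslash and '='.
    return s.replace("\\", "\\\\").replace("=", "\\=")


def to_cef(ev: dict) -> str:
    """CEF:0|Vendor|Product|Version|SignatureID|Name|Severity|Extension."""
    header = "|".join(_cef_header(x) for x in (
        VENDOR, PRODUCT, VERSION, ev["type"], ev["name"], str(ev["severity"])))
    ext = " ".join(f"{k}={_cef_ext(v)}" for k, v in (
        ("src", ev["ip"]), ("msg", ev["reason"]), ("externalId", ev["id"])))
    return f"CEF:0|{header}|{ext}"


def to_leef(ev: dict) -> str:
    """LEEF:1.0|Vendor|Product|Version|EventID|tab-separated key=value pairs."""
    header = "|".join((VENDOR, PRODUCT, VERSION, ev["type"]))
    attrs = "\t".join(f"{k}={v}" for k, v in (
        ("src", ev["ip"]), ("sev", str(ev["severity"])), ("msg", ev["reason"])))
    return f"LEEF:1.0|{header}|{attrs}"


def to_json(ev: dict) -> str:
    """JSON over HTTP: the event itself is the request body."""
    return json.dumps(ev, sort_keys=True)


def to_splunk_hec(ev: dict, sourcetype: str = "guard:event") -> dict:
    """Splunk HEC envelope as POSTed to /services/collector/event."""
    ts = datetime.strptime(ev["created_at"], "%Y-%m-%dT%H:%M:%SZ")
    ts = ts.replace(tzinfo=timezone.utc)
    return {"time": ts.timestamp(), "sourcetype": sourcetype, "event": ev}


RENDERERS = {"syslog": to_syslog, "cef": to_cef, "leef": to_leef,
             "json": to_json, "splunk": to_splunk_hec}


def render(ev: dict, fmt: str):
    """Dispatch on the "format" value accepted by PATCH /api/v1/siem/settings."""
    if fmt not in RENDERERS:
        raise ValueError(f"unsupported format: {fmt}")
    return RENDERERS[fmt](ev)


if __name__ == "__main__":
    for name in RENDERERS:
        print(name, "->", render(SAMPLE_EVENT, name))
```

The escaping helpers matter more than they look: a `reason` string containing `|` or `=` would otherwise shift fields in the CEF parser on the receiving side, and a product that forwards user-influenced data (a ban reason, a username) without escaping lets that data corrupt the record the SIEM stores.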
Test SIEM Connection
Send a test event to the configured SIEM.
POST /api/v1/siem/test
Response
Success (200):
{
"message": "Test event sent successfully",
"event_id": "test-abc123"
}
Failed (400):
{
"error": "Connection failed",
"message": "Could not connect to siem.example.com:514"
}
Get SIEM Status
Get current SIEM integration status.
GET /api/v1/siem/status
Response
Success (200):
{
"enabled": true,
"connected": true,
"queue_size": 0,
"events_sent_today": 1523,
"events_failed_today": 2,
"last_event": "2024-01-15T10:30:00Z",
"last_error": null,
"uptime_percent": 99.9
}
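The three endpoints above form one rollout procedure: update the settings, send a test event, then read back the status. The following is an added example of that procedure as a client would script it, not the product's own client. It talks to the endpoints through an injected `call(method, path, body)` function so it runs offline against this page's sample responses; the base URL, the bearer-token header and the static preflight rules (which flag `tls_enabled: false` and an events list that omits `login_failed`) are assumptions made here.

```python
"""Apply a SIEM configuration, send a test event, then confirm status.

Added example, not the product's own client. It targets the endpoints on this
page through an injected `call(method, path, body)` function; the bearer-token
header, the base URL and the canned responses are assumptions made here.
"""
import json

KNOWN_FORMATS = {"syslog", "cef", "leef", "json", "splunk"}

# Constructed settings document in the shape accepted by PATCH /siem/settings.
DESIRED_SETTINGS = {
    "enabled": True,
    "format": "syslog",
    "host": "siem.example.com",
    "port": 514,
    "protocol": "tcp",
    "tls_enabled": False,
    "events": ["ban", "unban", "server_offline"],
}


def preflight_warnings(settings: dict) -> list:
    """Static checks a defender wants before the configuration is applied."""
    warnings = []
    if settings.get("format") not in KNOWN_FORMATS:
        warnings.append(f"unknown format {settings.get('format')!r}")
    port = settings.get("port")
    if not isinstance(port, int) or not 1 <= port <= 65535:
        warnings.append(f"port {port!r} is out of range")
    if not settings.get("tls_enabled"):
        warnings.append("tls_enabled is false: events leave the host in cleartext")
    events = settings.get("events") or []
    if not events:
        warnings.append("events list is empty: nothing will be forwarded")
    if "login_failed" not in events:
        warnings.append("login_failed not forwarded: the SIEM will not see failed dashboard logins")
    return warnings


def apply_and_verify(settings: dict, call) -> dict:
    """PATCH settings, POST a test event, then read back /siem/status."""
    status_code, body = call("PATCH", "/api/v1/siem/settings", settings)
    if status_code != 200:
        raise RuntimeError(f"settings update failed: {status_code} {body}")
    status_code, body = call("POST", "/api/v1/siem/test", None)
    if status_code == 400:
        # Documented failure shape: {"error": ..., "message": ...}
        raise RuntimeError(f"{body.get('error')}: {body.get('message')}")
    if status_code != 200:
        raise RuntimeError(f"test event failed: {status_code}")
    test_event_id = body["event_id"]
    status_code, status = call("GET", "/api/v1/siem/status", None)
    if status_code != 200:
        raise RuntimeError(f"status read failed: {status_code}")
    return {
        "test_event_id": test_event_id,
        "connected": status["connected"],
        "queue_size": status["queue_size"],
        "last_error": status["last_error"],
        "healthy": status["connected"] and status["last_error"] is None,
    }


def canned_call(method: str, path: str, body):
    """Offline transport answering with this page's sample responses."""
    responses = {
        ("PATCH", "/api/v1/siem/settings"): (200, {"message": "SIEM settings updated"}),
        ("POST", "/api/v1/siem/test"): (200, {"message": "Test event sent successfully",
                                              "event_id": "test-abc123"}),
        ("GET", "/api/v1/siem/status"): (200, {
            "enabled": True, "connected": True, "queue_size": 0,
            "events_sent_today": 1523, "events_failed_today": 2,
            "last_event": "2024-01-15T10:30:00Z", "last_error": None,
            "uptime_percent": 99.9}),
    }
    return responses[(method, path)]


def requests_call(base_url: str, token: str):
    """Live transport built on `requests` (third-party; import kept local)."""
    import requests  # pip install requests

    def call(method, path, body):
        r = requests.request(method, base_url + path, json=body,
                             headers={"Authorization": f"Bearer {token}"},  # header name assumed
                             timeout=10)
        try:
            payload = r.json()
        except ValueError:
            payload = {"raw": r.text}
        return r.status_code, payload
    return call


if __name__ == "__main__":
    for w in preflight_warnings(DESIRED_SETTINGS):
        print("warning:", w)
    print(json.dumps(apply_and_verify(DESIRED_SETTINGS, canned_call), indent=2))
```

To run it against a real instance, swap `canned_call` for `requests_call("https://guard.example.com", token)`; the `healthy` flag combines `connected` with an empty `last_error`, which is the pair worth alerting on after a configuration change.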
Get Event Queue
Get events currently in the queue.
GET /api/v1/siem/queue
Query Parameters
| Parameter | Type | Description |
|---|---|---|
| limit | integer | Maximum number of events to return (default: 100) |
Response
Success (200):
{
"queue_size": 5,
"events": [
{
"id": "evt-abc123",
"type": "ban",
"created_at": "2024-01-15T10:30:00Z",
"retry_count": 0
}
]
}
Flush Event Queue
Immediately send all queued events.
POST /api/v1/siem/flush
Response
Success (200):
{
"message": "Queue flushed",
"events_sent": 5,
"events_failed": 0
}
Clear Event Queue
Discard all queued events without sending them.
DELETE /api/v1/siem/queue
Response
Success (200):
{
"message": "Queue cleared",
"events_discarded": 5
}
Get Event Statistics
Get SIEM event statistics.
GET /api/v1/siem/stats
Query Parameters
| Parameter | Type | Description |
|---|---|---|
| period | string | Aggregation period: day, week, or month |
Response
Success (200):
{
"period": "day",
"total_events": 5420,
"by_type": {
"ban": 3500,
"unban": 1200,
"server_offline": 50,
"login_success": 500,
"login_failed": 170
},
"by_hour": [
{ "hour": 0, "count": 180 },
{ "hour": 1, "count": 165 }
],
"delivery_stats": {
"sent": 5400,
"failed": 20,
"retried": 15,
"success_rate": 99.6
}
}
Get Event Types
Get available event types for filtering.
GET /api/v1/siem/event-types
Response
Success (200):
{
"event_types": [
{
"id": "ban",
"name": "IP Banned",
"description": "Triggered when an IP is banned",
"default_severity": 5
},
{
"id": "unban",
"name": "IP Unbanned",
"description": "Triggered when an IP is unbanned",
"default_severity": 2
},
{
"id": "server_offline",
"name": "Server Offline",
"description": "Triggered when a server goes offline",
"default_severity": 8
},
{
"id": "login_success",
"name": "Login Success",
"description": "Successful dashboard login",
"default_severity": 1
},
{
"id": "login_failed",
"name": "Login Failed",
"description": "Failed dashboard login attempt",
"default_severity": 6
},
{
"id": "whitelist_add",
"name": "Whitelist Add",
"description": "IP added to whitelist",
"default_severity": 3
},
{
"id": "whitelist_remove",
"name": "Whitelist Remove",
"description": "IP removed from whitelist",
"default_severity": 3
},
{
"id": "settings_change",
"name": "Settings Change",
"description": "System settings modified",
"default_severity": 4
}
]
}
Replay Events
Replay historical events to the SIEM.
POST /api/v1/siem/replay
Request Body
{
"from": "2024-01-14T00:00:00Z",
"to": "2024-01-15T00:00:00Z",
"event_types": ["ban", "unban"]
}
Response
Success (200):
{
"message": "Replay started",
"events_to_replay": 1523,
"job_id": "replay-abc123"
}
Get Replay Status
Check the status of a replay job.
GET /api/v1/siem/replay/{jobId}
Response
Success (200):
{
"job_id": "replay-abc123",
"status": "running",
"total_events": 1523,
"events_sent": 800,
"events_failed": 2,
"progress_percent": 52.5,
"started_at": "2024-01-15T10:30:00Z"
}
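The status, queue and replay endpoints together support the operational question a defender actually asks: has forwarding silently stalled, and if so, which window needs replaying? Below is an added example of that logic, not the product's own tooling. The status, queue and replay documents are copied from this page's sample responses; the silence threshold, the retry ceiling, the failure-rate threshold and the `now` timestamps are assumptions made here.

```python
"""Detect a forwarding gap from /siem/status and /siem/queue, build the
/siem/replay request that backfills it, and estimate replay progress.

Added example, not the product's own tooling. The three documents below are
this page's sample responses; the thresholds and "now" values are assumed.
"""
from datetime import datetime, timedelta, timezone

MAX_SILENCE = timedelta(hours=1)   # assumed: longer without a delivered event is suspicious
MAX_RETRIES = 5                    # assumed: a queued event retried more often is stuck
MAX_FAIL_RATIO = 0.01              # assumed: more than 1% failed deliveries is a finding

# Sample responses copied from this page.
STATUS = {"enabled": True, "connected": True, "queue_size": 0,
          "events_sent_today": 1523, "events_failed_today": 2,
          "last_event": "2024-01-15T10:30:00Z", "last_error": None,
          "uptime_percent": 99.9}
QUEUE = {"queue_size": 5, "events": [
    {"id": "evt-abc123", "type": "ban",
     "created_at": "2024-01-15T10:30:00Z", "retry_count": 0}]}
REPLAY = {"job_id": "replay-abc123", "status": "running", "total_events": 1523,
          "events_sent": 800, "events_failed": 2, "progress_percent": 52.5,
          "started_at": "2024-01-15T10:30:00Z"}


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def fmt_ts(value: datetime) -> str:
    return value.strftime("%Y-%m-%dT%H:%M:%SZ")


def assess(status: dict, queue: dict, now: datetime) -> list:
    """Findings a monitoring check would raise about the forwarding path."""
    findings = []
    if not status["enabled"]:
        findings.append("forwarding disabled: no audit events reach the SIEM")
    if not status["connected"]:
        findings.append("not connected to the SIEM")
    if status["last_error"]:
        findings.append(f"last error: {status['last_error']}")
    if status["last_event"] and now - parse_ts(status["last_event"]) > MAX_SILENCE:
        findings.append(f"no event delivered since {status['last_event']}")
    failed, sent = status["events_failed_today"], status["events_sent_today"]
    if failed and failed / max(sent + failed, 1) > MAX_FAIL_RATIO:
        findings.append(f"{failed} failed deliveries today")
    stuck = [e["id"] for e in queue.get("events", []) if e["retry_count"] >= MAX_RETRIES]
    if stuck:
        findings.append(f"{len(stuck)} queued events exceeded {MAX_RETRIES} retries")
    return findings


def replay_body_for_gap(status: dict, now: datetime, event_types: list) -> dict:
    """Body for POST /api/v1/siem/replay covering the window since last_event.

    Starting at last_event re-sends that boundary event; a SIEM that dedupes
    on the event id absorbs it, others will show one duplicate record."""
    if status["last_event"]:
        start = parse_ts(status["last_event"])
    else:
        start = now - timedelta(days=1)  # assumed fallback when nothing was ever sent
    return {"from": fmt_ts(start), "to": fmt_ts(now), "event_types": event_types}


def replay_remaining(replay_status: dict, now: datetime) -> dict:
    """Remaining work and a rate-based ETA from GET /api/v1/siem/replay/{jobId}."""
    done = replay_status["events_sent"] + replay_status["events_failed"]
    remaining = replay_status["total_events"] - done
    elapsed = (now - parse_ts(replay_status["started_at"])).total_seconds()
    rate = done / elapsed if elapsed > 0 else 0.0
    eta = remaining / rate if rate > 0 else None
    return {"remaining": remaining, "rate_per_s": rate,
            "eta_seconds": eta, "done": remaining == 0}


if __name__ == "__main__":
    now = parse_ts("2024-01-15T12:00:00Z")  # constructed
    for finding in assess(STATUS, QUEUE, now):
        print("finding:", finding)
    print("replay request:", replay_body_for_gap(STATUS, now, ["ban", "unban"]))
    print("replay progress:", replay_remaining(REPLAY, parse_ts("2024-01-15T10:40:00Z")))
```

With the page's sample status and a constructed `now` of 12:00Z, the only finding is the 90-minute silence since `last_event`, and the replay request that results is exactly the window `10:30Z` to `12:00Z`. Flushing the queue first (`POST /api/v1/siem/flush`) and replaying afterwards avoids interleaving live retries with historical events; clearing the queue instead would drop those events permanently.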