

Description:

SIEM (Security Information and Event Management) is used to detect threats in the network in real time and to take appropriate countermeasures. To do so, the SIEM system collects logs from network components and evaluates them.

This article describes how SIEM can be used with LANCOM R&S®Unified Firewalls in the LMC.

Requirements:

  • Your LANCOM Unified Firewall must be managed by the LMC
    • The Unified Firewall must be assigned to a site
    • The Unified Firewall must be in Gateway mode
  • Access to the LMC to update the Unified Firewall and to roll out the configuration
  • LCOS FX as of version 10.13 Rel (download the current version)
  • An already configured and working SIEM system

Procedure:

1) Activate SIEM support in the LMC:

SIEM support is activated in your LMC project by LANCOM Systems at your request.

Send an activation request for SIEM support to LANCOM Support and enclose your Project ID.

You can find the Project ID in the LMC menu Management → Properties.



2) Provide IDPS messages of the Unified Firewall for the SIEM system:

2.1) After SIEM support has been activated, the Unified Firewall changes to the state Nicht aktuell (not up to date). Roll out the configuration to the Unified Firewall so that the IDPS alerts are provided.

As of December 2024, only IDPS alerts are provided. Support for additional logs will be added in future LMC and LCOS FX versions.

2.2) Connect to the Unified Firewall via the WEBconfig tunnel in the LMC and check in the menu Monitoring & Statistics → Settings whether the additional column LMC has been rolled out and whether the option is activated for IDPS Alert.



3) Generate a SIEM API Secret in the LMC:

3.1) In the LMC go to the menu Project services → External services → SIEM and click on Create Secret Key.

3.2) Copy the Secret Key and save it in a secure location. Enter the Secret Key in your SIEM system afterwards.



4) Example commands in the SIEM API:

You can find the SIEM API documentation under the following link:

https://cloud.lancom.de/cloud-service-siem/api-docs/


In order to be able to use the SIEM API, you need the UUID of your LMC project as well as the API Secret Key (see step 3).

When you are logged in to your LMC project, you can find the UUID in the address bar of the browser after project/.


DeviceLogs:

With the endpoint DeviceLogs you can read out the device logs for the specified account.

The command must be entered in the following format (the last line must not end with a backslash):
curl --request GET \
  --url https://cloud.lancom.de/cloud-service-siem/accounts/<UUID of your LMC project>/logs \
  --header 'Authorization: LMC-API-KEY <API Secret Key from step 3>'


Example query (without valid account data or Secret Key):
curl --request GET \
  --url https://cloud.lancom.de/cloud-service-siem/accounts/ea96d5d0-01f6-498a-b9ec-629be24eae9e/logs \
  --header 'Authorization: LMC-API-KEY eyJraWQiOiIxIiwidHlwIjoiTE1DLUFQSS1LRVkiLCJhbGciOiJIUzI1NiJ9.3zezFHKzCYJlCgh-3V1KN0yEe8lTUQEE75DXc-Vv2Dc._93wf35NVk8Q6yt7omWzyohTgW58424tQzRFIPgr111'
Successful result message:
{
  "startOffset": 10,
  "endOffset": 109,
  "nextOffset": 110,
  "count": 100,
  "deviceLogs": [
    {
      "deviceId": "ea96d5d0-01f6-498a-b9ec-629be24eae9e",
      "accountId": "ea96d5d0-01f6-498a-b9ec-629be24eae9e",
      "siteId": "ea96d5d0-01f6-498a-b9ec-629be24eae9e",
      "messageId": "8bb136e3-0c4e-459e-8cd7-85b8209e2e3b",
      "createdAt": "2022-12-21T13:17:40.78731Z",
      "receivedAt": "2022-12-21T13:17:40.78731Z",
      "rawMessage": "IDPS: Malicious message detected [Classification: ] [Severity: 3] [Signature Id: 5000000] [Action: allowed] [Source: 10.10.10.20:0] [Destination: 8.8.76.5:0]",
      "severity": "3",
      "additionalProperties": {
        "category": "IDPS",
        "idps_event_type": "alert",
        "signature": "5000000",
        "idps_category": "",
        "source_ip": "10.10.10.20",
        "source_port": "0",
        "destination_ip": "8.8.76.5",
        "destination_port": "0",
        "action": "allowed"
      }
    }
  ],
  "_links": {
    "self": "https://cloud.lancom.de/cloud-service-siem/accounts/ea96d5d0-01f6-498a-b9ec-629be24eae9e/logs?offset=1&limit=100",
    "next": "https://cloud.lancom.de/cloud-service-siem/accounts/ea96d5d0-01f6-498a-b9ec-629be24eae9e/logs?offset=101&limit=100"
  }
}


Offsets:

With the endpoint Offsets you can read out, for the specified account, the offset of the first available log entry (startMinOffset), the offset of the next unread log entry (nextUnreadOffset) and the maximum offset (endMaxOffset).

The command must be entered in the following format (the last line must not end with a backslash):
curl --request GET \
  --url https://cloud.lancom.de/cloud-service-siem/accounts/<UUID of your LMC project>/offsets \
  --header 'Authorization: LMC-API-KEY <API Secret Key from step 3>'


Example query (without valid account data or Secret Key):
curl --request GET \
  --url https://cloud.lancom.de/cloud-service-siem/accounts/30995a43-3705-439a-9c2c-da1331bb5106/offsets \
  --header 'Authorization: LMC-API-KEY eyJraWQiOiIxIiwidHlwIjoiTE1DLUFQSS1LRVkiLCJhbGciOiJIUzI1NiJ9.3zezFHKzCYJlCgh-3V1KN0yEe8lTUQEE75DXc-Vv2Dc._93wf35NVk8Q6yt7omWzyohTgW58424tQzRFIP11111'
Successful result message:
{
  "startMinOffset": 0,
  "nextUnreadOffset": 99,
  "endMaxOffset": 100
}
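The DeviceLogs and Offsets endpoints above, combined into a small poller as an added example (not part of this article and not LANCOM's own tooling): it reads nextUnreadOffset and endMaxOffset from /offsets, pages through /logs with the documented Authorization header, and flattens each deviceLogs entry into a compact event for the SIEM pipeline. The stop rule (nextOffset past endMaxOffset, or an empty page), the placeholder project UUID and Secret Key, and the demo_get sample replies are assumptions.

```python
import json
import urllib.request

BASE = "https://cloud.lancom.de/cloud-service-siem/accounts"

def build_request(account_uuid, api_key, endpoint, offset=None, limit=100):
    """GET request for /offsets or /logs, authenticated like the curl examples."""
    url = f"{BASE}/{account_uuid}/{endpoint}"
    if endpoint == "logs" and offset is not None:
        url += f"?offset={offset}&limit={limit}"
    return urllib.request.Request(url, headers={"Authorization": f"LMC-API-KEY {api_key}"})

def fetch_json(req):  # live call: needs network access and a valid Secret Key
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)

def normalise(entry):
    """Flatten one deviceLogs entry into a compact event for the SIEM pipeline."""
    p = entry.get("additionalProperties", {})
    return {"time": entry["receivedAt"], "device": entry["deviceId"],
            "category": p.get("category"), "signature": p.get("signature"),
            "severity": int(entry.get("severity", "0")), "action": p.get("action"),
            "src": f"{p.get('source_ip')}:{p.get('source_port')}",
            "dst": f"{p.get('destination_ip')}:{p.get('destination_port')}"}

def consume_page(page, end_max_offset):
    """Normalise one /logs page; return (events, next_offset, finished)."""
    nxt = page["nextOffset"]  # assumed stop rule: nextOffset past endMaxOffset, or empty page
    return [normalise(e) for e in page.get("deviceLogs", [])], nxt, page["count"] == 0 or nxt > end_max_offset

def poll_unread(account_uuid, api_key, get=fetch_json):
    """Start at nextUnreadOffset (from /offsets) and page through /logs."""
    offs = get(build_request(account_uuid, api_key, "offsets"))
    offset, events = offs["nextUnreadOffset"], []
    while True:
        page = get(build_request(account_uuid, api_key, "logs", offset))
        new, offset, done = consume_page(page, offs["endMaxOffset"])
        events.extend(new)
        if done:
            return events, offset

# Constructed sample replies (shape from the documented examples) for an offline run via demo_get.
SAMPLE_OFFSETS = {"startMinOffset": 0, "nextUnreadOffset": 99, "endMaxOffset": 100}
SAMPLE_PAGE = {"startOffset": 99, "endOffset": 99, "nextOffset": 100, "count": 1, "deviceLogs": [{
    "deviceId": "dev-1", "receivedAt": "2022-12-21T13:17:40Z", "severity": "3", "additionalProperties": {
    "category": "IDPS", "signature": "5000000", "action": "allowed", "source_ip": "10.10.10.20",
    "source_port": "0", "destination_ip": "8.8.76.5", "destination_port": "0"}}]}
EMPTY_PAGE = {"startOffset": 100, "endOffset": 100, "nextOffset": 100, "count": 0, "deviceLogs": []}
def demo_get(req):  # offline stand-in for fetch_json
    return SAMPLE_OFFSETS if req.full_url.endswith("/offsets") else SAMPLE_PAGE if "offset=99" in req.full_url else EMPTY_PAGE
```

Call poll_unread(uuid, key, get=demo_get) for the offline walk-through; with the default fetch_json it performs the real, authenticated calls against the SIEM API.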