Collect on-premises logs for the Trend Micro Deep Security App

On-premises — This page provides instructions for configuring log collection for the Trend Micro Deep Security App, as well as examples of relevant log and query samples.

Configure Collector and Sources

To collect logs for Deep Security, do the following:

  1. Configure an Installed Collector.
  2. Configure a Syslog Source.

Configure Deep Security System Event Log Forwarding

To forward Deep Security system events to Sumo Logic, do the following:
  1. In Deep Security, go to Administration > System Settings > SIEM.
  2. Configure SIEM:

    1. Forward System Events to a remote computer (via Syslog). Activate this check box.

    2. Hostname or IP address to which events should be sent. This is the hostname or IP address of the Sumo Logic Installed Collector.

    3. UDP port to which events should be sent. Enter 514.

    4. Syslog Facility. Select Local 0.

    5. Syslog Format. Select Common Event Format.

  3. Save your changes.

Configure the Policy

Now you must add the Syslog Source to your Policy configuration. Set the integration details at the Top (root/base) policy as follows:

  1. Go to Settings > SIEM.
  2. For Anti-Malware Event Forwarding, select Forward Events To: and Relay via the Manager.

    1. Hostname or IP address to which events should be sent. This is the hostname or IP address of the Sumo Logic Installed Collector.

    2. UDP port to which events should be sent. Enter 514.

    3. Syslog Facility. Select Local 1.

    4. Syslog Format. Select Common Event Format.

  3. For Web Reputation Event Forwarding, select Forward Events To: and Relay via the Manager.

    1. Hostname or IP address to which events should be sent. This is the hostname or IP address of the Sumo Logic Installed Collector.

    2. UDP port to which events should be sent. Enter 514.

    3. Syslog Facility. Select Local 1.

    4. Syslog Format. Select Common Event Format.

  4. Click Save.

Sample Log Message

<142>Oct  2 16:41:16 CEF:0|Trend Micro|Deep Security Agent|9.6.3177|21|Unsolicited UDP|5|cn1=34 cn1Label=Host ID dvchost=workstation_tsiley TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 act=Deny dmac=B0:B9:B9:F8:E7:8F smac=39:D2:AE:D6:1F:05 TrendMicroDsFrameType=IP src=130.202.140.130 dst=10.0.102.94 in=291 cs3= cs3Label=Fragmentation Bits proto=UDP spt=445 dpt=42 cnt=1

Query Sample

Top 5 Reasons For Prevented Packets

_sourceCategory=Trendmicro dst
| parse "CEF:0|*|*|*|*|*|*|*" as Device_Vendor,Device_Product,Device_Version,Signature_ID, Name, Severity, Extension
| where (signature_id >= 100 AND signature_id <= 199) OR signature_id = 20 OR signature_id = 21
| count Name
| top 5 Name by _count
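The following Python script is an added example, not code from Sumo Logic or Trend Micro. It walks the pipeline above offline: it decodes the syslog PRI (so you can confirm that system events arrive on Local 0 and policy events on Local 1, as configured), splits the CEF header into the same seven fields the `parse` operator extracts, turns the extension into key/value pairs (including the empty `cs3=` and the `cnXLabel`/`csXLabel` pairs), and then reproduces the "Top 5 Reasons For Prevented Packets" filter and count. The sample lines are constructed: the first is the sample log message from this page, the rest are invented variants using RFC 5737 documentation addresses, and the signature names and IDs in the invented lines are placeholders, not a list of real Deep Security rules.

```python
"""Offline walk-through of Deep Security CEF-over-syslog parsing and the page's query."""
import re
from collections import Counter

# Constructed sample lines. The first is the sample log message from this page;
# the others are invented variants (RFC 5737 addresses, placeholder rule names).
SAMPLE_LOGS = [
    "<142>Oct  2 16:41:16 CEF:0|Trend Micro|Deep Security Agent|9.6.3177|21|Unsolicited UDP|5|"
    "cn1=34 cn1Label=Host ID dvchost=workstation_tsiley TrendMicroDsTenant=Primary "
    "TrendMicroDsTenantId=0 act=Deny dmac=B0:B9:B9:F8:E7:8F smac=39:D2:AE:D6:1F:05 "
    "TrendMicroDsFrameType=IP src=130.202.140.130 dst=10.0.102.94 in=291 cs3= "
    "cs3Label=Fragmentation Bits proto=UDP spt=445 dpt=42 cnt=1",
    "<142>Oct  2 16:42:01 CEF:0|Trend Micro|Deep Security Agent|9.6.3177|21|Unsolicited UDP|5|"
    "cn1=35 cn1Label=Host ID dvchost=workstation_b act=Deny src=198.51.100.7 dst=192.0.2.10 "
    "proto=UDP spt=53 dpt=1900 cnt=3",
    "<142>Oct  2 16:42:30 CEF:0|Trend Micro|Deep Security Agent|9.6.3177|20|Out Of Allowed Policy|5|"
    "cn1=35 cn1Label=Host ID dvchost=workstation_b act=Deny src=198.51.100.7 dst=192.0.2.10 "
    "proto=TCP spt=40000 dpt=23 cnt=1",
    "<142>Oct  2 16:43:02 CEF:0|Trend Micro|Deep Security Agent|9.6.3177|101|Invalid IP Datagram Length|6|"
    "cn1=36 cn1Label=Host ID dvchost=workstation_c act=Deny src=203.0.113.9 dst=192.0.2.11 "
    "proto=TCP spt=1 dpt=80 cnt=1",
    # Signature 1000 lies outside the ranges the query filters on (constructed).
    "<142>Oct  2 16:43:40 CEF:0|Trend Micro|Deep Security Agent|9.6.3177|1000|Constructed DPI Rule|6|"
    "cn1=36 cn1Label=Host ID dvchost=workstation_c act=Deny src=203.0.113.9 dst=192.0.2.11 "
    "proto=TCP spt=2 dpt=443 cnt=1",
    # System event on facility Local 0 (<134> = 16*8 + 6) with no dst field (constructed).
    "<134>Oct  2 16:44:00 CEF:0|Trend Micro|Deep Security Manager|9.6.3177|600|Constructed System Event|3|"
    "dvchost=dsm TrendMicroDsTenant=Primary msg=User logged in",
]

PRI_RE = re.compile(r"^<(\d{1,3})>")
# Field names mirror the page's parse statement: CEF:0|vendor|product|version|sig id|name|severity|ext
HEADER_FIELDS = ["device_vendor", "device_product", "device_version", "signature_id", "name", "severity"]
# Extension values may contain spaces ("Host ID"); a value ends where the next " key=" begins.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_pri(line):
    """Decode the syslog PRI: PRI = facility * 8 + severity (RFC 5424 section 6.2.1)."""
    m = PRI_RE.match(line)
    if not m:
        return None, None
    facility, severity = divmod(int(m.group(1)), 8)
    name = f"local{facility - 16}" if 16 <= facility <= 23 else f"facility{facility}"
    return name, severity


def parse_cef(line):
    """Split a CEF:0 record into header fields, extension pairs and resolved custom labels."""
    start = line.find("CEF:")
    if start < 0:
        return None
    # Header pipes may be escaped as \| ; split at most 7 times so pipes in the extension survive.
    parts = re.split(r"(?<!\\)\|", line[start:], maxsplit=7)
    if len(parts) != 8 or parts[0] != "CEF:0":
        return None
    event = dict(zip(HEADER_FIELDS, parts[1:7]))
    ext = dict(EXT_RE.findall(parts[7]))
    # cn1Label=Host ID names the cn1 field, so expose {"Host ID": "34"}; an empty cs3= stays "".
    event["labels"] = {label: ext.get(key[:-5], "") for key, label in ext.items() if key.endswith("Label")}
    event["ext"] = ext
    event["facility"], event["syslog_severity"] = parse_pri(line)
    return event


def top_prevented_reasons(lines, n=5):
    """Offline equivalent of the page's 'Top 5 Reasons For Prevented Packets' query."""
    counts = Counter()
    for line in lines:
        if not re.search(r"\bdst\b", line):  # the query's keyword term: dst
            continue
        event = parse_cef(line)
        if event is None or not event["signature_id"].isdigit():
            continue
        sid = int(event["signature_id"])
        if 100 <= sid <= 199 or sid in (20, 21):
            counts[event["name"]] += 1
    return counts.most_common(n)


def facility_summary(lines):
    """Count events per syslog facility; a sanity check that Local 0 / Local 1 are wired as configured."""
    return Counter(parse_pri(line)[0] for line in lines)


if __name__ == "__main__":
    for name, count in top_prevented_reasons(SAMPLE_LOGS):
        print(f"{count:3d}  {name}")
    print(dict(facility_summary(SAMPLE_LOGS)))
```

Run it as-is to see the two "Unsolicited UDP" hits ranked first and the facility split (five events on local1, one on local0). If a collector shows policy events arriving on the facility you configured for system events, the SIEM settings in the policy were not saved at the top-level policy; `facility_summary` makes that mismatch visible without opening the Sumo Logic search UI.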