Sumo Logic

Collect cloud-based logs for the Trend Micro Deep Security App

Cloud-based — This page has instructions for collecting logs for the Trend Micro Deep Security App using a Sumo Logic Cloud Syslog source on a hosted collector.

Step 1:  Create a Cloud Syslog source on a hosted collector

  1. Select an existing hosted collector, or create a new one.
  2. Add a Cloud Syslog source to the hosted collector.
    [Screenshot: cloud-syslog-source.png]
    1. Give the source a name
    2. Enter a Source Category.
    3. Deselect the Enable Timestamp Parsing.
    4. Click Save.
  3. The Cloud Syslog Source Token page is displayed, showing a Token, Host, and Port. You'll supply these values as input to the Log Source Identifier, Server Name, and Server Port within Deep Security.


[Screenshot: cloud-syslog-source-token.png]

Step 2: Configure Sumo as a syslog server in Trend Micro Deep Security

  1. In the Deep Security Manager console, select Policies > Common Objects.
  2. Expand the Other node in the left pane.
  3. Select Syslog Configurations.
  4. Select the New button to create a new configuration.
    [Screenshot: trend-micro-syslog-config.png]
    1. Log Source Identifier. Enter a three-word label, for example “Deep Security Manager” or “My Log Source”, followed by the value that was shown in the Token field on the Cloud Syslog Source Token page (when you configured the Cloud Syslog Source above), surrounded by square brackets like this:
      Deep Security Manager [token from Cloud Syslog source]
    2. Server Name. Enter the value that was shown in the Host field on the Cloud Syslog Source Token page when you configured the Cloud Syslog Source above.
    3. Server Port. Enter the value that was shown in the Port field on the Cloud Syslog Source Token page when you configured the Cloud Syslog Source above.
    4. Transport. Leave "TLS" selected.
    5. Click OK.

Step 3: Forward system and security events to Sumo Logic

  1. In the Deep Security Manager console, select Policies.
  2. Double-click the policy you want to use for forwarding events.
  3. Go to Settings > Event Forwarding.
  4. Under Event Forwarding Frequency (from the Agent/Appliance), specify how often events are to be sent to Sumo Logic.
  5. Under Event Forwarding Configuration (from the Agent/Appliance), specify the syslog configuration to use for each protection module, choosing from the following options:
     • Inherited (configuration name): The behavior is inherited from a parent policy or computer.
     • None: Events are not forwarded.
     • Syslog (configuration name): Events are forwarded to the specified syslog configuration. To see details about the configuration or edit it, click Edit. The configuration must have Agents should forward logs set to "Via the Deep Security Manager".
     • New: Enables you to define a new configuration (for details, see Define a syslog configuration). The configuration must have Agents should forward logs set to "Via the Deep Security Manager".
  6. Click Save.

Verify configuration

Send System Events to confirm communication with Sumo Logic. There may be a 5-10 minute delay.
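As an added example (not Sumo Logic's or Trend Micro's own code), the script below checks the two things that most often go wrong in Step 2 and the verification step: it validates that a Log Source Identifier follows the "three-word label [token]" convention described above, and it performs a TLS handshake with certificate and hostname verification against the Cloud Syslog host and port, so a network or certificate failure can be told apart from the normal 5-10 minute ingestion delay. The host, port and token values are placeholders, and the regex and the three-word check are this example's assumptions derived from the wording of this page.

```python
import re
import socket
import ssl
from typing import Tuple

# Convention from Step 2: a label, then the source token in square brackets.
IDENTIFIER_RE = re.compile(r"^(?P<label>\S+(?: \S+)*) \[(?P<token>[^\[\]\s]+)\]$")


def parse_log_source_identifier(identifier: str) -> Tuple[str, str]:
    """Return (label, token) from a Deep Security Log Source Identifier such as
    'Deep Security Manager [token]'. Raise ValueError on a malformed value so a
    typo is caught before events silently fail to reach the Cloud Syslog source."""
    match = IDENTIFIER_RE.match(identifier.strip())
    if not match:
        raise ValueError(f"identifier must look like 'Label words [token]': {identifier!r}")
    label, token = match.group("label"), match.group("token")
    if len(label.split()) != 3:  # the page asks for a three-word label
        raise ValueError(f"label should be three words, got {label!r}")
    return label, token


def check_tls_endpoint(host: str, port: int, timeout: float = 5.0) -> dict:
    """Open a TLS connection to the Cloud Syslog host:port with chain and
    hostname verification (the 'TLS' transport Deep Security should keep) and
    report what was negotiated. A failure here is a network or certificate
    problem, not the ingestion delay mentioned under 'Verify configuration'."""
    context = ssl.create_default_context()  # verifies certificate chain and hostname
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with context.wrap_socket(raw, server_hostname=host) as tls:
            cert = tls.getpeercert()
            return {
                "tls_version": tls.version(),
                "cipher": tls.cipher()[0],
                "subject": dict(pair[0] for pair in cert.get("subject", ())),
            }


if __name__ == "__main__":
    # Placeholder values: substitute the Host, Port and Token shown on your
    # Cloud Syslog Source Token page (the token below is constructed).
    host, port = "cloud-syslog.example.invalid", 6514
    label, token = parse_log_source_identifier("Deep Security Manager [CONSTRUCTED_TOKEN]")
    print(f"label={label!r} token={token!r}")
    print(check_tls_endpoint(host, port))
```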