Sumo Logic

Collect Logs for Trend Micro Deep Security

Detailed steps to collect logs for Trend Micro Deep Security.

Configure Collector and Sources

To collect logs for Deep Security, you will need:

  1. One Installed Collector.
  2. One Syslog Source.

Configure Deep Security System Event Log Forwarding

For complete details on configuring your Deep Security system for use with Sumo Logic, see the White Paper, “Deep Security Integration with Sumo Logic”.

To forward Deep Security system events to Sumo Logic:

  1. In Deep Security, go to Administration > System Settings > SIEM.
  2. Configure SIEM:

    1. Forward System Events to a remote computer (via Syslog). Activate this check box.

    2. Hostname or IP address to which events should be sent. This is the hostname or IP address of the Sumo Logic Installed Collector.

    3. UDP port to which events should be sent. Enter 514.

    4. Syslog Facility. Select Local 0.

    5. Syslog Format. Select Common Event Format.

  3. Save your changes.

Configure the Policy

Now you must add the Syslog Source to your Policy configuration. Set the integration details at the Top (root/base) policy as follows:

  1. Go to Settings > SIEM.
  2. For Anti-Malware Event Forwarding, select Forward Events To: and Relay via the Manager.

    1. Hostname or IP address to which events should be sent. This is the hostname or IP address of the Sumo Logic Installed Collector.

    2. UDP port to which events should be sent. Enter 514.

    3. Syslog Facility. Select Local 1.

    4. Syslog Format. Select Common Event Format.

  3. For Web Reputation Event Forwarding, select Forward Events To: and Relay via the Manager.

    1. Hostname or IP address to which events should be sent. This is the hostname or IP address of the Sumo Logic Installed Collector.

    2. UDP port to which events should be sent. Enter 514.

    3. Syslog Facility. Select Local 1.

    4. Syslog Format. Select Common Event Format.

  4. Click Save.

Sample Log Message

<142>Oct  2 16:41:16 CEF:0|Trend Micro|Deep Security Agent|9.6.3177|21|Unsolicited UDP|5|cn1=34 cn1Label=Host ID dvchost=workstation_tsiley TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 act=Deny dmac=B0:B9:B9:F8:E7:8F smac=39:D2:AE:D6:1F:05 TrendMicroDsFrameType=IP src=130.202.140.130 dst=10.0.102.94 in=291 cs3= cs3Label=Fragmentation Bits proto=UDP spt=445 dpt=42 cnt=1

Query Sample

Top 5 Reasons For Prevented Packets

_sourceCategory=Trendmicro dst
| parse "CEF:0|*|*|*|*|*|*|*" as Device_Vendor,Device_Product,Device_Version,Signature_ID, Name, Severity, Extension
| where (signature_id >= 100 AND signature_id <= 199) OR signature_id = 20 OR signature_id = 21
| count Name
| top 5 Name by _count
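To check offline how the sample log message above splits into the fields the query parses, and to reproduce the query's prevented-packet filter over a handful of lines, here is an added Python example; it is not Sumo Logic's or Trend Micro's code. The first sample event is the page's own line; the others are constructed, and their signature IDs and rule names are not taken from Deep Security's rule catalogue.

```python
import re
from collections import Counter

# Constructed sample events modelled on the page's CEF line: the first is the
# page's own example; the others use made-up signature IDs and rule names.
SAMPLE_LOGS = [
    "<142>Oct  2 16:41:16 CEF:0|Trend Micro|Deep Security Agent|9.6.3177|21|Unsolicited UDP|5|"
    "cn1=34 cn1Label=Host ID dvchost=workstation_tsiley TrendMicroDsTenant=Primary "
    "TrendMicroDsTenantId=0 act=Deny dmac=B0:B9:B9:F8:E7:8F smac=39:D2:AE:D6:1F:05 "
    "TrendMicroDsFrameType=IP src=130.202.140.130 dst=10.0.102.94 in=291 cs3= "
    "cs3Label=Fragmentation Bits proto=UDP spt=445 dpt=42 cnt=1",
    "<142>Oct  2 16:42:01 CEF:0|Trend Micro|Deep Security Agent|9.6.3177|21|Unsolicited UDP|5|act=Deny src=198.51.100.7 dst=10.0.102.94 proto=UDP dpt=1900 cnt=1",
    "<142>Oct  2 16:43:10 CEF:0|Trend Micro|Deep Security Agent|9.6.3177|100|Constructed Rule 100|5|act=Deny src=203.0.113.9 dst=10.0.102.94 proto=TCP dpt=22 cnt=3",
    "<142>Oct  2 16:44:30 CEF:0|Trend Micro|Deep Security Agent|9.6.3177|20|Constructed Rule 20|5|act=Deny src=203.0.113.9 dst=10.0.102.94 proto=TCP dpt=23 cnt=1",
    "<142>Oct  2 16:45:00 CEF:0|Trend Micro|Deep Security Agent|9.6.3177|300|Constructed IPS Event|3|act=Detect src=203.0.113.9 dst=10.0.102.94 proto=TCP dpt=80 cnt=1",
]
HEADER_FIELDS = ["Device_Vendor", "Device_Product", "Device_Version",
                 "Signature_ID", "Name", "Severity"]
# A CEF extension key is alphanumeric and its value runs until the next " key=",
# so labels containing spaces ("Host ID") and empty values ("cs3=") both parse.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s\w+=|$)")

def parse_cef(line):
    """Return the six CEF header fields plus an 'ext' dict, or None for non-CEF lines."""
    start = line.find("CEF:0|")
    if start < 0:
        return None
    # Split on unescaped pipes only; CEF writes a literal '|' in a header field as '\|'.
    parts = re.split(r"(?<!\\)\|", line[start:], maxsplit=7)
    if len(parts) < 7:
        return None
    event = dict(zip(HEADER_FIELDS, parts[1:7]))
    event["ext"] = dict(EXT_RE.findall(parts[7])) if len(parts) > 7 else {}
    return event

def is_prevented_packet(event):
    """The page's query predicate: signature ID in 100-199, or exactly 20 or 21."""
    if not event["Signature_ID"].isdigit():
        return False
    sid = int(event["Signature_ID"])
    return 100 <= sid <= 199 or sid in (20, 21)

def top_reasons(lines, n=5):
    """Count the Name field over prevented-packet events and return the top n."""
    counts = Counter(ev["Name"] for ev in map(parse_cef, lines)
                     if ev is not None and is_prevented_packet(ev))
    return counts.most_common(n)
```

Calling `top_reasons(SAMPLE_LOGS)` returns the same grouping the query produces: the signature-300 event is filtered out and "Unsolicited UDP" leads with two hits.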