Configuring Trend Micro

Log sources for Trend Micro can be configured using Log Source Template or Devices. Log Source Template is recommended to minimize setup requirements and eliminate normalization issues.

Using Log Source Template

You must create a log source using the log source template to receive the normalized Trend Micro logs. Go to Creating Log Source via a Template to learn more.

Figure: Selecting Trend Micro Log Source Template

Using Devices

Configuring a Repo for Trend Micro

  1. Go to Settings >> Configuration from the navigation bar and click Repos.

  2. Click Add.

  3. Enter a Repo Name. It must not contain spaces or special characters.

  4. Select a Repo Path and set a Retention Day. You can add or remove multiple Repo Paths and Retention Days.

  5. Select a Remote LogPoint.

  6. Set an Available for (day) value. To reset, click Remove.

  7. Click Submit.

Figure: Adding a Repo

Adding a Normalization Policy for Trend Micro

  1. Go to Settings >> Configuration from the navigation bar and click Normalization Policies.

  2. Click Add.

  3. Enter a Policy Name.

  4. Select the Compiled Normalizer and Normalization Packages for Trend Micro.

  5. Click Submit.

Figure: Adding a Normalization Policy

Configuring a Processing Policy for Trend Micro

  1. Go to Settings >> Configuration from the navigation bar and click Processing Policies.

  2. Click Add.

  3. Enter a Policy Name.

  4. Select the previously created Normalization Policy.

  5. Select the Enrichment Policy and Routing Policy.

  6. Click Submit.

Figure: Adding a Processing Policy

Adding Trend Micro as a device in Logpoint

  1. Go to Settings >> Configuration from the navigation bar and click Devices.

  2. Click Add.

  3. Enter a device Name.

  4. Enter the Trend Micro server IP address(es).

  5. Select the Device Groups.

  6. Select an appropriate Log Collection Policy for the logs.

  7. Select a collector or a forwarder from the Distributed Collector drop-down.

Note

It is optional to select the Device Groups, the Log Collection Policy and the Distributed Collector.

  8. Select a Time Zone. The time zone of the device must be the same as that of its log source.

  9. Configure the Risk Values for Confidentiality, Integrity and Availability used to calculate the risk levels of the alerts generated from the device.

  10. Click Submit.

Figure: Create Device Panel

Configuring the Syslog Collector for Trend Micro

  1. Go to Settings >> Configuration from the navigation bar and click Devices.

  2. Click the Add icon from Actions of the previously added device.

  3. Click Syslog Collector.

Note

You can select a different collector depending on your requirements and the added device. To learn more about the available collectors, go to Collectors. If you require assistance, contact our support team.

  4. Select Syslog Parser as Parser.

  5. Select the previously created Processing Policy.

  6. Select the Charset. The default value is utf_8.

  7. In Proxy Server, select None.

  8. Click Submit.

Figure: Configuring the Syslog Collector (Syslog Collector Panel)

Configuring the ODBC Fetcher for Trend Micro

  1. Go to Settings >> Configuration from the navigation bar and click Devices.

  2. Click the Add Collectors/Fetchers icon from Actions of the previously added device.

  3. Click ODBC Fetcher.

Figure: AVAILABLE COLLECTORS FETCHERS Panel

  4. Click ADD.

Figure: ODBC Fetcher Panel

  5. Select a Mode. The ODBC Fetcher has General and Advanced modes of configuration. The Advanced mode allows you to define the initial incremental key value, whereas in the General mode the incremental key value is fixed at 0.

In General mode, you can select the Trend Micro Office Scan v11.0 template or None. The Trend Micro Office Scan v11.0 template has predefined configurations, but some settings must still be entered manually.

For General mode with None template

  1. In Driver, enter MSSQL.

  2. Select the Port option and enter 1433.

  3. In Database, enter db_ControlManager.

  4. Enter the Username and Password.

  5. Enter the Fetch Interval.

  6. Enter the following Query to retrieve the logs:

    For TrendMicro DB v11:
    SELECT * FROM v_Virus_HostDetail
    
    For TrendMicro DB v12:
    SELECT * FROM tb_AVVirusLog
    
  7. In Incremental Key, enter the following:

Note

  • If you are using the Advanced mode, provide the initial Incremental Key Value. The default value is 0.

  • If you are using the General mode, you cannot set the value of the Incremental Key Value. The application sets the value to 0 automatically.

  8. In Incremental Key Table, enter the given key table:

    For TrendMicro DB v11:
    v_Virus_HostDetail
    
    For TrendMicro DB v12:
    tb_AVVirusLog
    

    Note

    If you are using the Advanced Mode, you do not have to provide the Incremental Key Table.

  9. Enter a New Line Separator to replace the newline characters in the ODBC data. For example, if you provide the New Line Separator as “_”, the application displays the ODBC data as “data1_data2_data3”.

  10. Select the previously created Processing Policy.

  11. Enter the Charset. The default value is utf_8.

  12. Click Test to validate the configuration.

  13. Click Submit.

Figure: Configuring in General Mode with None Template

For General mode with a template

The template has predefined values for Driver, Database, Query, Incremental Key, Incremental Key Table and New Line Separator.

  1. Select the Port option and enter 1433.

  2. Enter the Username and Password.

  3. Enter the Fetch Interval.

  4. Select the previously created Processing Policy.

  5. Click Test to validate the configuration.

  6. Click Submit.

Figure: Configuring in General Mode with a Template

Note

The configuration for Advanced mode is similar to the General mode configuration above.

Figure: Configuring in Advanced Mode
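The incremental-key behaviour described for the ODBC Fetcher, shown as an added Python simulation that is not part of the Logpoint documentation: it uses sqlite3 in place of the MSSQL driver, assumes a hypothetical log_id column as the incremental key (the page does not name the real one), and fills tb_AVVirusLog with constructed rows. It shows why the General mode's fixed initial value of 0 replays the whole table on the first fetch while an Advanced mode seed skips older rows, why later intervals emit no duplicates, and how the New Line Separator keeps a multi-line column inside one event.

```python
import sqlite3

# Assumed: the page does not name the incremental key column, so log_id is a
# hypothetical monotonically increasing column. Rows below are constructed.
TABLE = "tb_AVVirusLog"
KEY_COLUMN = "log_id"
SAMPLE_ROWS = [
    (1, "HOST-A", "Eicar_test_file", "Quarantined\nsuccessfully"),
    (2, "HOST-B", "Trojan.Generic", "Deleted"),
    (3, "HOST-C", "Worm.Generic", "Clean failed\nfile locked"),
]

def make_sample_db():
    """Build an in-memory stand-in for db_ControlManager with one table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(f"CREATE TABLE {TABLE} ({KEY_COLUMN} INTEGER PRIMARY KEY, "
                 "host TEXT, virus_name TEXT, action_result TEXT)")
    conn.executemany(f"INSERT INTO {TABLE} VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn

def fetch_incremental(conn, last_key, newline_sep="_"):
    """One fetch-interval run: rows with key > last_key, plus the new watermark.
    Newlines inside column values are replaced with newline_sep, mirroring the
    New Line Separator setting so one DB row stays one log event."""
    cur = conn.execute(
        f"SELECT * FROM {TABLE} WHERE {KEY_COLUMN} > ? ORDER BY {KEY_COLUMN}",
        (last_key,))
    rows = []
    for row in cur.fetchall():
        rows.append(tuple(v.replace("\n", newline_sep) if isinstance(v, str)
                          else v for v in row))
    new_key = rows[-1][0] if rows else last_key
    return rows, new_key

def simulate_fetch_cycles(initial_key=0):
    """General mode starts at 0 (whole table replayed on the first run);
    Advanced mode lets you seed initial_key so older rows are skipped."""
    conn = make_sample_db()
    first, key = fetch_incremental(conn, initial_key)
    # Second interval: nothing new, so no duplicate rows are emitted.
    second, key = fetch_incremental(conn, key)
    # A new detection lands before the third interval.
    conn.execute(f"INSERT INTO {TABLE} VALUES (4, 'HOST-D', 'Ransom.Generic', "
                 "'Quarantined')")
    third, key = fetch_incremental(conn, key)
    return len(first), len(second), len(third), key
```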

