Ingest logs from Trend Micro

Prerequisites

  • Logpoint version: v7.4.0 or later

  • Log source templates: Logpoint v7.4.0 or later

  • Universal REST API Fetcher: v2.1.0 (for TrendVisionOne)

  • Access requirements (Trend Vision One):

    • Access to the Trend Vision One console to create an API key

Install the integration

  1. Download the .pak file from the ServiceDesk.

  2. Go to Settings >> System Settings.

  3. Select Applications.

  4. Click Import.

  5. Browse and upload the .pak file.

  6. Verify the integration appears under Settings >> System Settings >> Plugins.

Configure log ingestion

You can configure this integration using one of the following methods:

  1. Log source template (recommended)

  2. Devices

Important: The TrendMicro compiled normalizer supports CompiledNormalizer Date Preference (CNDP). If you use the compiled normalizer, configure CNDP before you start ingesting logs.

Method 1: Configure using a log source template

Use log source templates to minimize setup requirements and reduce normalization issues.

Create a log source

  1. Go to Settings >> Log Sources.

  2. Click Browse Log Source Templates.

  3. Select one of the following templates:

    • Trend Micro (syslog collector–based)

    • TrendVisionOne (Universal REST API Fetcher–based)

Integration-specific configuration

Option A: Syslog collector–based template (Trend Micro)

Use the Syslog Collector–based Trend Micro log source template if your Trend Micro environment sends syslog to Logpoint over UDP port 514 or over TCP.

Option B: Universal REST API Fetcher–based template (TrendVisionOne)

Before you configure the template, create an API key in Trend Vision One:

  1. Log in to the Trend Vision One console.

  2. Go to Administration >> API Keys.

  3. Click Add API Key.

  4. Enter a Name.

  5. Select a Role.

  6. Select an Expiration Time.

  7. Click Add and copy the generated API key value.

Configure the TrendVisionOne template in Logpoint:

  1. Go to Settings >> Log Sources.

  2. Click Browse Log Source Templates.

  3. Search for and select TrendVisionOne.

Source

  • In Base URL, enter the Trend Vision One endpoint URL and port number in the format https://<your server>:<port>, for example https://1.1.1.1:50. Use HTTPS: the API key is sent in a request header and must not travel over plain HTTP.

Connector

  • In Custom headers, update the Authorization header: replace the {{token}} placeholder in Authorization Value with the API key you copied, and leave the rest of the value as the template provides it.

  • Do not select a product, and make sure Authorization Type is set to No Auth. The API key is supplied through the custom Authorization header, not through the connector's built-in authentication.
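The following script is an added example, not part of the Logpoint or Trend Micro documentation. It reproduces the Source and Connector steps above as a pre-flight check: it enforces the https://<your server>:<port> shape of the Base URL, performs the {{token}} substitution, and refuses settings that would either leak the key (plain HTTP) or fail silently (placeholder left in place, key pasted with stray whitespace). Two things are assumptions because the page does not show them: that the template's header value is Bearer {{token}} (Trend Vision One's public API uses bearer tokens), and the probe path, which you should replace with a path the template actually uses.

```python
"""Pre-flight check for the TrendVisionOne (Universal REST API Fetcher) settings.

Added example; not Logpoint's or Trend Micro's code. Assumptions (not shown on the
page): the template's Authorization value is "Bearer {{token}}" and PROBE_PATH is a
placeholder endpoint to replace with one your template uses.
"""
import ssl
import urllib.error
import urllib.request
from urllib.parse import urlsplit

PLACEHOLDER = "{{token}}"
TEMPLATE_AUTH_VALUE = "Bearer {{token}}"        # assumed template value
PROBE_PATH = "/v3.0/healthcheck/connectivity"   # assumption; adjust to your template


def check_base_url(base_url: str) -> str:
    """Enforce the https://<your server>:<port> shape the template expects."""
    parts = urlsplit(base_url)
    if parts.scheme != "https":
        # The API key rides in a header; over plain http it crosses the wire in clear text.
        raise ValueError(f"Base URL must use https, got scheme {parts.scheme!r}")
    if not parts.hostname:
        raise ValueError("Base URL has no host")
    if parts.path not in ("", "/") or parts.query:
        raise ValueError("Base URL is scheme://host[:port] only; the template supplies the path")
    return base_url.rstrip("/")


def render_auth_value(api_key: str, template_value: str = TEMPLATE_AUTH_VALUE) -> str:
    """Do the {{token}} substitution the Connector step asks for, and verify it happened."""
    if PLACEHOLDER not in template_value:
        raise ValueError("template header value carries no {{token}} placeholder")
    if not api_key or api_key != api_key.strip():
        raise ValueError("API key is empty or has surrounding whitespace (a common copy/paste error)")
    value = template_value.replace(PLACEHOLDER, api_key)
    if "{{" in value:
        raise ValueError("a placeholder is still present after substitution")
    return value


def build_request(base_url: str, api_key: str, path: str = PROBE_PATH):
    """Return (url, headers) for one request built from the rendered settings."""
    url = check_base_url(base_url) + path
    # Authorization Type stays "No Auth" in Logpoint: the key is carried in this custom header.
    headers = {"Authorization": render_auth_value(api_key)}
    return url, headers


def probe(base_url: str, api_key: str, timeout: float = 10.0) -> int:
    """Send one GET with the rendered settings (needs network); returns the HTTP status code."""
    url, headers = build_request(base_url, api_key)
    req = urllib.request.Request(url, headers=headers, method="GET")
    ctx = ssl.create_default_context()  # verifies the server certificate; do not disable this
    try:
        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code  # 401/403 means the URL is reachable but the key or its role is wrong


if __name__ == "__main__":
    # Constructed values for illustration; replace with your Base URL and API key.
    print(build_request("https://1.1.1.1:50", "example-api-key"))
```

Run it from the Logpoint host so that the probe exercises the same network path the fetcher will use; a 401 or 403 from probe() tells you the key or the role chosen at API key creation is the problem, not reachability.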

Routing

  1. Go to Routing and click + Create Repo.

  2. Enter a Repo name, Path, and Retention (Days).

  3. In Availability, select the remote Logpoint and retention period, then click Create Repo.

  4. In Repo, select the newly created repository for Trend Micro logs.

  5. Click + Add row to define routing criteria.

  6. Enter a Key and Value; the rule applies only to logs matching this pair.

  7. Select an Operation:

    • Store raw message – store both raw and normalized logs

    • Discard raw message – store only normalized logs

    • Discard entire event – discard both raw and normalized logs

  8. Select the Repository where the logs should be stored.


Note: Click the (—) icon under Action to delete the routing criteria you created.

Normalization

  1. Click Normalization.

  2. Either select a previously created normalization policy from the Select Normalization Policy drop-down, or select a Normalizer from the list and click the Swap icon.

Enrichment

  1. Click Enrichment.

  2. Select an enrichment policy for the incoming logs.

Click Save Configuration to save all the above configurations.

Method 2: Configure using devices

Use this method if you require advanced control over repositories, routing, or processing policies.

Configure the repository (repo)

  1. Go to Settings >> Configuration >> Repos.

  2. Click Add.

  3. Enter a repo name and repo path.

  4. Set Retention Day.

  5. (Optional) Select a Remote Logpoint and set Available for (day).

  6. Click Submit.


Note: You can add and remove multiple Repo Path and Retention Day entries.

Configure normalization and processing

Create a normalization policy

  1. Go to Settings >> Configuration >> Normalization Policies.

  2. Click Add.

  3. Enter a policy name.

  4. Select the compiled normalizer and normalization packages for Trend Micro.

  5. Click Submit.

Create a processing policy

  1. Go to Settings >> Configuration >> Processing Policies.

  2. Click Add.

  3. Enter a policy name.

  4. Select the normalization policy you created.

  5. Select enrichment policy and routing policy.

  6. Click Submit.

Add Trend Micro as a device

  1. Go to Settings >> Configuration >> Devices.

  2. Click Add.

  3. Enter a device name.

  4. Enter the Trend Micro server IP address(es).

  5. (Optional) Select Device Groups, Log Collection Policy, and Distributed Collector.

  6. Select a Time Zone that matches the log source time zone.

  7. Set Risk Values (Confidentiality, Integrity, Availability).

  8. Click Submit.


Note: It is optional to select the Device Groups, the Log Collection Policy, and the Distributed Collector.

Configure a collector or fetcher

Syslog collector


Note: You can select a different collector depending on your requirements and added device.

  1. Go to Settings >> Configuration >> Devices.

  2. Locate the Trend Micro device.

  3. Add a collector and select Syslog Collector.

  4. Select Syslog Parser as Parser.

  5. Select the processing policy you created.

  6. Set Charset (default is utf_8).

  7. Set Proxy Server to None.

  8. Click Submit.
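Before relying on the collector, it helps to confirm that syslog actually reaches it. The script below is an added example, not from the page or from Trend Micro: it builds a constructed RFC 3164-style message, sends it the two ways the page names (UDP 514, or TCP with newline framing), and includes a loopback self-test so you can verify the sender before pointing it at Logpoint. The hostname, program name and event text are placeholders, not a real Trend Micro event; the real product's payload format is not described on this page.

```python
"""Syslog path check for the Trend Micro syslog collector.

Added example; not Logpoint's or Trend Micro's code. The message content is a
constructed placeholder.
"""
import socket
import time

FACILITY_LOCAL0 = 16
SEVERITY_INFO = 6
# Constructed, fixed timestamp so the example message is reproducible.
FIXED_TS = time.struct_time((2024, 3, 5, 13, 4, 5, 1, 65, -1))


def build_syslog_message(hostname: str, program: str, text: str,
                         facility: int = FACILITY_LOCAL0, severity: int = SEVERITY_INFO,
                         ts=None) -> str:
    """<PRI>Mmm dd hh:mm:ss HOSTNAME TAG: MSG, day space-padded as RFC 3164 requires."""
    if "\n" in text:
        raise ValueError("a syslog message is one line; an embedded newline becomes a second event")
    pri = facility * 8 + severity
    if ts is None:
        ts = time.localtime()
    stamp = f"{time.strftime('%b', ts)} {ts.tm_mday:2d} {time.strftime('%H:%M:%S', ts)}"
    return f"<{pri}>{stamp} {hostname} {program}: {text}"


def send_udp(message: str, host: str, port: int = 514) -> None:
    """One datagram per message, the way the collector receives UDP 514."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.sendto(message.encode("utf-8"), (host, port))


def send_tcp(message: str, host: str, port: int = 514, timeout: float = 5.0) -> None:
    """Non-transparent framing (RFC 6587): one newline-terminated message per line."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall((message + "\n").encode("utf-8"))


def udp_roundtrip(message: str) -> str:
    """Self-test without Logpoint: receive our own datagram on a loopback listener."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as rx:
        rx.bind(("127.0.0.1", 0))  # ephemeral port, no privileges needed
        rx.settimeout(2.0)
        _, port = rx.getsockname()
        send_udp(message, "127.0.0.1", port)
        data, _ = rx.recvfrom(65535)
    return data.decode("utf-8")


def example_message() -> str:
    """Constructed placeholder event with the fixed timestamp."""
    return build_syslog_message("apexone01", "TrendMicro", "constructed test event", ts=FIXED_TS)


if __name__ == "__main__":
    msg = example_message()
    print(msg)
    print("loopback ok:", udp_roundtrip(msg) == msg)
    # Against Logpoint: send_udp(msg, "<logpoint-ip>") or send_tcp(msg, "<logpoint-ip>")
```

The sending host's IP must be one of the addresses entered on the device (the collector matches on source IP), and the timestamp has no year or time zone, which is why the device's Time Zone setting has to match the source.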

ODBC fetcher (Trend Micro DB via MSSQL)

  1. Go to Settings >> Configuration >> Devices.

  2. From the Actions menu of an existing device, add a collector/fetcher and select ODBC Fetcher.


Configure mode

  • General mode: Incremental key value is automatically set to 0.

  • Advanced mode: You define the initial incremental key value.


General mode configuration

You can select either the Trend Micro Office Scan v11.0 template (predefined values) or None.

General mode with None template

  1. In Driver, enter MSSQL.

  2. Select the Port option and enter 1433.

  3. In Database, enter db_ControlManager.

  4. Enter the Username and Password.

  5. Enter the Fetch Interval.

  6. Enter the following Query to retrieve the logs:

    • TrendMicro DB v11: SELECT * FROM v_Virus_HostDetail

    • TrendMicro DB v12: SELECT * FROM tb_AVVirusLog

  7. In Incremental Key, enter the incremental key. For the Incremental Key Value:

    • In Advanced mode, provide the initial Incremental Key Value. The default value is 0.

    • In General mode, you cannot set the Incremental Key Value; the application sets it to 0 automatically.

  8. In Incremental Key Table, enter the key table:

    • v11: v_Virus_HostDetail

    • v12: tb_AVVirusLog

  9. Enter a New Line Separator to replace the newline characters in the ODBC data. For example, if you provide the New Line Separator as “_”, the application displays the ODBC data as “data1_data2_data3”.

  10. Select the previously created Processing Policy.

  11. Enter the Charset. The default value is utf_8.

  12. Click Test to validate the configuration.

  13. Click Submit.


General mode with a template

The template has predefined values for Driver, Database, Query, Incremental Key, Incremental Key Table and New Line Separator.

  1. Select the Port option and enter 1433.

  2. Enter the Username and Password.

  3. Enter the Fetch Interval.

  4. Select the previously created Processing Policy.

  5. Click Test to validate the configuration.

  6. Click Submit.


Advanced mode

  • Configuration is similar to General mode.

  • You must provide the initial Incremental Key Value.

  • Incremental Key Table is not required.
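The Incremental Key and Incremental Key Value settings describe a high-water mark: each poll fetches only rows whose key is above the last value seen, and the starting value decides how much history the first poll pulls (0 in General mode, your own value in Advanced mode). The script below is an added example that makes this behaviour concrete with sqlite3 standing in for the MSSQL database; it is not the Logpoint fetcher's code, and the page does not show how Logpoint composes its query. The table name tb_AVVirusLog is from the page; the column names and rows are constructed, and the key column LogID is an assumption: use the monotonically increasing column of your schema.

```python
"""High-water-mark fetching, as the ODBC fetcher's Incremental Key settings imply.

Added example; not Logpoint's code. sqlite3 stands in for MSSQL/db_ControlManager.
Column names and rows are constructed; LogID is an assumed key column.
"""
import sqlite3

TABLE = "tb_AVVirusLog"
INCREMENTAL_KEY = "LogID"   # assumed key column; must only ever grow, or rows are skipped
NEW_LINE_SEPARATOR = "_"    # the page's example value


def seed_db() -> sqlite3.Connection:
    """In-memory stand-in for the MSSQL database, with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        f"CREATE TABLE {TABLE} (LogID INTEGER PRIMARY KEY, EntityName TEXT, VirusName TEXT, Notes TEXT)"
    )
    conn.executemany(
        f"INSERT INTO {TABLE} VALUES (?, ?, ?, ?)",
        [
            (1, "WS-001", "Eicar_test_file", "first line\nsecond line"),
            (2, "WS-002", "Eicar_test_file", "single line"),
            (3, "WS-001", "Eicar_test_file", "quarantined\nrestored"),
        ],
    )
    conn.commit()
    return conn


def fetch_since(conn: sqlite3.Connection, last_key: int, batch: int = 1000):
    """One poll: rows whose key is above the high-water mark, oldest first.

    Returns (records, new_last_key). The identifiers are fixed constants, not user
    input, so building them into the SQL text is safe; all values are bound parameters.
    Newlines inside values are replaced the way the New Line Separator setting does.
    """
    cur = conn.execute(
        f"SELECT * FROM {TABLE} WHERE {INCREMENTAL_KEY} > ? ORDER BY {INCREMENTAL_KEY} LIMIT ?",
        (last_key, batch),
    )
    columns = [d[0] for d in cur.description]
    records = []
    for row in cur.fetchall():
        rec = {c: (v.replace("\n", NEW_LINE_SEPARATOR) if isinstance(v, str) else v)
               for c, v in zip(columns, row)}
        records.append(rec)
    new_last_key = records[-1][INCREMENTAL_KEY] if records else last_key
    return records, new_last_key


def poll(conn: sqlite3.Connection, initial_key: int, polls: int):
    """Run several polls in a row; returns rows-per-poll and the final high-water mark."""
    key = initial_key
    counts = []
    for _ in range(polls):
        rows, key = fetch_since(conn, key)
        counts.append(len(rows))
    return counts, key


if __name__ == "__main__":
    print("General mode, starts at 0:", poll(seed_db(), 0, 2))    # all rows, then nothing new
    print("Advanced mode, starts at 2:", poll(seed_db(), 2, 1))   # only rows with key > 2
```

Two consequences follow for the real fetcher: with General mode's fixed start of 0, the first poll re-reads the whole view or table, so size the Fetch Interval and batch for that initial load; and the key column must be strictly increasing, because a row inserted with a key at or below the current mark is never fetched.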

Verify ingestion and normalization

Use the following query to verify Trend Micro logs are being ingested:

Confirm timestamps and key fields are parsed correctly for your chosen ingestion method (syslog/API/ODBC).
