Configuring Trend Micro Deep Security to communicate with QRadar

To collect all events from Trend Micro Deep Security, you must specify IBM® QRadar® as the Syslog server and configure the Syslog format on your Trend Micro Deep Security device.

Before you begin

Ensure that Deep Security Manager is installed and configured on your Trend Micro Deep Security device.


  1. Click Administration > System Settings > SIEM.
  2. From the System Event Notification pane in the Manager section, enable the Forward System Events to remote computer (via Syslog) option.
  3. Type the host name or the IP address of the QRadar system.
  4. Type 514 for the UDP port.
  5. Select the Syslog Facility that you want to use.
  6. Select LEEF for the Syslog Format.
    Note: Trend Micro Deep Security sends events only in LEEF format from the Deep Security Manager. If you select the Direct forward option on the SIEM tab, you can't select Log Event Extended Format 2.0 for the Syslog Format.
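
To confirm that events forwarded by the steps above arrive in LEEF with the facility you selected, the following added example (not part of the original documentation) parses one received syslog line into its facility, LEEF header fields and attributes. The sample event, the host name `dsm01` and the `0.0.0` version placeholder are constructed; the function name `parse_leef` is hypothetical.

```python
import re

# Constructed sample of a forwarded event (not captured from a real Deep Security Manager).
SAMPLE = ("<134>Jan 18 11:07:53 dsm01 LEEF:2.0|Trend Micro|Deep Security Manager|"
          "0.0.0|600|cat=System\tname=User Signed In\tsev=3\tusrName=admin")

# Optional LEEF 2.0 delimiter field: a hex code (0x09, x5e), one character, or empty.
_DELIM = re.compile(r"(0?x[0-9A-Fa-f]{2,4}|[^|=]?)\|")

def parse_leef(line):
    """Parse one syslog line carrying a LEEF event; raise ValueError if it is not LEEF."""
    pri = re.match(r"<(\d{1,3})>", line)
    start = line.find("LEEF:")
    if start < 0:
        raise ValueError("no LEEF header: check the Syslog Format setting")
    parts = line[start:].split("|", 5)
    if len(parts) < 6 or parts[0] not in ("LEEF:1.0", "LEEF:2.0"):
        raise ValueError("malformed LEEF header")
    rest, delim = parts[5], "\t"  # tab is the default attribute delimiter
    if parts[0] == "LEEF:2.0":
        # LEEF 2.0 may carry a sixth header field naming the attribute delimiter.
        m = _DELIM.match(rest)
        if m:
            spec, rest = m.group(1), rest[m.end():]
            if len(spec) > 1:
                delim = chr(int(spec.split("x")[-1], 16))  # hex form, e.g. 0x09
            elif spec:
                delim = spec  # literal single character, e.g. ^
    attrs = dict(f.split("=", 1) for f in rest.split(delim) if "=" in f)
    return {
        # Syslog PRI = facility * 8 + severity, so facility is PRI >> 3.
        "facility": int(pri.group(1)) >> 3 if pri else None,
        "leef_version": parts[0][5:],
        "vendor": parts[1],
        "product": parts[2],
        "product_version": parts[3],
        "event_id": parts[4],
        "attrs": attrs,
    }

if __name__ == "__main__":
    print(parse_leef(SAMPLE))
```

A `ValueError` on lines received from the Deep Security host indicates that the Syslog Format is not set to LEEF.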