Configuring your Trend Micro Deep Discovery Analyzer instance for communication with QRadar

To collect Trend Micro Deep Discovery Analyzer events, configure your third-party instance to enable logging.

Procedure

  1. Log in to the Deep Discovery Analyzer web console.
  2. To configure Deep Discovery Analyzer V5.0, follow these steps:
    1. Click Administration > Log Settings.
    2. Select Forward logs to a syslog server.
    3. Select LEEF as the log format.
    4. Select the protocol that you want to use to forward the events.
    5. In the Syslog server field, type the host name or IP address of your QRadar Console or Event Collector.
    6. In the Port field, type 514.
  3. To configure Deep Discovery Analyzer V5.5, follow these steps:
    1. Click Administration > Log Settings.
    2. Select Send logs to a syslog server.
    3. In the Server field, type the host name or IP address of your QRadar Console or Event Collector.
    4. In the Port field, type 514.
    5. Select the protocol that you want to use to forward the events.
    6. Select LEEF as the log format.
  4. To configure Deep Discovery Analyzer V5.8 or V6.0, follow these steps:
    1. Click Administration > Integrated Products/Services > Log Settings.
    2. Select Send logs to a syslog server.
    3. In the Server address field, type the host name or IP address of your QRadar console or Event Collector.
    4. In the Port field, type the port number.
      Note: Trend Micro suggests that you use the following default syslog ports: UDP: 514; TCP: 601; and SSL: 443.
    5. Select the protocol that you want to use to forward the events; UDP/TCP/SSL.
    6. Select LEEF as the log format.
    7. Select the Scope of logs to send to the syslog server.
    8. Optional: Select the Extensions check box if you want to exclude any logs from sending data to the syslog server.
  5. Click Save.