Configuring Server and Workload Protection logs

To forward endpoint, server, and workload protection events (such as Anti-Malware, Web Reputation, Integrity Monitoring, and Application Control), complete the following steps.

Procedure

  1. Log in to the Trend Micro Vision One console.
  2. Access the Endpoint Security tab.
  3. Go to Policies > Common Objects > Other > Syslog Configurations.
  4. Click New, and then select New Configuration.
  5. On the General tab, configure the following fields:
    Name: A unique name that identifies the configuration.
    Description: Optional description of the configuration.
    Log Source Identifier: Optional identifier to use instead of the Server and Workload Protection hostname.
    Server Name: Hostname or IP address of the receiving Syslog or SIEM server.
    Server Port: Listening port number on the SIEM or Syslog server. For UDP, the IANA standard port number is 514; for TLS, it is usually port 6514.
    Transport: Specifies whether the transport protocol is secure (TLS) or not (UDP).
      Note: TLS requires that you set "Agents should forward logs" to "through the Workload Security Manager (indirectly)".
    Event Format: Specifies whether the log message format is LEEF, CEF, or basic Syslog.
      Notes:
      • LEEF requires forwarding through the Workload Security Manager.
      • The basic Syslog format is not supported by the Anti-Malware, Web Reputation, Integrity Monitoring, and Application Control modules.
    Include time zone in events: Specifies whether to add the full date (including year and time zone) to the event.
      Note: Full dates require forwarding through the Workload Security Manager.
    Facility: Type of process that events are associated with. Syslog servers might prioritize or filter based on a log message's facility field.
    Agents should forward logs: Specifies whether to send events directly to the Syslog server or through the Workload Security Manager (indirectly).
      Note: Logs forwarded through Server and Workload Protection exclude Firewall and Intrusion Prevention packet data.
  6. If the Syslog or SIEM server requires TLS clients to complete client authentication, configure the client authentication credentials on the Credentials tab.
  7. Click Apply.
  8. If you selected the TLS transport mechanism, verify that both Server and Workload Protection and the Syslog server can connect and trust each other's certificates.
  9. Continue by selecting which events to forward.
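The field table in step 5 contains several cross-field rules (TLS, LEEF and full dates all need indirect forwarding through the Manager; basic Syslog is unsupported for four modules; UDP is not secure). The following pre-flight checker is an added example, not part of Vision One or its API: it encodes those rules so a configuration can be reviewed before step 8's connectivity test. The `SyslogConfig` class and `validate` function are assumed names, and the sample values are constructed.

```python
from dataclasses import dataclass, field

# Defaults and cross-field rules are the ones stated in the field table above;
# the checker itself is an added illustration, not part of Vision One.
DEFAULT_PORT = {"UDP": 514, "TLS": 6514}
NO_BASIC_SYSLOG = {"Anti-Malware", "Web Reputation",
                   "Integrity Monitoring", "Application Control"}
VIA_MANAGER = "forwarding through the Workload Security Manager (indirectly)"

@dataclass
class SyslogConfig:
    name: str
    server_name: str
    server_port: int
    transport: str                 # "UDP" or "TLS"
    event_format: str              # "LEEF", "CEF" or "Syslog" (basic)
    include_time_zone: bool = False
    forward_indirectly: bool = False   # "Agents should forward logs" via the Manager
    modules: set = field(default_factory=set)   # modules whose events are forwarded

def validate(cfg: SyslogConfig) -> list:
    """Return human-readable findings; an empty list means the settings are consistent."""
    findings = []
    if cfg.transport not in DEFAULT_PORT:
        return [f"unknown transport {cfg.transport!r}; expected UDP or TLS"]
    if cfg.transport == "UDP":
        findings.append("UDP transport is not secure: events leave the host unencrypted")
    if cfg.server_port != DEFAULT_PORT[cfg.transport]:
        findings.append(f"port {cfg.server_port} differs from the usual {DEFAULT_PORT[cfg.transport]} for {cfg.transport}")
    # Three settings only work when agents forward indirectly via the Manager.
    needs_manager = []
    if cfg.transport == "TLS":
        needs_manager.append("TLS transport")
    if cfg.event_format == "LEEF":
        needs_manager.append("LEEF format")
    if cfg.include_time_zone:
        needs_manager.append("full dates (time zone in events)")
    if needs_manager and not cfg.forward_indirectly:
        findings.extend(f"{item} requires {VIA_MANAGER}" for item in needs_manager)
    if cfg.event_format == "Syslog":
        unsupported = sorted(NO_BASIC_SYSLOG & cfg.modules)
        if unsupported:
            findings.append("basic Syslog format is not supported by: " + ", ".join(unsupported))
    return findings

if __name__ == "__main__":  # constructed sample: direct UDP, basic Syslog, Anti-Malware events
    for line in validate(SyslogConfig("siem-udp", "siem.example.invalid", 514, "UDP",
                                      "Syslog", modules={"Anti-Malware", "Firewall"})):
        print("finding:", line)
```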