TrendMicro (Cloud) Event Forwarding via external Syslog Server

Inbound Firewall Rules

The TrendMicro syslog forwarder requires inbound firewall rules in your on-prem firewall. The list of TrendMicro’s source IPs to allow for this forwarder depends on the geographic location of your TrendMicro’s tenancy:

Singapore:
  13.214.15.0/27
  18.99.38.64/27
UK:
  18.169.230.160/27
  18.98.162.128/27
USA:
  3.140.136.224/27
  34.205.5.0/27
  18.97.133.160/27
  18.97.19.0/27

Configure inbound firewall rule(s) accordingly, defined as a port forward to your reverse proxy in the DMZ, using one (or more) of the IP ranges above as the source IP for the rule, and a destination port provided by SOCFortress.

Since the DMZ will then forward this flow to the internal network, define an additional rule in your firewall allowing this flow from the reverse proxy (DMZ) to your Graylog Server, as instructed by the SOCFortress team.

Define a Syslog configuration

NOTE: In our integration, we won’t use TLS mutual authentication. Please skip step 4 below

Syslog configurations define the destination and settings that can be used when forwarding system or security events.

If you configured SIEM or Syslog settings before January 26th, 2017, they have been converted to Syslog configurations. Identical configurations were merged.

1. Go to Policies > Common Objects > Other > Syslog Configurations.
2. Click New > New Configuration.

3. On the General tab, configure the following:

   • Name: Unique name that identifies the configuration.
   • Description: Optional description of the configuration.

   • Log Source Identifier: Optional identifier to use instead of Deep Security Manager's hostname.

     If Deep Security Manager is multi-node, each server node has a different hostname. Log source IDs can therefore be different. If you need the IDs to be the same regardless of hostname (for example, for filtering purposes), you can configure their shared log source ID here.

     This setting does not apply to events sent directly by Deep Security Agent, which always uses its hostname as the log source ID.

   • Server Name: Hostname or IP address of the receiving Syslog or SIEM server.

   • Server Port: Listening port number on the SIEM or Syslog server. For UDP, the IANA standard port number is 514. For TLS, it is usually port 6514. See also Port numbers, URLs, and IP addresses.

   • Transport: Whether the transport protocol is secure (TLS) or not (UDP).

     With UDP, Syslog messages are limited to 64 KB. If the message is longer, data may be truncated.

     With TLS, the manager and Syslog server must trust each other's certificates. The connection from the manager to the Syslog server is encrypted with TLS 1.2, 1.1, or 1.0.

     TLS requires that you set Agents should forward logs to Via the Deep Security Manager (indirectly). Agents do not support forwarding with TLS.

   • Event Format: Whether the log message's format is LEEF, CEF, or basic Syslog. See Syslog message formats

     LEEF format requires that you set Agents should forward logs to Via the Deep Security Manager (indirectly).

     Basic Syslog format is not supported by Deep Security Anti-Malware, Web Reputation, Integrity Monitoring, and Application Control.

   • Include time zone in events: Whether to add the full date (including year and time zone) to the event.

     Example (selected): 2018-09-14T01:02:17.123+04:00.

     Example (deselected): Sep 14 01:02:17.

     Full dates require that you set Agents should forward logs to Via the Deep Security Manager (indirectly).

   • Facility: Type of process with which the events will be associated. Syslog servers may prioritize or filter based on a log message's facility field. See also What are Syslog Facilities and Levels?

   • Agents should forward logs: Whether to send events Directly to the Syslog server or Via the Deep Security Manager (indirectly).

     When forwarding logs directly to the Syslog server, agents use clear text UDP. Logs contain sensitive information about your security system. If logs will travel over an untrusted network such as the Internet, consider adding a VPN tunnel or similar to prevent reconnaissance and tampering.

     If you forward logs via the manager, they do not include Firewall and Intrusion Prevention packet data unless you configure Deep Security Manager to include it. For instructions, see Sending packet data to syslog via Deep Security Manager (DSM).

4. If the Syslog or SIEM server requires TLS clients to do client authentication (also called bilateral or mutual authentication; see Request a client certificate), then on the Credentials tab, configure the following:

   • Private Key: Paste the private key of Deep Security Manager's client certificate.
   • Certificate: Paste the client certificate that Deep Security Manager will use to identify itself in TLS connections to the Syslog server. Use PEM, also known as Base64-encoded format.
   • Certificate Chain: If an intermediate CA signed the client certificate, but the Syslog server doesn't know and trust that CA, then paste CA certificates which prove a relationship to a trusted root CA. Press Enter between each CA certificate.
5. Click Apply.

6. If you selected the TLS transport mechanism, verify that both Deep Security Manager and the Syslog server can connect and trust each other's certificates.

   1. Click Test Connection. (NOTE: Before testing the connection, ensure that inbound firewall rules have been defined in your on-prem firewall. See details above)

      Deep Security Manager tries to resolve the hostname and connect. If that fails, an error message appears.

      If the Syslog or SIEM server certificate is not yet trusted by Deep Security Manager, the connection fails and an Accept Server Certificate? message should appear. The message shows the contents of the Syslog server's certificate.

   2. Verify that the Syslog server's certificate is correct, and then and click OK to accept it.

      The certificate is added to the manager's list of trusted certificates on Administration > System Settings > Security. Deep Security Manager can accept self-signed certificates.

   3. Click Test Connection again.

      Now the TLS connection should succeed.

7. Continue by selecting the events to forward. See Forward system events and/or Forward security events.

Forward system events

Deep Security Manager generates system events, such as administrator logins or upgrading agent software.

1. Go to Administration > System Settings > Event Forwarding.
2. From Forward System Events to a remote computer (via Syslog) using configuration, either select an existing configuration or click New. For details, see Define a Syslog configuration.
3. Click Save.

If Deep Security Manager is multi-node, system events are only sent from one node to avoid duplicates.

Forward security events

Deep Security Agent protection features generate security events (such as detecting malware or triggering an IPS rule). You can forward events either:

• Directly
• Indirectly, via Deep Security Manager

Some event forwarding options require forwarding agent events indirectly, via Deep Security Manager.

Similarly to other policy settings, you can override event forwarding settings for specific policies or computers. See Policies, inheritance, and overrides.

1. Go to Policies.
2. Double-click the policy used by the computers.
3. Select Settings.
4. Select the Event Forwarding tab.
5. From Period between sending of events, select the frequency of the event forwarding.
6. From Anti-Malware Syslog Configuration and other protection modules' context menus, either select which Syslog configuration to use, click Edit to change it, select None to disable it, or click New. For details, see Define a Syslog configuration.
7. Click Save.

Troubleshoot event forwarding

Failed to Send Syslog Message alert

If there is a problem with your Syslog configuration, you might see this alert:

Failed to Send Syslog Message
The Deep Security Manager was unable to forward messages to a Syslog Server.
Unable to forward messages to a Syslog Server

The alert also contains a link to the affected Syslog configuration. Click the link to open the configuration and then click Test Connection to get more diagnostic information. It will either indicate that the connection was successful or display an error message with more details about the cause.

Can't edit Syslog configurations

If you can see the Syslog configurations but can't edit them, the role associated with your account might not have the appropriate rights. An administrator who is able to configure roles can check your permissions by going to Administration > User Management. Then select your name and click Properties. On the Other Rights tab, the Syslog Configurations setting controls your ability to edit Syslog configurations. For more information on users and roles, see Add and manage users.

Can't see the Syslog configuration sections of Deep Security Manager

If you cannot see the Syslog configurations UI in Deep Security Manager, you may be a tenant in a multi-tenant environment where the primary tenant has disabled this feature or configured it for you.

Syslog not transferred due to an expired certificate

Valid certificates are required to connect securely via TLS. If you set up TLS client authentication and the certificate expires, messages are not sent to the Syslog server. To fix this problem, get a new certificate, update the Syslog configuration with the new certificate values, test the connection, and then save the configuration.

Syslog not delivered due to an expired or changed server certificate

Valid certificates are required to connect securely via TLS. If the Syslog server's certificate has expired or changed, open the Syslog configuration and click Test Connection. You are prompted to accept the new certificate.