Trend Micro

Trend Micro Cloud One - Workload Security (formerly Deep Security Software) is a hybrid cloud runtime security solution.

You can review the Trend Micro resources in your security account, including preconfigured security rules and dashboards to get you started.

Before you begin, you'll need:

Credentials for Trend Micro Cloud One
Filebeat
Root access

Install the Trend Micro certificate on your Filebeat server

Trend Micro sends encrypted data, so you'll need to install the Trend Micro certificate on your Filebeat server.

sudo mkdir /etc/filebeat/certificates
sudo openssl req -newkey rsa:2048 -nodes \
-keyout /etc/filebeat/certificates/Trendmicro.key -x509 \
-days 365 \
-out /etc/filebeat/certificates/Trendmicro.crt

Download the Logz.io public certificate

For HTTPS shipping, download the Logz.io public certificate to your certificate authority folder.

sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/AAACertificateServices.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt

Configure Filebeat

Open the Filebeat configuration file (/etc/filebeat/filebeat.yml) with your preferred text editor.

note

Filebeat requires a file extension specified for the log input.

Copy and paste the code block below, overwriting the previous , to replace the general configuration with the following settings:

# ...
filebeat.inputs:
- type: tcp
  max_message_size: 10MiB
  host: "0.0.0.0:6514"
  ssl.enabled: true
  ssl.certificate: "/etc/filebeat/certificates/Trendmicro.crt"
  ssl.key: "/etc/filebeat/certificates/Trendmicro.key"
  ssl.verification_mode: none
  fields:
    logzio_codec: json
    token: <<LOG-SHIPPING-TOKEN>>
    type: trendmicro_deep
  fields_under_root: true
filebeat.registry.path: /var/lib/filebeat
#The following processors are to ensure compatibility with version 7
processors:
- rename:
    fields:
     - from: "agent"
       to: "beat_agent"
    ignore_missing: true
- rename:
    fields:
     - from: "log.file.path"
       to: "source"
    ignore_missing: true

Replace <<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to.

Set Logz.io as the output

Still in the same configuration file, check if Logz.io is already an output. If not, add it now.

# ...
output.logstash:
  hosts: ["<<LISTENER-HOST>>:5015"] 
  ssl:
    certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']

Replace <<LISTENER-HOST>> with the host for your region.

One last validation - make sure Logz.io is the only output and appears only once. If the file has other outputs, remove them.

Start Filebeat

Start or restart Filebeat for the changes to take effect.

Configure Trend Micro agents to forward logs to Filebeat

The process for configuring Trend Micro to send logs to your Syslog server involves several steps. All of them are performed in the Trend Micro Cloud One console. You can also reference the official documentation published by Trend Micro.

First, log into your Trend Micro Cloud One console.

Select Policies from the top menu.
Select Other > Syslog Configurations in the left menu.
Select New → New Configuration.
Fill in the new configuration form:
1. Name - Provide a name for the new Syslog configuration. For example: Logz.io.
2. Server Name and Server Port - Provide the IP address and port 6514.
3. Event Format - Select Log Event Extended Format 2.0.
4. Check the box to Include time zone in events.
5. Transport - Select TLS.
6. Save your changes.

Open the Credentials tab, and fill in the details:
1. Private key - Provide the Trendmicro.key you created in step 1. You can run the following command to look up the key:
```
sudo nano /etc/filebeat/certificates/Trendmicro.key
```
2. Certificate - Provide the Trendmicro.crt you created in step 1. You can run the following command to look up the key:
```
sudo nano /etc/filebeat/certificates/Trendmicro.crt
```
3. Click Test connection to test your settings.
4. Save your changes.

Activate syslog forwarding

Configure Trend Micro agents to forward event logs to Logz.io.

Open the Policies tab, and select the relevant policy.
In the policy form, select Setting in the left menu.
Select the tab Event forwarding in the top menu.
Select the relevant syslog policies you created in the previous steps.

Sample configuration

You can reference the sample configuration used by the Logz.io Security Team in development of this integration. Exported configuration in XML format.

The configuration file includes settings for the following services:

Anti-malware
Integrity monitoring
Log inspection
Firewall
Intrusion prevention

Check Logz.io for your logs

Give your logs some time to get from your system to ours, and then open Open Search Dashboards.

If you still don't see your logs, see Filebeat troubleshooting.

Install the Trend Micro certificate on your Filebeat server​

Download the Logz.io public certificate​

Configure Filebeat​

Set Logz.io as the output​

Start Filebeat​

Configure Trend Micro agents to forward logs to Filebeat​

Activate syslog forwarding​

Sample configuration​

Check Logz.io for your logs​