Trend Micro Cloud One - Workload Security (formerly Deep Security Software) is a hybrid cloud runtime security solution.
Before you begin, you’ll need:
Install the Trend Micro certificate on your Filebeat server
Trend Micro sends encrypted data, so you’ll need to install the Trend Micro certificate on your Filebeat server.
sudo mkdir /etc/filebeat/certificates sudo openssl req -newkey rsa:2048 -nodes \ -keyout /etc/filebeat/certificates/Trendmicro.key -x509 \ -days 365 \ -out /etc/filebeat/certificates/Trendmicro.crt
Download the Logz.io public certificate to your credentials server
For HTTPS shipping, download the Logz.io public certificate to your certificate authority folder.
sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/AAACertificateServices.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt
Open the Filebeat configuration file (/etc/filebeat/filebeat.yml) with your preferred text editor.
Filebeat requires a file extension specified for the log input.
Copy and paste the code block below, overwriting the previous contents, to replace the general configuration with the following settings:
# ... filebeat.inputs: - type: tcp max_message_size: 10MiB host: "0.0.0.0:6514" ssl.enabled: true ssl.certificate: "/etc/filebeat/certificates/Trendmicro.crt" ssl.key: "/etc/filebeat/certificates/Trendmicro.key" ssl.verification_mode: none fields: logzio_codec: json token: <<LOG-SHIPPING-TOKEN>> type: trendmicro_deep fields_under_root: true filebeat.registry.path: /var/lib/filebeat #The following processors are to ensure compatibility with version 7 processors: - rename: fields: - from: "agent" to: "beat_agent" ignore_missing: true - rename: fields: - from: "log.file.path" to: "source" ignore_missing: true
<<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to.
Set Logz.io as the output
Still in the same configuration file, check if Logz.io is already an output. If not, add it now.
# ... output.logstash: hosts: ["<<LISTENER-HOST>>:5015"] ssl: certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']
<<LISTENER-HOST>> with the host for your region. For example,
listener.logz.io if your account is hosted on AWS US East, or
listener-nl.logz.io if hosted on Azure West Europe. The required port depends whether HTTP or HTTPS is used: HTTP = 8070, HTTPS = 8071.
One last validation - make sure Logz.io is the only output and appears only once. If the file has other outputs, remove them.
Start or restart Filebeat for the changes to take effect.
Configure Trend Micro agents to forward logs to Filebeat
The process for configuring Trend Micro to send logs to your Syslog server involves several steps. All of them are performed in the Trend Micro Cloud One console. You can also reference the official documentation published by Trend Micro.
First, log into your Trend Micro Cloud One console.
- Select Policies from the top menu.
- Select Other > Syslog Configurations in the left menu.
- Select New → New Configuration.
- Fill in the new configuration form:
- Name - Provide a name for the new Syslog configuration. For example: Logz.io.
- Server Name and Server Port - Provide the IP address and port 6514.
- Event Format - Select Log Event Extended Format 2.0.
- Check the box to Include time zone in events.
- Transport - Select TLS.
- Save your changes.
Open the Credentials tab, and fill in the details:
Private key - Provide the Trendmicro.key you created in step 1. You can run the following command to look up the key:
sudo nano /etc/filebeat/certificates/Trendmicro.key
Certificate - Provide the Trendmicro.crt you created in step 1. You can run the following command to look up the key:
sudo nano /etc/filebeat/certificates/Trendmicro.crt
- Click Test connection to test your settings.
- Save your changes.
Activate syslog forwarding
Configure Trend Micro agents to forward event logs to Logz.io.
- Open the Policies tab, and select the relevant policy.
- In the policy form, select Setting in the left menu.
- Select the tab Event forwarding in the top menu.
- Select the relevant syslog policies you created in the previous steps.
You can reference the sample configuration used by the Logz.io Security Team in development of this integration. Exported configuration in XML format.
The configuration file includes settings for the following services:
- Integrity monitoring
- Log inspection
- Intrusion prevention
Check Logz.io for your logs
Give your logs some time to get from your system to ours, and then open Kibana.
If you still don’t see your logs, see Filebeat troubleshooting.