
In this type of syslog content mapping, fill in the CEF Keys field as {CEF Key 1}|{CEF Key 2}|...|{CEF Key n}, with the keys separated by "|".

The following table outlines the syslog content mapping between the predefined and custom extension CEF keys and the corresponding Trend Micro Web Security log output values.

Table 1. CEF Access Logs

CEF Key             Description                                     Value
Header (logVer)     CEF format version                              CEF:0
Header (vendor)     Appliance vendor                                Trend Micro
Header (pname)      Appliance product name                          Trend Micro Web Security
Header (pver)       Appliance version                               Example: 3.0.0.2042
Header (eventid)    Signature ID                                    Example: 100000
Header (eventName)  Description                                     Access Log
Header (severity)   Risk level, derived from act                    0: act=allow/analyze
                                                                    1: act=monitor/warn/override
                                                                    2: act=block
rt                  UTC timestamp                                   Example: Jul 05 2018 07:54:15 +0000
logType             Log type                                        1: Successful access log
                                                                    5: Failed HTTPS access log
companyID           Company ID                                      Example: 7800fcab-7611-416c-9ab4-721b7bd6b076
adDomain            AD domain                                       Example: trendmicro.com.cn
userName            User name or client IP                          Example: 10.204.214.188
groupName           Group name                                      Example: testgroup1
userDepartment      User department                                 Example: finance department
gatewayName         Gateway name                                    Example: on-premise-2051
app                 Protocol used                                   1: HTTP
                                                                    2: HTTPS
                                                                    3: HTTP/2
transportBytes      Body size of a request or response, in bytes    Example: 221030
dst                 Destination IP address of a request             Example: 54.231.184.240
src                 Source IP address of a request                  Example: 10.204.214.188
upStreamSize        Upstream payload from Trend Micro Web Security  Example: 501
                    to the server, in bytes
downStreamSize      Downstream payload from the server to Trend     Example: 220529
                    Micro Web Security, in bytes
domainName          URL domain                                      Example: clients4.google.com
scanType            Scan type                                       0: Not match any rule
                                                                    1: Client certificate is required
                                                                    2: Untrusted server certificate
                                                                    10: Approved URLs/Blocked URLs
                                                                    13: Client not allowed
                                                                    14: Destination port not allowed
                                                                    15: Access to private address
                                                                    20: Web Reputation service
                                                                    21: URL filtering
                                                                    30: True file type
                                                                    33: MIME type
                                                                    34: File extension name
                                                                    40: Anti-malware
                                                                    41: Unscannable files
                                                                    45: Predictive machine learning
                                                                    50: Anti-botnet
                                                                    60: Application control
                                                                    70: Suspicious Object Analysis (Virtual Analyzer)
                                                                    90: Suspicious Object Filtering (Virtual Analyzer)
                                                                    100: Data loss prevention
                                                                    110: Ransomware
policyName          Policy name                                     Example: default
profileName         Profile name                                    Example: default
severity            WRS score threshold                             0: WRS is disabled
                                                                    50: WRS security level=Low
                                                                    65: WRS security level=Medium
                                                                    80: WRS security level=High
principalName       Principal name                                  Example: testuser@trendmicro.com.cn
cat                 URL category                                    Example: Search Engines/Portals
appName             Application name                                Example: Google
wrsScore            WRS score                                       Example: 81
malwareType         Malware type                                    1: Virus
                                                                    2: Spyware
                                                                    3: Joke
                                                                    4: Trojan
                                                                    5: Test_Virus
                                                                    6: Packer
                                                                    7: Generic
                                                                    8: Other
                                                                    9: Botnet
malwareName         Malware name                                    Example: HEUR_OLEXP.B
fname               File name                                       Example: sample_nice_dda_heurb_1177077.ppt-1
filehash            SHA-1 hash of the file                          Example: 3f21be4521b5278fb14b8f47afcabe08a17dc504
act                 Action                                          allow
                                                                    monitor
                                                                    block
                                                                    warn
                                                                    override
                                                                    analyze
httpTrans           HTTP transaction                                JSON format. Example:
                                                                    {"http_req":{"method":"GET","scheme":"http","path":"index.html","host":"www.sina.com.cn","headers":{"header_1":"value_1", ...}},"http_response":{"status_code":"200","headers":{...}}}

Note that the CEF header severity (the 0/1/2 risk level derived from act) and the extension key severity (the WRS score threshold of the policy) are different fields. A receiver that maps both onto a single "severity" property will report the WRS threshold as a risk level: in log output sample 1 below an allowed request carries header severity 0 but severity=65 (WRS security level Medium). Also note that in the samples the httpTrans JSON carries an additional "ver":"1.0" member and emits status_code as a number rather than the quoted "200" shown in the example above, so a parser should accept either form.

Log output sample 1:

CEF:0|Trend Micro|Trend Micro Web Security|3.0.0.2040|100000|Access Log|0| 
wrsScore=81 companyID=7800fcab-7611-416c-9ab4-721b7bd6b076 app=2 upStreamSize=1064 
userDepartment= scanType=0 malwareType=0 
httpTrans={"http_req":{"headers":{"host":"clients4.google.com:443",
"proxy-connection":"keep-alive","user-agent":"Chrome WIN 67.0.3396.99 
(a337fbf3c2ab8ebc6b64b0bfdce73a20e2e2252b-refs/branch-heads/3396@{#790}) channel(stable)"},
"host":"clients4.google.com","method":"CONNECT","path":"","scheme":"https"},
"http_response":{"headers":{"content-length":"0"},"status_code":200},"ver":"1.0"}  
malwareName= rt=Jul 29 2018 19:34:11 +0000 policyName=default severity=65 filehash= 
logType=1 dst=172.217.24.206 appName=Google groupName= fname= adDomain= 
gatewayName=on-premise-2040 principalName= downStreamSize=4607 profileName= 
userName=10.204.214.188 src=10.204.214.188 transportBytes=5787
domainName=clients4.google.com cat=Search Engines/Portals act=allow

Log output sample 2:

CEF:0|Trend Micro|Trend Micro Web Security|3.0.0.2051|100000|Access Log|0| 
wrsScore=49 companyID=7800fcab-7611-416c-9ab4-721b7bd6b076 app=1 upStreamSize=501 
userDepartment= scanType=70 malwareType=8 
httpTrans={"http_req":{"headers":{"accept-encoding":"gzip,deflate",
"host":"s3-us-west-2.amazonaws.com","user-agent":"Mozilla/5.0 
(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99
Safari/537.36","x-forwarded-for":"10.204.214.188"},"host":"s3-us-west-2.amazonaws.com",
"method":"GET","path":"dda-demo-samples/SAMPLE_NICE_DDA_HEURB_1177077.ppt-1",
"scheme":"http"},"http_response":{"headers":{"content-length":"220160",
"content-type":"binary/octet-stream"},"status_code":200},"ver":"1.0"}
malwareName=HEUR_OLEXP.B rt=Aug 06 2018 02:24:15 +0000 policyName=default severity=0
filehash=3f21be4521b5278fb14b8f47afcabe08a17dc504 logType=1 dst=54.231.184.240 
appName=Amazon Web Services (AWS) groupName= fname=sample_nice_dda_heurb_1177077.ppt-1 
adDomain= gatewayName=on-premise-2051 principalName= downStreamSize=220529 
profileName=default userName=10.204.214.188 src=10.204.214.188 transportBytes=221030
domainName=s3-us-west-2.amazonaws.com cat=Malware Accomplice act=analyze
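The following Python script is an added example, not code from Trend Micro or from this page. It parses the two log output samples above (re-joined onto one line each, as a syslog receiver actually gets them) into the header fields and extension keys of Table 1, cuts the httpTrans JSON out with the JSON decoder before splitting the remaining key=value pairs, decodes the enumerated values, and flags records where a detection engine fired. The set of scanType values treated as detections, the needs_attention rule and all function names are this example's own assumptions, not part of the product.

```python
import json
import re

# The page's two log output samples, re-joined onto one line each the way a syslog
# receiver gets them (re-joined for this example; the content is the page's).
SAMPLE_1 = (
    "CEF:0|Trend Micro|Trend Micro Web Security|3.0.0.2040|100000|Access Log|0|"
    "wrsScore=81 companyID=7800fcab-7611-416c-9ab4-721b7bd6b076 app=2 upStreamSize=1064 "
    "userDepartment= scanType=0 malwareType=0 "
    'httpTrans={"http_req":{"headers":{"host":"clients4.google.com:443",'
    '"proxy-connection":"keep-alive","user-agent":"Chrome WIN 67.0.3396.99 '
    '(a337fbf3c2ab8ebc6b64b0bfdce73a20e2e2252b-refs/branch-heads/3396@{#790}) channel(stable)"},'
    '"host":"clients4.google.com","method":"CONNECT","path":"","scheme":"https"},'
    '"http_response":{"headers":{"content-length":"0"},"status_code":200},"ver":"1.0"} '
    "malwareName= rt=Jul 29 2018 19:34:11 +0000 policyName=default severity=65 filehash= "
    "logType=1 dst=172.217.24.206 appName=Google groupName= fname= adDomain= "
    "gatewayName=on-premise-2040 principalName= downStreamSize=4607 profileName= "
    "userName=10.204.214.188 src=10.204.214.188 transportBytes=5787 "
    "domainName=clients4.google.com cat=Search Engines/Portals act=allow"
)
SAMPLE_2 = (
    "CEF:0|Trend Micro|Trend Micro Web Security|3.0.0.2051|100000|Access Log|0|"
    "wrsScore=49 companyID=7800fcab-7611-416c-9ab4-721b7bd6b076 app=1 upStreamSize=501 "
    "userDepartment= scanType=70 malwareType=8 "
    'httpTrans={"http_req":{"headers":{"accept-encoding":"gzip,deflate",'
    '"host":"s3-us-west-2.amazonaws.com","user-agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) '
    'AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99 Safari/537.36",'
    '"x-forwarded-for":"10.204.214.188"},"host":"s3-us-west-2.amazonaws.com",'
    '"method":"GET","path":"dda-demo-samples/SAMPLE_NICE_DDA_HEURB_1177077.ppt-1",'
    '"scheme":"http"},"http_response":{"headers":{"content-length":"220160",'
    '"content-type":"binary/octet-stream"},"status_code":200},"ver":"1.0"} '
    "malwareName=HEUR_OLEXP.B rt=Aug 06 2018 02:24:15 +0000 policyName=default severity=0 "
    "filehash=3f21be4521b5278fb14b8f47afcabe08a17dc504 logType=1 dst=54.231.184.240 "
    "appName=Amazon Web Services (AWS) groupName= fname=sample_nice_dda_heurb_1177077.ppt-1 "
    "adDomain= gatewayName=on-premise-2051 principalName= downStreamSize=220529 "
    "profileName=default userName=10.204.214.188 src=10.204.214.188 transportBytes=221030 "
    "domainName=s3-us-west-2.amazonaws.com cat=Malware Accomplice act=analyze"
)

HEADER_FIELDS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")
# Enumerations from Table 1 for the keys decoded below.
SCAN_TYPE = {0: "Not match any rule", 1: "Client certificate is required",
             2: "Untrusted server certificate", 10: "Approved URLs/Blocked URLs",
             13: "Client not allowed", 14: "Destination port not allowed",
             15: "Access to private address", 20: "Web Reputation service",
             21: "URL filtering", 30: "True file type", 33: "MIME type",
             34: "File extension name", 40: "Anti-malware", 41: "Unscannable files",
             45: "Predictive machine learning", 50: "Anti-botnet", 60: "Application control",
             70: "Suspicious Object Analysis (Virtual Analyzer)",
             90: "Suspicious Object Filtering (Virtual Analyzer)", 100: "Data loss prevention",
             110: "Ransomware"}
MALWARE_TYPE = {1: "Virus", 2: "Spyware", 3: "Joke", 4: "Trojan", 5: "Test_Virus",
                6: "Packer", 7: "Generic", 8: "Other", 9: "Botnet"}
APP = {1: "HTTP", 2: "HTTPS", 3: "HTTP/2"}
# Assumption of this example: these scanType values mean a detection engine fired.
DETECTION_SCAN_TYPES = {40, 45, 50, 70, 90, 100, 110}

# An extension value runs until the next " key=" token: "cat=Malware Accomplice" has spaces,
# and empty values such as "groupName=" are legal.
_EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")
_JSON = json.JSONDecoder()


def _pull_http_trans(blob):
    """Cut the httpTrans JSON object out of the blob with the JSON decoder itself, so a
    space or '=' inside a request header can never confuse the key=value splitter."""
    idx = blob.find("httpTrans={")
    if idx < 0:
        return blob, None
    obj, end = _JSON.raw_decode(blob, idx + len("httpTrans="))
    return blob[:idx] + blob[end:], obj


def parse_cef(line):
    """Split one CEF:0 record into its seven header fields and an extension dict."""
    parts = line.strip().split("|", 7)  # seven header fields, then the extension blob
    if len(parts) != 8 or parts[0] != "CEF:0":
        raise ValueError("not a CEF:0 record")
    header = dict(zip(HEADER_FIELDS, parts[:7]))
    header["severity"] = int(header["severity"])
    blob, http_trans = _pull_http_trans(parts[7])
    ext = {k: v.strip().replace("\\=", "=") for k, v in _EXT_RE.findall(blob)}
    if http_trans is not None:
        ext["httpTrans"] = http_trans
    return header, ext


def triage(line):
    """Decode the enumerated fields and flag records that deserve an analyst's attention."""
    header, ext = parse_cef(line)
    scan_type = int(ext.get("scanType", 0))
    trans = ext.get("httpTrans") or {}
    req, resp = trans.get("http_req", {}), trans.get("http_response", {})
    return {
        "action": ext.get("act"),
        "risk_level": header["severity"],              # header severity: 0/1/2 per Table 1
        "wrs_threshold": int(ext.get("severity", 0)),  # extension 'severity' is the WRS threshold
        "scan_type": SCAN_TYPE.get(scan_type, "unknown (%d)" % scan_type),
        "malware": (MALWARE_TYPE.get(int(ext.get("malwareType", 0)), "n/a"),
                    ext.get("malwareName") or None),
        "protocol": APP.get(int(ext.get("app", 0)), "unknown"),
        "request": "%s %s://%s/%s" % (req.get("method"), req.get("scheme"),
                                      req.get("host"), req.get("path", "")),
        "status": int(resp.get("status_code", 0)),     # a number in the samples; tolerate a string
        "needs_attention": (ext.get("act") in ("block", "analyze")
                            or scan_type in DETECTION_SCAN_TYPES
                            or bool(ext.get("malwareName"))),
    }
```

Calling triage(SAMPLE_2) flags the Virtual Analyzer event (act=analyze, scanType 70, malwareName HEUR_OLEXP.B) while triage(SAMPLE_1) reports the CONNECT to clients4.google.com as a plain allow with the WRS threshold 65 kept apart from the header risk level 0. The " key=" split is a heuristic: it misfires if a non-JSON value itself contains " word=", and the header split does not handle a pipe escaped as \| inside a header field, so validate the parser against your own gateway's output before relying on it.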