Views:

In this type of syslog content mapping, provide the CEF Keys field in the format of {CEF Key 1}|{CEF Key 2}|...|{CEF Key n}, separated by a "|".

The following table outlines the syslog content mapping between predefined/custom extension CEF keys and Trend Micro Web Security log output (value).

Table 1. CEF Access Logs

CEF Key

Description

Value

Header (logVer)

CEF format version

CEF: 0

Header (vendor)

Appliance vendor

Trend Micro

Header (pname)

Appliance product name

Trend Micro Web Security

Header (pver)

Appliance version

Example: 3.0.0.2042

Header (eventid)

Signature ID

Example: 100000

Header (eventName)

Description

Access Log

Header (severity)

Risk level

  • 0: act=allow/analyze

  • 1: act=monitor/warn/override

  • 2: act=block

rt

UTC timestamp

Example: Jul 05 2018 07:54:15 +0000

logType

Log type

  • 1: Successful access log

  • 5: Failed HTTPS access log

companyID

Company ID

Example: 7800fcab-7611-416c-9ab4-721b7bd6b076

adDomain

AD domain

Example: trendmicro.com.cn

userName

User name or client IP

Example: 10.204.214.188

groupName

Group name

Example: testgroup1

userDepartment

User department

Example: finance department

gatewayName

Gateway name

Example: on-premise-2051

app

Protocol used

  • 1: HTTP

  • 2: HTTPS

  • 3: HTTP/2

transportBytes

Body size of a request or response

Example: 221030

dst

Destination IP address of a request

Example: 54.231.184.240

src

Source IP address of a request

Example: 10.204.214.188

upStreamSize

Upstream payload from Trend Micro Web Security to server, unit bytes

Example: 501

downStreamSize

Downstream payload from server to Trend Micro Web Security, unit bytes

Example: 220529

domainName

URL domain

Example: clients4.google.com

scanType

Scan type

  • 0: Not match any rule

  • 1: Client certificate is required

  • 2: Untrusted server certificate

  • 10: Approved URLs/Blocked URLs

  • 13: Client not allowed

  • 14: Destination port not allowed

  • 15: Access to private address

  • 20: Web Reputation service

  • 21: URL filtering

  • 30: True file type

  • 33: MIME type

  • 34: File extension name

  • 40: Anti-malware

  • 41: Unscannable files

  • 45: Predictive machine learning

  • 50: Anti-botnet

  • 60: Application control

  • 70: Suspicious Object Analysis (Virtual Analyzer)

  • 90: Suspicious Object Filtering (Virtual Analyzer)

  • 100: Data loss prevention

  • 110: Ransomware

policyName

Policy name

Example: default

profileName

Profile name

Example: default

severity

WRS score threshold

  • 0: WRS is disabled

  • 50: WRS security level=Low

  • 65: WRS security level=Medium

  • 80: WRS security level=high

principalName

Principal name

Example: testuser@trendmicro.com.cn

cat

URL category

Example: Search Engines/Portals

appName

Application name

Example: Google

wrsScore

WRS score

Example: 81

malwareType

Malware type

  • 1: Virus

  • 2: Spyware

  • 3: Joke

  • 4: Trojan

  • 5: Test_Virus

  • 6: Packer

  • 7: Generic

  • 8: Other

  • 9: Botnet

malwareName

Malware name

Example: HEUR_OLEXP.B

fname

File name

Example: sample_nice_dda_heurb_1177077.ppt-1

filehash

SHA-1

Example: 3f21be4521b5278fb14b8f47afcabe08a17dc504

act

Action

  • allow

  • monitor

  • block

  • warn

  • override

  • analyze

httpTrans

HTTP transaction

JSON format. Example:{"http_req":{ "method":"GET","scheme":"http","path":"index.html","host":www.sina.com.cn,"headers":{"header_1":"value_1", ...}},"http_response":{"status_code":"200","headers":{...}}}

macAddress

MAC address of the Windows endpoint with the Enforcement Agent installed

Example: 00-50-56-89-02-14

Note:

This CEF key cannot be applied to the on-premises gateway.

Access log output sample 1:

CEF:0|Trend Micro|Trend Micro Web Security|3.0.0.2040|100000|Access Log|0| 
wrsScore=81 macAddress=00-50-56-89-02-14 companyID=7800fcab-7611-416c-9ab4-721b7bd6b076 app=2 
upStreamSize=1064 userDepartment= scanType=0 malwareType=0 
httpTrans={"http_req":{"headers":{"host":"clients4.google.com:443",
"proxy-connection":"keep-alive","user-agent":"Chrome WIN 67.0.3396.99 
(a337fbf3c2ab8ebc6b64b0bfdce73a20e2e2252b-refs/branch-heads/3396@{#790}) channel(stable)"},
"host":"clients4.google.com","method":"CONNECT","path":"","scheme":"https"},
"http_response":{"headers":{"content-length":"0"},"status_code":200},"ver":"1.0"}  
malwareName= rt=Jul 29 2018 19:34:11 +0000 policyName=default severity=65 filehash= 
logType=1 dst=172.217.24.206 appName=Google groupName= fname= adDomain= 
gatewayName=on-premise-2040 principalName= downStreamSize=4607 profileName= 
userName=10.204.214.188 src=10.204.214.188 transportBytes=5787
domainName=clients4.google.com cat=Search Engines/Portals act=allow

Access log output sample 2:

CEF:0|Trend Micro|Trend Micro Web Security|3.0.0.2051|100000|Access Log|0| 
wrsScore=49 macAddress=00-50-56-89-02-14 companyID=7800fcab-7611-416c-9ab4-721b7bd6b076 
app=1 upStreamSize=501 userDepartment= scanType=70 malwareType=8 
httpTrans={"http_req":{"headers":{"accept-encoding":"gzip,deflate",
"host":"s3-us-west-2.amazonaws.com","user-agent":"Mozilla/5.0 
(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99
Safari/537.36","x-forwarded-for":"10.204.214.188"},"host":"s3-us-west-2.amazonaws.com",
"method":"GET","path":"dda-demo-samples/SAMPLE_NICE_DDA_HEURB_1177077.ppt-1",
"scheme":"http"},"http_response":{"headers":{"content-length":"220160",
"content-type":"binary/octet-stream"},"status_code":200},"ver":"1.0"}
malwareName=HEUR_OLEXP.B rt=Aug 06 2018 02:24:15 +0000 policyName=default severity=0
filehash=3f21be4521b5278fb14b8f47afcabe08a17dc504 logType=1 dst=54.231.184.240 
appName=Amazon Web Services (AWS) groupName= fname=sample_nice_dda_heurb_1177077.ppt-1 
adDomain= gatewayName=on-premise-2051 principalName= downStreamSize=220529 
profileName=default userName=10.204.214.188 src=10.204.214.188 transportBytes=221030
domainName=s3-us-west-2.amazonaws.com cat=Malware Accomplice act=analyze
Table 2. CEF Audit Logs

CEF Key

Description

Value

Header (logVer)

CEF format version

CEF: 0

Header (vendor)

Appliance vendor

Trend Micro

Header (pname)

Appliance product name

Trend Micro Web Security

Header (pver)

Appliance version

Example: 3.4.1.5449

Header (eventid)

Signature ID

Example: 100001

Header (eventName)

Description

Audit Log

Header (severity)

Risk level

0

rt

UTC timestamp

Example: Nov 04 2020 02:15:06 +0000

userName

Email address

Example: user@example.com

companyID

Company ID

Example: 7800fcab-7611-416c-9ab4-721b7bd6b076

logType

Log type

3: Audit Log

act

Administrative operation

Example: Administrator Log On

httpTrans

Detailed operation information

See the output samples below
Note:

The other CEF keys not listed in the table are not available for audit logs. Therefore, they will not be in the output if configured in CEF keys.

Audit log output sample 1:

Nov 20 07:59:31 10.206.197.118 CEF: 0|Trend Micro|Trend Micro Web Security|
3.4.1.5478|100001|Audit Log|0|userName=admin@trendmicro.com.cn rt=Nov 20 2020 07:58:15 +0000 
companyID=d528b12f-08df-4c1f-be10-8ab6c74bf3e2 httpTrans={"userName": "test2", "role": "admin", 
"groups": [], "department": "H:5fa006fc-02e0-11eb-8042-005056897f14", "password": "******", 
"email": "test2@trendmicro.com.cn"} logType=3 act=Add Hosted User

Audit log output sample 2:

Nov 20 07:49:32 10.206.197.118 CEF: 0|Trend Micro|Trend Micro Web Security|
3.4.1.5478|100001|Audit Log|0|userName=admin@trendmicro.com.cn rt=Nov 20 2020 07:47:50 +0000 
companyID=d528b12f-08df-4c1f-be10-8ab6c74bf3e2 httpTrans={"password": "******", 
"userId": "admin@trendmicro.com.cn", "tenantId": "tm"} logType=3 act=Administrator Log On
Parent topic: Content Mapping Between TMWS Log Output and CEF Syslog Formats