In this type of syslog content mapping, provide the CEF Keys field in the format user-defined-key-1=value-1 user-defined-key-2=value-2 … user-defined-key-n=value-n, in which:
- user-defined-key is defined by the customer.
- value can be a variable or a constant value. A variable is written as %{variable} and supports the following:
  - Predefined or custom extension CEF keys. Example: %{rt}, %{wrsScore}
  - HTTP header fields in requests and responses, all in lowercase. Example: %{user-agent_q} refers to the User-Agent field in a request message; %{content-length_s} refers to the Content-Length field in a response message.
- This field cannot exceed 2,048 characters.
To comply with the ArcSight CEF standard, Trend Micro recommends separating key-value pairs by a space.
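The following is an added example, not code from Trend Micro or this page: a small renderer that expands a customer-defined CEF Keys template against a constructed raw-log record, applying the rules above (%{variable} substitution, lowercase header lookups with the _q/_s suffix, null for data the raw log does not carry, cookies always null, the 2,048-character limit, space-separated pairs). The function names, the record layout and the `TEMPLATE` are hypothetical; the escaping of `=`, `\` and newlines follows the CEF extension syntax rather than anything on this page.

```python
import re

MAX_CEF_KEYS_LEN = 2048                      # limit stated for the CEF Keys field
NEVER_LOGGED = {"cookie_q", "set-cookie_s"}  # cookies are never in the raw log
VAR_RE = re.compile(r"%\{([^}]+)\}")         # matches %{variable}

# Constructed sample raw-log record (hypothetical layout); names follow the mapping table.
SAMPLE_RECORD = {
    "rt": "Jul 05 2018 07:54:15 +0000",
    "wrsScore": "81",
    "userName": "10.204.214.188",
    "request_headers": {"User-Agent": "Mozilla/5.0 (X11)"},
    "response_headers": {"Content-Length": "348"},
}

def cef_escape(value):
    """Escape characters the CEF extension syntax reserves (CEF-spec rule, not from the page)."""
    return (value.replace("\\", "\\\\").replace("=", "\\=")
                 .replace("\r", "").replace("\n", "\\n"))

def resolve(var, record):
    """Resolve one variable; data missing from the raw log yields null (empty)."""
    if var in NEVER_LOGGED:
        return ""
    if var.endswith(("_q", "_s")):  # header field: _q = request, _s = response
        side = "request_headers" if var.endswith("_q") else "response_headers"
        lowered = {k.lower(): v for k, v in record[side].items()}
        return lowered.get(var[:-2], "")
    return str(record.get(var, ""))  # predefined or custom extension CEF key

def render_cef_keys(template, record):
    """Expand 'key=%{var} key2=const' into a space-separated CEF extension string."""
    if len(template) > MAX_CEF_KEYS_LEN:
        raise ValueError("CEF Keys field exceeds 2,048 characters")
    rendered = []
    for pair in template.split():           # pairs are space-separated
        key, sep, value = pair.partition("=")
        if not sep or not key:
            raise ValueError("malformed key-value pair: %r" % pair)
        expanded = VAR_RE.sub(lambda m: cef_escape(resolve(m.group(1), record)), value)
        rendered.append("%s=%s" % (key, expanded))
    return " ".join(rendered)

# Hypothetical customer template mixing CEF keys, header variables and a constant.
TEMPLATE = ("suser=%{userName} score=%{wrsScore} ua=%{user-agent_q} "
            "clen=%{content-length_s} ck=%{cookie_q} origin=twsgw")

if __name__ == "__main__":
    print(render_cef_keys(TEMPLATE, SAMPLE_RECORD))
```

Escaping matters because header values such as User-Agent are attacker-controlled and would otherwise let a client inject extra key=value pairs into the record a SIEM parses.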
The following table outlines the syslog content mapping between variables and Trend Micro Web Security log output (value).
| Variable | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF: 0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product name | Trend Micro Web Security |
| Header (pver) | Appliance version | Example: 3.0.0.2042 |
| Header (eventid) | Signature ID | Example: 100000 |
| Header (eventName) | Description | Access Log |
| Header (severity) | Risk level | |
| rt | UTC timestamp | Example: Jul 05 2018 07:54:15 +0000 |
| logType | Log type | |
| companyID | Company ID | Example: 7800fcab-7611-416c-9ab4-721b7bd6b076 |
| adDomain | AD domain | Example: trendmicro.com.cn |
| userName | User name or client IP | Example: 10.204.214.188 |
| groupName | Group name | Example: testgroup1 |
| userDepartment | User department | Example: finance department |
| gatewayName | Gateway name | Example: on-premise-2051 |
| app | Protocol used | |
| transportBytes | Body size of a request or response | Example: 221030 |
| dst | Destination IP address of a request | Example: 54.231.184.240 |
| src | Source IP address of a request | Example: 10.204.214.188 |
| upStreamSize | Upstream payload from Trend Micro Web Security to the server, in bytes | Example: 501 |
| downStreamSize | Downstream payload from the server to Trend Micro Web Security, in bytes | Example: 220529 |
| domainName | URL domain | Example: clients4.google.com |
| scanType | Scan type | |
| policyName | Policy name | Example: default |
| profileName | Profile name | Example: default |
| severity | WRS score threshold | |
| principalName | Principal name | Example: testuser@trendmicro.com.cn |
| cat | URL category | Example: Search Engines/Portals |
| appName | Application name | Example: Google |
| wrsScore | WRS score | Example: 81 |
| malwareType | Malware type | |
| malwareName | Malware name | Example: HEUR_OLEXP.B |
| fname | File name | Example: sample_nice_dda_heurb_1177077.ppt-1 |
| filehash | SHA-1 | Example: 3f21be4521b5278fb14b8f47afcabe08a17dc504 |
| act | Action | |
| httpTrans | HTTP transaction | JSON format. Example: {"http_req":{"method":"GET","scheme":"http","path":"index.html","host":"www.sina.com.cn","headers":{"header_1":"value_1", ...}},"http_response":{"status_code":"200","headers":{...}}} |
| method | HTTP method | Example: GET, PUT, POST |
| version | HTTP version | Example: 1.1 |
| path | HTTP request path | Example: example.html |
| host | HTTP request host | Example: client2.example.com |
| status_code | HTTP response status code | Example: 200, 404, 503. Note: The value -1 indicates that the request was blocked or an unexpected situation occurred. |
| scheme | HTTP or HTTPS protocol | Example: HTTP, HTTPS |
| url | Combination of scheme, host, and path | Example: https://client2.example.com/example.html |
| `<http-request-header-name>_q` | HTTP request header field | Example: User-Agent: Mozilla/5.0. Note: The value of a variable configured in CEF Keys is null if there is no corresponding data recorded in the raw log of Trend Micro Web Security. The value of the cookie variable is always null because Trend Micro Web Security does not record cookies in the raw log. |
| `<http-response-header-name>_s` | HTTP response header field | Example: Content-Length: 348. Note: The value of a variable configured in CEF Keys is null if there is no corresponding data recorded in the raw log of Trend Micro Web Security. The value of the set-cookie variable is always null because Trend Micro Web Security does not record cookies in the raw log. |
Log output sample 1:

```
Oct 25 08:13:13 10.206.197.112 CEF: 0|Trend Micro|Trend Micro Web Security|3.1.0.2485|100000|Access Log|1| act=allow app=2 cat=Proxy cn1=0 cn1Label=malwareType cn2=0 cn2Label=scanType cs1=200 cs1Label=ResponseCode cs2=default cs2Label=policyName cs3= cs3=encoding cs4= cs4Label=URL Path cs5=https cs5Label=method desinationDnsDomain=login.live.com dhost=login.live.com dvchost=roaming user end=Oct 25 2019 08:04:47 +0000 fileHash= fname= in=291 out=122 proto=tcp RequestURL=https://login.live.com:443/ requestClientApplication=Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36 requestMethod=https shost=10.206.197.110 src=10.206.197.110
```

Log output sample 2:

```
Oct 25 08:18:15 10.206.197.112 CEF: 0|Trend Micro|Trend Micro Web Security|3.1.0.2485|100000|Access Log|1| act=allow app=1 cat=Proxy cn1=0 cn1Label=malwareType cn2=0 cn2Label=scanType cs1=502 cs1Label=ResponseCode cs2=default cs2Label=policyName cs3=gzip, deflate cs3=encoding cs4=job/4v20-e2e-ops-an/ cs4Label=URL Path cs5=http cs5Label=method desinationDnsDomain=10.202.240.69 dhost=10.202.240.69 dvchost=roaming user end=Oct 25 2019 08:06:24 +0000 fileHash=8aaceef018f9e7cde0b381a9d1237b29e113c1c2 fname= in=538 out=510 proto=tcp RequestURL=http://10.202.240.69:8080/job/4v20-e2e-ops-an/ requestClientApplication=Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36 requestMethod=http shost=10.206.197.110 src=10.206.197.110
```
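On the receiving side, a SIEM needs to split lines like the samples above back into header fields and extension pairs and to fold the cnN/csN label pairs (cn1=0 cn1Label=malwareType) into the named variables from the table. The parser below is an added example, not Trend Micro's code; its function names are hypothetical, and it is run over sample 1 from this page. Note that the sample repeats the key cs3, so the parser keeps the first occurrence of a duplicated key.

```python
import re

# Log output sample 1 from this page, joined from fragments without any change.
SAMPLE_1 = ("Oct 25 08:13:13 10.206.197.112 CEF: 0|Trend Micro|Trend Micro Web Security|"
            "3.1.0.2485|100000|Access Log|1| act=allow app=2 cat=Proxy cn1=0 cn1Label=malwareType "
            "cn2=0 cn2Label=scanType cs1=200 cs1Label=ResponseCode cs2=default cs2Label=policyName "
            "cs3= cs3=encoding cs4= cs4Label=URL Path cs5=https cs5Label=method "
            "desinationDnsDomain=login.live.com dhost=login.live.com dvchost=roaming user "
            "end=Oct 25 2019 08:04:47 +0000 fileHash= fname= in=291 out=122 proto=tcp "
            "RequestURL=https://login.live.com:443/ requestClientApplication=Mozilla/5.0 "
            "(Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
            "Chrome/76.0.3809.132 Safari/537.36 requestMethod=https shost=10.206.197.110 "
            "src=10.206.197.110")

HEADER_FIELDS = ["version", "vendor", "product", "product_version",
                 "signature_id", "name", "severity"]
# An extension key is a bare identifier followed by '=' at the start or after whitespace;
# values may contain spaces, so each value runs up to the next such key.
EXT_KEY_RE = re.compile(r"(?:^|\s)([A-Za-z0-9_]+)=")

def parse_cef(line):
    """Split a syslog-wrapped CEF line into header fields and an extension dict."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF line")
    parts = line[start + len("CEF:"):].lstrip().split("|", 7)  # 7 header fields + extension
    if len(parts) != 8:
        raise ValueError("CEF header needs 7 pipe-separated fields")
    event = {"syslog_prefix": line[:start].strip()}
    event.update(zip(HEADER_FIELDS, (p.strip() for p in parts[:7])))
    ext = parts[7].strip()
    keys = list(EXT_KEY_RE.finditer(ext))
    extension = {}
    for i, m in enumerate(keys):
        value_end = keys[i + 1].start() if i + 1 < len(keys) else len(ext)
        extension.setdefault(m.group(1), ext[m.end():value_end].strip())  # first wins
    event["extension"] = extension
    return event

def resolve_labels(extension):
    """Fold cnN/csN pairs into their label names: cn1=0 + cn1Label=malwareType -> malwareType=0."""
    named = {}
    for key, value in extension.items():
        if key.endswith("Label"):
            continue
        named[extension.get(key + "Label") or key] = value
    return named

if __name__ == "__main__":
    event = parse_cef(SAMPLE_1)
    print(event["signature_id"], event["severity"], resolve_labels(event["extension"]))
```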