In this type of syslog content mapping, provide the CEF Keys field in the format user-defined-key-1=value-1 user-defined-key-2=value-2 … user-defined-key-n=value-n, in which:
- user-defined-key is defined by the customer.
- value can be a variable or a constant value. The variable is formatted as %{variable} and supports the following:
  - Predefined/custom extension CEF keys. Example: %{rt}, %{wrsScore}
  - HTTP header fields in requests and responses, all in lowercase. Example: %{user-agent_q} refers to the User-Agent field in a request message; %{content-length_s} refers to the Content-Length field in a response message.
- This field cannot exceed 2,048 characters.
To comply with the ArcSight CEF standard, Trend Micro recommends separating key-value pairs by a space.
The following table outlines the syslog content mapping between variables and Trend Micro Web Security log output (value).
Variable | Description | Value |
---|---|---|
Header (logVer) | CEF format version | CEF: 0 |
Header (vendor) | Appliance vendor | Trend Micro |
Header (pname) | Appliance product name | Trend Micro Web Security |
Header (pver) | Appliance version | Example: 3.0.0.2042 |
Header (eventid) | Signature ID | Example: 100000 |
Header (eventName) | Description | Access Log |
Header (severity) | Risk level | |
rt | UTC timestamp | Example: Jul 05 2018 07:54:15 +0000 |
logType | Log type | |
companyID | Company ID | Example: 7800fcab-7611-416c-9ab4-721b7bd6b076 |
adDomain | AD domain | Example: trendmicro.com.cn |
userName | User name or client IP | Example: 10.204.214.188 |
groupName | Group name | Example: testgroup1 |
userDepartment | User department | Example: finance department |
gatewayName | Gateway name | Example: on-premise-2051 |
app | Protocol used | |
transportBytes | Body size of a request or response | Example: 221030 |
dst | Destination IP address of a request | Example: 54.231.184.240 |
src | Source IP address of a request | Example: 10.204.214.188 |
upStreamSize | Upstream payload from Trend Micro Web Security to the server, in bytes | Example: 501 |
downStreamSize | Downstream payload from the server to Trend Micro Web Security, in bytes | Example: 220529 |
domainName | URL domain | Example: clients4.google.com |
scanType | Scan type | |
policyName | Policy name | Example: default |
profileName | Profile name | Example: default |
severity | WRS score threshold | |
principalName | Principal name | Example: testuser@trendmicro.com.cn |
cat | URL category | Example: Search Engines/Portals |
appName | Application name | Example: Google |
wrsScore | WRS score | Example: 81 |
malwareType | Malware type | |
malwareName | Malware name | Example: HEUR_OLEXP.B |
fname | File name | Example: sample_nice_dda_heurb_1177077.ppt-1 |
filehash | SHA-1 | Example: 3f21be4521b5278fb14b8f47afcabe08a17dc504 |
act | Action | |
httpTrans | HTTP transaction | JSON format. Example: {"http_req":{"method":"GET","scheme":"http","path":"index.html","host":"www.sina.com.cn","headers":{"header_1":"value_1", ...}},"http_response":{"status_code":"200","headers":{...}}} |
method | HTTP method | Example: GET, PUT, POST |
version | HTTP version | Example: 1.1 |
path | HTTP request path | Example: example.html |
host | HTTP request host | Example: client2.example.com |
status_code | HTTP response status code | Example: 200, 404, 503. Note: the value -1 indicates that the request was blocked or an unexpected situation occurred. |
scheme | HTTP or HTTPS protocol | Example: HTTP, HTTPS |
url | Combination of scheme, host, and path | Example: https://client2.example.com/example.html |
<http-request-header-name>_q | HTTP request header field | Example: User-Agent: Mozilla/5.0. Note: the value of a variable configured in CEF Keys is null if no corresponding data is recorded in the Trend Micro Web Security raw log. The value of the cookie variable is always null because Trend Micro Web Security does not record cookies in the raw log. |
<http-response-header-name>_s | HTTP response header field | Example: Content-Length: 348. Note: the value of a variable configured in CEF Keys is null if no corresponding data is recorded in the Trend Micro Web Security raw log. The value of the set-cookie variable is always null because Trend Micro Web Security does not record cookies in the raw log. |
macAddress | MAC address of the Windows endpoint with the Enforcement Agent installed | Example: 00-50-56-89-02-14. Note: this CEF key cannot be applied to the on-premises gateway. |
Access log output sample 1:
May 23 03:09:30 10.206.197.102 CEF: 0|Trend Micro|Trend Micro Web Security|3.7.5.5642|100000|Access Log|1|rt=May 23 2022 03:00:22 +0000 logType=1 companyId=e3cdd29e-11aa-4e20-bd4d-180dd3a6e938 adDomain=e2e-uw2-hybrid.com user=admin group= dep= device=roaming user application=2 traffic=466 dst=172.217.14.202 src=3.94.52.82 inbound=335 outbound=131 domain=optimizationguide-pa.googleapis.com scanType=0 policy=block-all profile= severity=0 principalname=admin@e2e-uw2-hybrid.com cat=Computers/Internet appName=The Secure HyperText Transfer Protocol wrs=81 malwareType=0 malwareName= filename= filehash= action=allow httpTrans={"http_req": {"body_len": 0, "headers": {"host": "optimizationguide-pa.googleapis.com:443", "proxy-connection": "keep-alive", "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36"}, "host": "optimizationguide-pa.googleapis.com", "version": "1.1", "path": "", "scheme": "https", "method": "CONNECT"}, "ver": "1.1", "http_response": {"body_len": 0, "headers": {"true-file-type": "0", "via": "http/1.1 localhost.localdomain.test1 (TMWS)", "proxy-connection": "close"}, "version": "1.1", "status_code": 200}} method=CONNECT httpversion=1.1 path= host=optimizationguide-pa.googleapis.com status_code=200 scheme=https RequestUrl=https://optimizationguide-pa.googleapis.com:443/ macAddress=00-50-56-89-02-14
Access log output sample 2:
May 23 06:59:33 10.206.197.102 CEF: 0|Trend Micro|Trend Micro Web Security|3.7.5.5642|100000|Access Log|1|rt=May 23 2022 06:52:28 +0000 logType=1 companyId=e3cdd29e-11aa-4e20-bd4d-180dd3a6e938 adDomain=e2e-uw2-hybrid.com user=admin group= dep= device=roaming user application=1 traffic=0 dst=104.193.88.77 src=3.94.52.82 inbound=0 outbound=0 domain=www.baidu.com scanType=60 policy=block-all profile= severity=0 principalname=admin@e2e-uw2-hybrid.com cat=Computers/Internet appName=Baidu wrs=81 malwareType=0 malwareName= filename= filehash= action=block httpTrans={"http_req": {"body_len": 0, "headers": {"accept-language": "en-US,en;q\=0.9", "accept-encoding": "gzip, deflate", "accept": "text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,*/*;q\=0.8,application/signed-exchange;v\=b3;q\=0.9", "upgrade-insecure-requests": "1", "host": "www.baidu.com", "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36", "proxy-connection": "keep-alive"}, "host": "www.baidu.com", "version": "1.1", "path": "/", "scheme": "http", "method": "GET"}, "ver": "1.1", "http_response": {"body_len": 0, "headers": {"true-file-type": "0"}, "version": "", "status_code": -1}} method=GET httpversion=1.1 path=/ host=www.baidu.com status_code=-1 scheme=http RequestUrl=http://www.baidu.com/ macAddress=00-50-56-89-02-14
The following table outlines the CEF keys available for audit logs.
CEF Key | Description | Value |
---|---|---|
Header (logVer) | CEF format version | CEF: 0 |
Header (vendor) | Appliance vendor | Trend Micro |
Header (pname) | Appliance product name | Trend Micro Web Security |
Header (pver) | Appliance version | Example: 3.4.1.5449 |
Header (eventid) | Signature ID | Example: 100001 |
Header (eventName) | Description | Audit Log |
Header (severity) | Risk level | 0 |
rt | UTC timestamp | Example: Nov 04 2020 02:15:06 +0000 |
userName | Email address | Example: user@example.com |
companyID | Company ID | Example: 7800fcab-7611-416c-9ab4-721b7bd6b076 |
logType | Log type | 3: Audit Log |
act | Administrative operation | Example: Administrator Log On |
httpTrans | Detailed operation information | See the output samples below |
CEF keys not listed in the table are not available for audit logs and are therefore set to null if configured in CEF Keys.
Audit log output sample 1:
Nov 2 09:57:55 ad173.onmicrosoft.com CEF: 0|Trend Micro|Trend Micro Web Security| 3.4.1.5440|100001|Audit Log|0|rt=Nov 02 2020 09:49:58 +0000 src= dest= site= score= category= app= url= http_user_agent= status= bytes_out= bytes_in= user=admin@trendmicro.com.cn companyid=d528b12f-08df-4c1f-be10-8ab6c74bf3e2 action=Save Cloud Syslog Forwarding Setting content={"ip": "10.206.197.117", "contentFormat": "rt=%{rt} src=%{src} dest=%{dst} site=%{domainName} score=%{wrsScore} category=%{cat} app=%{appName} url=%{url} http_user_agent=%{user-agent_q} status=%{status_code} bytes_out=%{downStreamSize} bytes_in=%{upStreamSize} user=%{userName} companyid=%{companyID} action=%{act} content=%{httpTrans}", "enable": 1, "port": 8514}
Audit log output sample 2:
Nov 2 09:57:55 ad173.onmicrosoft.com CEF: 0|Trend Micro|Trend Micro Web Security| 3.4.1.5440|100001|Audit Log|0|rt=Nov 02 2020 09:50:13 +0000 src= dest= site= score= category= app= url= http_user_agent= status= bytes_out= bytes_in= user=admin@trendmicro.com.cn companyid=d528b12f-08df-4c1f-be10-8ab6c74bf3e2 action=Delete Hosted User content="data=H:user-160144443485@trendmicro.com.cn"
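As an added example (not Trend Micro's code and not part of this page), a parser for lines in the format of the access log and audit log samples above: seven pipe-separated header fields after the syslog prefix, then the user-defined key=value pairs. It handles what the samples show: values containing spaces (rt, device, action), empty values for unrecorded variables, the `\=` escape the product writes inside httpTrans, and JSON values (httpTrans, content) that themselves contain `%{...}` and `key=` text and are therefore delimited by brace matching rather than split on spaces. It assumes the header carries no escaped `|` and that `\=` is the only CEF escape present, which holds for the samples.

```python
import json
import re

# Seven pipe-separated header fields, named as in the tables on this page.
HEADER_FIELDS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")
KEY_RE = re.compile(r"([A-Za-z0-9_.-]+)=")        # key=value pair starting at the current position
NEXT_KEY_RE = re.compile(r" [A-Za-z0-9_.-]+=")    # the following pair (values themselves may hold spaces)
JSON_TOK = re.compile(r'"(?:[^"\\]|\\.)*"|[{}]')   # a JSON string (escapes kept intact) or a brace


def _json_end(ext, start):
    """Index just past the balanced JSON object at ext[start]; braces inside strings do not count."""
    depth = 0
    for tok in JSON_TOK.finditer(ext, start):
        if tok.group() == "{":
            depth += 1
        elif tok.group() == "}":
            depth -= 1
            if depth == 0:
                return tok.end()
    raise ValueError("unterminated JSON value in extension")


def parse_extension(ext):
    """Parse 'key=value key2=value ...'; JSON values (httpTrans, content) are decoded in place."""
    fields, pos = {}, 0
    while pos < len(ext):
        m = KEY_RE.match(ext, pos)
        if not m:
            raise ValueError(f"expected key=value at offset {pos}")
        key, pos = m.group(1), m.end()
        if ext.startswith("{", pos):
            end = _json_end(ext, pos)
            fields[key] = json.loads(ext[pos:end].replace("\\=", "="))   # undo CEF '\=' (sample 2)
        else:
            nxt = NEXT_KEY_RE.search(ext, pos)
            end = nxt.start() if nxt else len(ext)                      # empty value when nxt is at pos
            fields[key] = ext[pos:end].replace("\\=", "=")
        pos = end + 1                                                   # skip the single separating space
    return fields


def parse_cef(line):
    """Split a syslog-prefixed CEF line into its seven header fields and the extension dict."""
    parts = line[line.index("CEF:"):].split("|", 7)    # index() raises ValueError if no CEF header
    if len(parts) != 8:
        raise ValueError("CEF header must have seven pipe-separated fields")
    header = dict(zip(HEADER_FIELDS, (p.strip() for p in parts[:7])))  # strip the stray space in pver
    return header, parse_extension(parts[7])
```

Feeding a sample line to parse_cef returns the header as a dict keyed by the table names and the extension with httpTrans or content already decoded, so a SIEM rule can test e.g. ext["httpTrans"]["http_response"]["status_code"] == -1 for blocked requests.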