Using Syslog Forwarder

Control Manager Syslog Forwarder periodically sends the following logs to Syslog servers:
  • Behavior Monitoring
  • Data Loss Prevention
  • Device Access Control
  • Engine update status
  • Pattern update status

  1. Go to the Control Manager root folder.

    C:\Program Files\Trend Micro\Control Manager or

    C:\Program Files (x86)\Trend Micro\Control Manager

  2. Launch DataExportTool.exe.
  3. Configure log receiver settings.
    • Severity: Severity type (default: Notice)

    • IP address: Syslog server address

    • Port: Syslog server port (default: 514)

    • Facility: Syslog facility (default: Local0)

  4. Configure log forwarding settings.
    • Frequency: How often Syslog Forwarder will query Control Manager for logs (default: 12 hours)

    • Logs to forward: Log types (default: no selection)

    • Format: CEF or Control Manager format

      Details of each format:

      CEF (for ArcSight Server)

      • Column names follow the CEF standard.

      • The corresponding Control Manager format keys are defined in the file DataExportTool.exe.config found in the Control Manager root folder.

      • Column values are the original values queried from the Control Manager database.

      Sample data:

      03-02-2015 16:54:15 Local7.Critical 10.1.1.1 March 02 12:54:46 WIN-VM1.trend.com CEF:0|Trend Micro|Control Manager|6.0|700107| Device Access Control Logs|2| rt=Mar 02 2015 12:53:51 GMT+00:00 cs1Label=Product_Entity/Endpoint cs1=OSCE1 shost=tw-a dvchost=ComputerDAC cn1Label=Product cn1=1 sproc=fake SLF_ProcessName fname=DAC_fileName cn2Label=Device_Type cn2=1 cn3Label=Permission cn3=1

      Control Manager format

      • Column values are mapped to the original values queried from the Control Manager database.

      • Mapping rules are defined by Control Manager.

      • Spaces in column names are replaced by underscores (_).

      Sample data:

      March 01 07:41:55 TMCM:700107 Generated="2015-03-01T19:41:41.347" Product_Entity/Endpoint="OSCE1" Endpoint="tw-a" Managing_Server="fake SLF_ComputerName" Product="ScanMail for ccMail" Target_Process="fake SLF_ProcessName" File_Name="fake SLF_FileName" Device_Type="Non-storage USB" Permission="Read and execute"

  5. Click Start.
  6. Check the Last log forwarded data to see the progress.

    When the syslog forwarding task is complete, the Start button is available again.

    If the task is not complete and you want to pause:

    a. Click Pause or close the tool.
    b. To resume, click Resume. If the tool was closed, open the tool, select log types, and click Resume.
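A parser for the two sample lines shown under step 4, added here as an example and not part of the Control Manager tool or its documentation: it splits the CEF header from its extension, folds the csN/cnN custom fields under their Label names, parses the Control Manager key="value" format, and normalizes both into one schema so the difference between raw and mapped column values is visible side by side. The schema field names (endpoint, device_type, permission) are assumptions chosen for the example.

```python
import re

# Constructed sample input: the two sample lines shown on this page, one per format.
CEF_LINE = ("03-02-2015 16:54:15 Local7.Critical 10.1.1.1 March 02 12:54:46 WIN-VM1.trend.com "
            "CEF:0|Trend Micro|Control Manager|6.0|700107| Device Access Control Logs|2| "
            "rt=Mar 02 2015 12:53:51 GMT+00:00 cs1Label=Product_Entity/Endpoint cs1=OSCE1 "
            "shost=tw-a dvchost=ComputerDAC cn1Label=Product cn1=1 sproc=fake SLF_ProcessName "
            "fname=DAC_fileName cn2Label=Device_Type cn2=1 cn3Label=Permission cn3=1")
TMCM_LINE = ('March 01 07:41:55 TMCM:700107 Generated="2015-03-01T19:41:41.347" '
             'Product_Entity/Endpoint="OSCE1" Endpoint="tw-a" Managing_Server="fake SLF_ComputerName" '
             'Product="ScanMail for ccMail" Target_Process="fake SLF_ProcessName" '
             'File_Name="fake SLF_FileName" Device_Type="Non-storage USB" Permission="Read and execute"')

CEF_HEADER = ("cef_version", "vendor", "product", "version", "signature_id", "name", "severity")


def parse_cef(line):
    """Parse a CEF line as emitted by Syslog Forwarder. Extension values may contain
    spaces (rt=..., sproc=...), so the extension is split only at whitespace that
    precedes the next key=. CEF backslash escapes are not handled here."""
    parts = line[line.index("CEF:") + 4:].split("|", 7)  # 7 header fields + extension
    event = {k: v.strip() for k, v in zip(CEF_HEADER, parts[:7])}
    ext = {}
    for pair in re.split(r"\s+(?=[A-Za-z0-9_]+=)", parts[7].strip()):
        key, _, value = pair.partition("=")
        ext[key] = value
    # csNLabel / cnNLabel give the meaning of the generic csN / cnN custom fields;
    # fold them so the result carries Device_Type rather than cn2.
    for label_key in [k for k in ext if k.endswith("Label") and k[:-5] in ext]:
        label = ext.pop(label_key)
        ext[label] = ext.pop(label_key[:-5])
    event["ext"] = ext
    return event


def parse_tmcm(line):
    """Parse a Control Manager format line: '<timestamp> TMCM:<event id> Key="value" ...'."""
    m = re.match(r"(?P<ts>\S+ \d+ [\d:]+) TMCM:(?P<sid>\d+) (?P<body>.*)$", line)
    if m is None:
        raise ValueError("not a Control Manager format line")
    fields = dict(re.findall(r'([^\s=]+)="([^"]*)"', m.group("body")))
    return {"timestamp": m.group("ts"), "signature_id": m.group("sid"), "fields": fields}


def normalize(event):
    """Map either format onto one schema (field names are this example's choice). CEF
    carries the raw database values (Device_Type=1) while Control Manager format carries
    the mapped text ("Non-storage USB"), so a rule on these fields must target one format."""
    f = event.get("ext") or event["fields"]
    return {"signature_id": event["signature_id"], "endpoint": f.get("shost") or f.get("Endpoint"),
            "device_type": f.get("Device_Type"), "permission": f.get("Permission")}
```

The signature ID 700107 is the same in both formats, so it is the stable key to match on; the value columns differ by format exactly as the page describes.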