In this type of syslog content mapping, provide the CEF Keys field in the format {CEF Key 1}|{CEF Key 2}|...|{CEF Key n}, with the keys separated by "|".
The following table maps the predefined and custom extension CEF keys to the corresponding Trend Micro Web Security log output (value).

CEF Access Logs

| CEF Key | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF:0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product name | Trend Micro Web Security |
| Header (pver) | Appliance version | Example: 3.0.0.2042 |
| Header (eventid) | Signature ID | Example: 100000 |
| Header (eventName) | Description | Access Log |
| Header (severity) | Risk level | 0: act=allow/analyze; 1: act=monitor/warn/override; 2: act=block |
| rt | UTC timestamp | Example: Jul 05 2018 07:54:15 +0000 |
| logType | Log type | 1: Successful access log; 5: Failed HTTPS access log |
| companyID | Company ID | Example: 7800fcab-7611-416c-9ab4-721b7bd6b076 |
| adDomain | AD domain | Example: trendmicro.com.cn |
| userName | User name or client IP | Example: 10.204.214.188 |
| groupName | Group name | Example: testgroup1 |
| userDepartment | User department | Example: finance department |
| gatewayName | Gateway name | Example: on-premise-2051 |
| app | Protocol used | 1: HTTP; 2: HTTPS; 3: HTTP/2 |
| transportBytes | Body size of a request or response | Example: 221030 |
| dst | Destination IP address of a request | Example: 54.231.184.240 |
| src | Source IP address of a request | Example: 10.204.214.188 |
| upStreamSize | Upstream payload from Trend Micro Web Security to the server, in bytes | Example: 501 |
| downStreamSize | Downstream payload from the server to Trend Micro Web Security, in bytes | Example: 220529 |
| domainName | URL domain | Example: clients4.google.com |
| scanType | Scan type | 0: Not match any rule; 1: Client certificate is required; 2: Untrusted server certificate; 10: Approved URLs/Blocked URLs; 13: Client not allowed; 14: Destination port not allowed; 15: Access to private address; 20: Web Reputation service; 21: URL filtering; 30: True file type; 33: MIME type; 34: File extension name; 40: Anti-malware; 41: Unscannable files; 45: Predictive machine learning; 50: Anti-botnet; 60: Application control; 70: Suspicious Object Analysis (Virtual Analyzer); 90: Suspicious Object Filtering (Virtual Analyzer); 100: Data loss prevention; 110: Ransomware |
| policyName | Policy name | Example: default |
| profileName | Profile name | Example: default |
| severity | WRS score threshold | 0: WRS is disabled; 50: WRS security level=Low; 65: WRS security level=Medium; 80: WRS security level=High |
| principalName | Principal name | Example: testuser@trendmicro.com.cn |
| cat | URL category | Example: Search Engines/Portals |
| appName | Application name | Example: Google |
| wrsScore | WRS score | Example: 81 |
| malwareType | Malware type | 1: Virus; 2: Spyware; 3: Joke; 4: Trojan; 5: Test_Virus; 6: Packer; 7: Generic; 8: Other; 9: Botnet |
| malwareName | Malware name | Example: HEUR_OLEXP.B |
| fname | File name | Example: sample_nice_dda_heurb_1177077.ppt-1 |
| filehash | SHA-1 | Example: 3f21be4521b5278fb14b8f47afcabe08a17dc504 |
| act | Action | allow; monitor; block; warn; override; analyze |
| httpTrans | HTTP transaction | JSON format. Example: `{"http_req":{"method":"GET","scheme":"http","path":"index.html","host":"www.sina.com.cn","headers":{"header_1":"value_1", ...}},"http_response":{"status_code":"200","headers":{...}}}` |
Log output sample 1:
CEF:0|Trend Micro|Trend Micro Web Security|3.0.0.2040|100000|Access Log|0| 
wrsScore=81 companyID=7800fcab-7611-416c-9ab4-721b7bd6b076 app=2 upStreamSize=1064 
userDepartment= scanType=0 malwareType=0 
httpTrans={"http_req":{"headers":{"host":"clients4.google.com:443",
"proxy-connection":"keep-alive","user-agent":"Chrome WIN 67.0.3396.99 
(a337fbf3c2ab8ebc6b64b0bfdce73a20e2e2252b-refs/branch-heads/3396@{#790}) channel(stable)"},
"host":"clients4.google.com","method":"CONNECT","path":"","scheme":"https"},
"http_response":{"headers":{"content-length":"0"},"status_code":200},"ver":"1.0"}  
malwareName= rt=Jul 29 2018 19:34:11 +0000 policyName=default severity=65 filehash= 
logType=1 dst=172.217.24.206 appName=Google groupName= fname= adDomain= 
gatewayName=on-premise-2040 principalName= downStreamSize=4607 profileName= 
userName=10.204.214.188 src=10.204.214.188 transportBytes=5787
domainName=clients4.google.com cat=Search Engines/Portals act=allow
Log output sample 2:
CEF:0|Trend Micro|Trend Micro Web Security|3.0.0.2051|100000|Access Log|0| 
wrsScore=49 companyID=7800fcab-7611-416c-9ab4-721b7bd6b076 app=1 upStreamSize=501 
userDepartment= scanType=70 malwareType=8 
httpTrans={"http_req":{"headers":{"accept-encoding":"gzip,deflate",
"host":"s3-us-west-2.amazonaws.com","user-agent":"Mozilla/5.0 
(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99
Safari/537.36","x-forwarded-for":"10.204.214.188"},"host":"s3-us-west-2.amazonaws.com",
"method":"GET","path":"dda-demo-samples/SAMPLE_NICE_DDA_HEURB_1177077.ppt-1",
"scheme":"http"},"http_response":{"headers":{"content-length":"220160",
"content-type":"binary/octet-stream"},"status_code":200},"ver":"1.0"}
malwareName=HEUR_OLEXP.B rt=Aug 06 2018 02:24:15 +0000 policyName=default severity=0
filehash=3f21be4521b5278fb14b8f47afcabe08a17dc504 logType=1 dst=54.231.184.240 
appName=Amazon Web Services (AWS) groupName= fname=sample_nice_dda_heurb_1177077.ppt-1 
adDomain= gatewayName=on-premise-2051 principalName= downStreamSize=220529 
profileName=default userName=10.204.214.188 src=10.204.214.188 transportBytes=221030
domainName=s3-us-west-2.amazonaws.com cat=Malware Accomplice act=analyze
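As an added example (not code from the original page or from Trend Micro), the following Python parser applies the mapping above to an access-log message: it splits the CEF header from the extension, cuts the extension on the known key names (because cat, appName and httpTrans values contain spaces and "=" characters), decodes the scanType and malwareType codes from the table, and checks that the header severity agrees with act. The function names, the "review" heuristic (act of block/analyze/warn, scanType 40 or above, or a non-empty malwareName) and the abridged one-line version of log output sample 2 are assumptions made for this example.

```python
import json
import re
# Code tables copied from the mapping above (scanType, malwareType, header severity by act).
SCAN_TYPE = {0: "Not match any rule", 1: "Client certificate is required", 2: "Untrusted server certificate",
             10: "Approved URLs/Blocked URLs", 13: "Client not allowed", 14: "Destination port not allowed",
             15: "Access to private address", 20: "Web Reputation service", 21: "URL filtering", 30: "True file type",
             33: "MIME type", 34: "File extension name", 40: "Anti-malware", 41: "Unscannable files",
             45: "Predictive machine learning", 50: "Anti-botnet", 60: "Application control",
             70: "Suspicious Object Analysis (Virtual Analyzer)", 90: "Suspicious Object Filtering (Virtual Analyzer)",
             100: "Data loss prevention", 110: "Ransomware"}
MALWARE_TYPE = {1: "Virus", 2: "Spyware", 3: "Joke", 4: "Trojan", 5: "Test_Virus", 6: "Packer",
                7: "Generic", 8: "Other", 9: "Botnet"}
ACT_SEVERITY = {"allow": 0, "analyze": 0, "monitor": 1, "warn": 1, "override": 1, "block": 2}
# Extension keys from the table; the extension is split on these names rather than on whitespace,
# because cat, appName and httpTrans values themselves contain spaces, '=' and ':'.
EXT_KEYS = ("rt logType companyID adDomain userName groupName userDepartment gatewayName app "
            "transportBytes dst src upStreamSize downStreamSize domainName scanType policyName "
            "profileName severity principalName cat appName wrsScore malwareType malwareName "
            "fname filehash act httpTrans").split()
KEY_RE = re.compile(r"(?:^|(?<=\s))(%s)=" % "|".join(sorted(EXT_KEYS, key=len, reverse=True)))

def parse_cef(line):
    parts = line.strip().split("|", 7)  # 7 header fields, then the extension
    if len(parts) != 8 or parts[0] != "CEF:0": raise ValueError("not a CEF:0 message")
    ev = dict(zip(("logVer", "vendor", "pname", "pver", "eventid", "eventName", "hdrSeverity"), parts))
    ext = parts[7].strip(); hits = list(KEY_RE.finditer(ext))
    for i, m in enumerate(hits):  # a value runs up to the next recognised key
        end = hits[i + 1].start() if i + 1 < len(hits) else len(ext)
        ev[m.group(1)] = ext[m.end():end].strip()
    for k in ("hdrSeverity", "logType", "app", "scanType", "malwareType", "wrsScore", "severity"):
        ev[k] = int(ev[k])
    ev["httpTrans"] = json.loads(ev["httpTrans"])  # table: JSON-formatted HTTP transaction
    return ev

def triage(ev):
    # Decode the numeric codes, flag events worth analyst review (assumed heuristic), report inconsistencies.
    issues = []
    if ACT_SEVERITY.get(ev["act"]) != ev["hdrSeverity"]:
        issues.append("header severity does not match act")
    review = ev["act"] in ("block", "analyze", "warn") or ev["scanType"] >= 40 or bool(ev["malwareName"])
    return {"scan": SCAN_TYPE.get(ev["scanType"], "unknown"),
            "malware": MALWARE_TYPE.get(ev["malwareType"], "none"), "review": review, "issues": issues}

# Constructed input: log output sample 2 above, joined onto one line and abridged (fewer keys, short UA).
SAMPLE = ("CEF:0|Trend Micro|Trend Micro Web Security|3.0.0.2051|100000|Access Log|0| wrsScore=49 app=1 "
          'userDepartment= scanType=70 malwareType=8 httpTrans={"http_req":{"headers":{"host":"s3-us-west-2.amazonaws.com",'
          '"user-agent":"Mozilla/5.0"},"host":"s3-us-west-2.amazonaws.com","method":"GET","scheme":"http",'
          '"path":"dda-demo-samples/SAMPLE_NICE_DDA_HEURB_1177077.ppt-1"},"http_response":{"headers":'
          '{"content-length":"220160"},"status_code":200},"ver":"1.0"} malwareName=HEUR_OLEXP.B '
          "rt=Aug 06 2018 02:24:15 +0000 policyName=default severity=0 logType=1 dst=54.231.184.240 "
          "filehash=3f21be4521b5278fb14b8f47afcabe08a17dc504 appName=Amazon Web Services (AWS) "
          "fname=sample_nice_dda_heurb_1177077.ppt-1 userName=10.204.214.188 src=10.204.214.188 "
          "domainName=s3-us-west-2.amazonaws.com cat=Malware Accomplice act=analyze")
```

The parser does not handle CEF backslash escapes (`\|` in the header, `\=` in extension values); the samples on this page contain none, but a production collector should unescape them before splitting.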