In this type of syslog content mapping, provide the CEF Keys field in the format user-defined-key-1=value-1 user-defined-key-2=value-2 … user-defined-key-n=value-n, in which:
  • user-defined-key is defined by the customer.
  • value can be a variable or a constant value. A variable is written as %{variable} and supports the following:
    • Predefined or custom extension CEF keys
      Example: %{rt}, %{wrsScore}
    • HTTP header fields in requests and responses, written in lowercase
      Example: %{user-agent_q} refers to the User-Agent field in a request message; %{content-length_s} refers to the Content-Length field in a response message
This field cannot exceed 2,048 characters.
Note
To comply with the ArcSight CEF standard, Trend Micro recommends separating key-value pairs by a space.
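The following script is an added example, not Trend Micro code, showing how a CEF Keys template of the form described above is checked and expanded. It assumes a raw-log record represented as a dictionary whose header fields are stored under lowercase names, and it renders a null variable as an empty value (the same shape as the "fileHash=" pairs in the log samples later on this page); the known-key set, the sample record and the template are constructed for the example.

```python
import re
from typing import Dict, List, Optional

MAX_CEF_KEYS_LEN = 2048                      # limit stated for the CEF Keys field
VAR_RE = re.compile(r"%\{([^}]+)\}")         # %{variable}
PAIR_RE = re.compile(r"^[A-Za-z0-9_.-]+=")   # user-defined-key=value

# CEF keys taken from the mapping table on this page (used only to flag unknown names).
KNOWN_CEF_KEYS = {
    "rt", "logType", "companyID", "adDomain", "userName", "groupName", "userDepartment",
    "gatewayName", "app", "transportBytes", "dst", "src", "upStreamSize", "downStreamSize",
    "domainName", "scanType", "policyName", "profileName", "severity", "principalName",
    "cat", "appName", "wrsScore", "malwareType", "malwareName", "fname", "filehash", "act",
    "httpTrans", "method", "version", "path", "host", "status_code", "scheme", "url",
}
# The page states these header variables are always null because cookies are not recorded.
ALWAYS_NULL = {"cookie_q", "set-cookie_s"}


def check_template(template: str) -> List[str]:
    """Return the problems worth flagging before a CEF Keys value is saved."""
    issues: List[str] = []
    if len(template) > MAX_CEF_KEYS_LEN:
        issues.append(f"field is {len(template)} characters, limit is {MAX_CEF_KEYS_LEN}")
    for pair in template.split():                 # pairs are space separated
        if not PAIR_RE.match(pair):
            issues.append(f"'{pair}' is not in key=value form")
    for name in VAR_RE.findall(template):
        if name in ALWAYS_NULL:
            issues.append(f"%{{{name}}} will always be null (cookies are not recorded)")
        elif name.endswith(("_q", "_s")):         # request / response header variable
            if name != name.lower():
                issues.append(f"%{{{name}}} must be lowercase")
        elif name not in KNOWN_CEF_KEYS:
            issues.append(f"%{{{name}}} is not a CEF key from the mapping table")
    return issues


def lookup(raw: Dict, name: str) -> Optional[str]:
    """Resolve one %{variable} against a raw-log record; None stands for null."""
    if name in ALWAYS_NULL:
        return None
    if name.endswith("_q"):
        return raw.get("request_headers", {}).get(name[:-2])
    if name.endswith("_s"):
        return raw.get("response_headers", {}).get(name[:-2])
    return raw.get(name)


def render_cef_keys(template: str, raw: Dict) -> str:
    """Expand every %{...}; a null resolves to an empty value (assumption for this example)."""
    def substitute(match: re.Match) -> str:
        value = lookup(raw, match.group(1))
        return "" if value is None else str(value)
    return VAR_RE.sub(substitute, template)


# Constructed raw-log record modelled on the example values in the mapping table.
SAMPLE_RAW_LOG = {
    "rt": "Jul 05 2018 07:54:15 +0000",
    "act": "block",
    "wrsScore": "81",
    "domainName": "clients4.google.com",
    "request_headers": {"user-agent": "Mozilla/5.0"},
    "response_headers": {"content-length": "348"},
}
# Constructed template; %{filehash} has no data in the record and %{cookie_q} is never recorded.
TEMPLATE = ("ts=%{rt} action=%{act} score=%{wrsScore} ua=%{user-agent_q} "
            "len=%{content-length_s} fh=%{filehash} cookie=%{cookie_q}")

if __name__ == "__main__":
    for issue in check_template(TEMPLATE):
        print("warning:", issue)
    print(render_cef_keys(TEMPLATE, SAMPLE_RAW_LOG))
```

Running the script warns only about %{cookie_q} and prints the expanded pairs with empty values for the file hash and the cookie, which is what a downstream CEF consumer will receive for fields the raw log does not carry.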
The following table outlines the syslog content mapping between variables and Trend Micro Web Security log output (value).
CEF Access Logs

| Variable | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF: 0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product name | Trend Micro Web Security |
| Header (pver) | Appliance version | Example: 3.0.0.2042 |
| Header (eventid) | Signature ID | Example: 100000 |
| Header (eventName) | Description | Access Log |
| Header (severity) | Risk level | 0: act=allow/analyze; 1: act=monitor/warn/override; 2: act=block |
| rt | UTC timestamp | Example: Jul 05 2018 07:54:15 +0000 |
| logType | Log type | 1: Successful access log; 5: Failed HTTPS access log |
| companyID | Company ID | Example: 7800fcab-7611-416c-9ab4-721b7bd6b076 |
| adDomain | AD domain | Example: trendmicro.com.cn |
| userName | User name or client IP | Example: 10.204.214.188 |
| groupName | Group name | Example: testgroup1 |
| userDepartment | User department | Example: finance department |
| gatewayName | Gateway name | Example: on-premise-2051 |
| app | Protocol used | 1: HTTP; 2: HTTPS; 3: HTTP/2 |
| transportBytes | Body size of a request or response | Example: 221030 |
| dst | Destination IP address of a request | Example: 54.231.184.240 |
| src | Source IP address of a request | Example: 10.204.214.188 |
| upStreamSize | Upstream payload from Trend Micro Web Security to the server, in bytes | Example: 501 |
| downStreamSize | Downstream payload from the server to Trend Micro Web Security, in bytes | Example: 220529 |
| domainName | URL domain | Example: clients4.google.com |
| scanType | Scan type | 0: No rule matched; 1: Client certificate is required; 2: Untrusted server certificate; 10: Approved URLs/Blocked URLs; 13: Client not allowed; 14: Destination port not allowed; 15: Access to private address; 20: Web Reputation service; 21: URL filtering; 30: True file type; 33: MIME type; 34: File extension name; 40: Anti-malware; 41: Unscannable files; 45: Predictive machine learning; 50: Anti-botnet; 60: Application control; 70: Suspicious Object Analysis (Virtual Analyzer); 90: Suspicious Object Filtering (Virtual Analyzer); 100: Data loss prevention; 110: Ransomware |
| policyName | Policy name | Example: default |
| profileName | Profile name | Example: default |
| severity | WRS score threshold | 0: WRS is disabled; 50: WRS security level=Low; 65: WRS security level=Medium; 80: WRS security level=High |
| principalName | Principal name | Example: testuser@trendmicro.com.cn |
| cat | URL category | Example: Search Engines/Portals |
| appName | Application name | Example: Google |
| wrsScore | WRS score | Example: 81 |
| malwareType | Malware type | 1: Virus; 2: Spyware; 3: Joke; 4: Trojan; 5: Test_Virus; 6: Packer; 7: Generic; 8: Other; 9: Botnet |
| malwareName | Malware name | Example: HEUR_OLEXP.B |
| fname | File name | Example: sample_nice_dda_heurb_1177077.ppt-1 |
| filehash | SHA-1 hash of the file | Example: 3f21be4521b5278fb14b8f47afcabe08a17dc504 |
| act | Action | allow; monitor; block; warn; override; analyze |
| httpTrans | HTTP transaction | JSON format. Example: {"http_req":{"method":"GET","scheme":"http","path":"index.html","host":"www.sina.com.cn","headers":{"header_1":"value_1", ...}},"http_response":{"status_code":"200","headers":{...}}} |
| method | HTTP method | Example: GET, PUT, POST |
| version | HTTP version | Example: 1.1 |
| path | HTTP request path | Example: example.html |
| host | HTTP request host | Example: client2.example.com |
| status_code | HTTP response status code | Example: 200, 404, 503. Note: the value -1 indicates that the request was blocked or an unexpected situation occurred. |
| scheme | HTTP or HTTPS protocol | Example: HTTP, HTTPS |
| url | Combination of scheme, host, and path | Example: https://client2.example.com/example.html |
| <http-request-header-name>_q | HTTP request header field | Example: User-Agent: Mozilla/5.0. Note: the value of a variable configured in CEF Keys is null if the raw log of Trend Micro Web Security records no corresponding data. The value of the cookie variable is always null because Trend Micro Web Security does not record cookies in the raw log. |
| <http-response-header-name>_s | HTTP response header field | Example: Content-Length: 348. Note: the value of a variable configured in CEF Keys is null if the raw log of Trend Micro Web Security records no corresponding data. The value of the set-cookie variable is always null because Trend Micro Web Security does not record cookies in the raw log. |
Log output sample 1:
Oct 25 08:13:13 10.206.197.112 CEF: 0|Trend Micro|Trend Micro Web Security|3.1.0.2485|100000|Access Log|1|
act=allow app=2 cat=Proxy cn1=0 cn1Label=malwareType cn2=0 cn2Label=scanType cs1=200 cs1Label=ResponseCode cs2=default 
cs2Label=policyName cs3= cs3=encoding cs4= cs4Label=URL Path cs5=https cs5Label=method desinationDnsDomain=login.live.com 
dhost=login.live.com dvchost=roaming user end=Oct 25 2019 08:04:47 +0000 fileHash= fname= in=291 out=122 proto=tcp RequestURL=https://login.live.com:443/ 
requestClientApplication=Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36 
requestMethod=https shost=10.206.197.110 src=10.206.197.110
Log output sample 2:
Oct 25 08:18:15 10.206.197.112 CEF: 0|Trend Micro|Trend Micro Web Security|3.1.0.2485|100000|Access Log|1|
act=allow app=1 cat=Proxy cn1=0 cn1Label=malwareType cn2=0 cn2Label=scanType cs1=502 cs1Label=ResponseCode cs2=default 
cs2Label=policyName cs3=gzip, deflate cs3=encoding cs4=job/4v20-e2e-ops-an/ cs4Label=URL Path cs5=http cs5Label=method 
desinationDnsDomain=10.202.240.69 dhost=10.202.240.69 dvchost=roaming user end=Oct 25 2019 08:06:24 +0000 fileHash=8aaceef018f9e7cde0b381a9d1237b29e113c1c2 
fname= in=538 out=510 proto=tcp RequestURL=http://10.202.240.69:8080/job/4v20-e2e-ops-an/ 
requestClientApplication=Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36 
requestMethod=http shost=10.206.197.110 src=10.206.197.110
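The parser below is an added example, not Trend Micro code, that reads the two log output samples above back into header fields and extension pairs. It assumes each record arrives as a single syslog line (the samples are wrapped here for display, so they are re-joined inline as constructed input), resolves the cnNLabel/csNLabel pairs to their named values, and translates the header severity using the risk levels from the mapping table. It also reports a key that appears twice in one record, which the "cs3= cs3=encoding" pair in sample 1 triggers; in that case the last value wins.

```python
import re
from typing import Dict, List

# Constructed input: the page's two log output samples, re-joined into one line each.
SAMPLE_LOGS = [
    "Oct 25 08:13:13 10.206.197.112 CEF: 0|Trend Micro|Trend Micro Web Security|3.1.0.2485|100000|Access Log|1|"
    "act=allow app=2 cat=Proxy cn1=0 cn1Label=malwareType cn2=0 cn2Label=scanType cs1=200 cs1Label=ResponseCode "
    "cs2=default cs2Label=policyName cs3= cs3=encoding cs4= cs4Label=URL Path cs5=https cs5Label=method "
    "desinationDnsDomain=login.live.com dhost=login.live.com dvchost=roaming user end=Oct 25 2019 08:04:47 +0000 "
    "fileHash= fname= in=291 out=122 proto=tcp RequestURL=https://login.live.com:443/ "
    "requestClientApplication=Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/76.0.3809.132 Safari/537.36 requestMethod=https shost=10.206.197.110 src=10.206.197.110",
    "Oct 25 08:18:15 10.206.197.112 CEF: 0|Trend Micro|Trend Micro Web Security|3.1.0.2485|100000|Access Log|1|"
    "act=allow app=1 cat=Proxy cn1=0 cn1Label=malwareType cn2=0 cn2Label=scanType cs1=502 cs1Label=ResponseCode "
    "cs2=default cs2Label=policyName cs3=gzip, deflate cs3=encoding cs4=job/4v20-e2e-ops-an/ cs4Label=URL Path "
    "cs5=http cs5Label=method desinationDnsDomain=10.202.240.69 dhost=10.202.240.69 dvchost=roaming user "
    "end=Oct 25 2019 08:06:24 +0000 fileHash=8aaceef018f9e7cde0b381a9d1237b29e113c1c2 fname= in=538 out=510 "
    "proto=tcp RequestURL=http://10.202.240.69:8080/job/4v20-e2e-ops-an/ "
    "requestClientApplication=Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) "
    "Chrome/76.0.3809.132 Safari/537.36 requestMethod=http shost=10.206.197.110 src=10.206.197.110",
]

HEADER_FIELDS = ("logVer", "vendor", "pname", "pver", "eventid", "eventName", "severity")
RISK_LEVEL = {"0": "allow/analyze", "1": "monitor/warn/override", "2": "block"}

# An extension value runs until the next whitespace-separated "key=" token, so values that
# contain spaces (user agents, timestamps) stay whole. CEF escape sequences (\= \| \\) do
# not occur in these samples and are not unescaped here.
EXT_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_cef(line: str) -> Dict[str, object]:
    """Split one syslog line into CEF header fields, extension pairs and any duplicated keys."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header in line")
    parts = line[start:].split("|", 7)        # seven header fields, then the extension
    if len(parts) != 8:
        raise ValueError("CEF header needs seven pipe-separated fields")
    record: Dict[str, object] = dict(zip(HEADER_FIELDS, parts[:7]))
    record["syslogPrefix"] = line[:start].strip()
    extension: Dict[str, str] = {}
    duplicates: List[str] = []
    for key, value in EXT_RE.findall(parts[7]):
        if key in extension:
            duplicates.append(key)            # e.g. "cs3= cs3=encoding" in sample 1
        extension[key] = value                # last occurrence wins
    record["extension"] = extension
    record["duplicateKeys"] = duplicates
    return record


def resolve_labels(extension: Dict[str, str]) -> Dict[str, str]:
    """Add the labelled names: cs1Label=ResponseCode with cs1=200 yields ResponseCode=200."""
    resolved = dict(extension)
    for key, label in extension.items():
        if key.endswith("Label") and key[:-5] in extension:
            resolved[label] = extension[key[:-5]]
    return resolved


def summarize(line: str) -> Dict[str, object]:
    """The fields an analyst reads first, with the header severity mapped to its risk level."""
    record = parse_cef(line)
    ext = resolve_labels(record["extension"])
    return {
        "risk": RISK_LEVEL.get(record["severity"], "unknown"),
        "act": ext.get("act"),
        "src": ext.get("src"),
        "url": ext.get("RequestURL"),
        "responseCode": ext.get("ResponseCode"),
        "policy": ext.get("policyName"),
        "fileHash": ext.get("fileHash") or None,   # empty value means no hash was recorded
        "duplicateKeys": record["duplicateKeys"],
    }


if __name__ == "__main__":
    for sample in SAMPLE_LOGS:
        print(summarize(sample))
```

Resolving the labels before matching on field names matters for any detection logic written against these logs: the response code, policy name and URL path live in cs1, cs2 and cs4 only by convention of the cs*Label pairs, so rules should key on the label rather than the slot number.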