To use log inspection, perform the steps in the following sections.
Note
You need a Workload license to enable log inspection.
For an overview of the log inspection module, see Analyze logs.

Turn on the log inspection module

Procedure

  1. Go to Policies.
  2. Double-click the policy for which you want to enable log inspection.
  3. Click Log Inspection > General.
  4. For Log Inspection State, select On.
  5. Click Save.

Run a recommendation scan

Assign only the rules that gather security events relevant to your requirements. When rules are assigned indiscriminately, the events generated by this feature can overwhelm the Server & Workload Protection database because too many log entries are triggered and stored. Run a recommendation scan on the computer to get recommendations about which rules are appropriate to apply.

Procedure

  1. Go to Computers and double-click the appropriate computer.
  2. Click Log Inspection > General.
  3. In the Recommendations section, click Scan For Recommendations. Some log inspection rules written by Trend Micro require local configuration to function properly. If you assign one of these rules to your computers, or one of them is assigned automatically, an alert is raised to notify you that configuration is required.

What to do next

For more information about recommendation scans, see Manage and run recommendation scans.

Apply the recommended log inspection rules

Server & Workload Protection ships with many pre-defined rules covering a wide variety of operating systems and applications. When you run a recommendation scan, you can choose to have Server & Workload Protection automatically implement the recommended rules, or you can choose to manually select and assign the rules by following the steps below:

Procedure

  1. Go to Policies.
  2. Double-click the policy that you want to configure.
  3. Click Log Inspection > General.
  4. In the Assigned Log Inspection Rules section, the rules in effect for the policy are displayed. To add or remove log inspection rules, click Assign/Unassign.
  5. Select or deselect the checkboxes for the rules you want to assign or unassign. You can edit the log inspection rule by right-clicking the rule and selecting Properties to edit the rule locally or Properties (Global) to apply the changes to all other policies that are using the rule. For more information, see Examine a log inspection rule.
  6. Click OK.

What to do next

Although Server & Workload Protection ships with log inspection rules for many common operating systems and applications, you also have the option to create your own custom rules. To create a custom rule, you can either use the "Basic Rule" template, or you can write your new rule in XML. For information on how to create a custom rule, see Define a log inspection rule for use in policies.

Test Log Inspection

Before continuing with further Log Inspection configuration steps, test that the rules are working correctly:

Procedure

  1. Ensure Log Inspection is enabled.
  2. Go to the Computer or Policy editor > Log Inspection > Advanced. Change Store events at the Agent/Appliance for later retrieval by DSM when they equal or exceed the following severity level to Low (3) and click Save.
  3. Go to the General tab, and click Assign/Unassign. Search for and enable the following rules:
    • 1002792 - Default Rules Configuration - This is required for all other Log Inspection rules to work.
    If you're a Windows user, also enable:
    • 1002795 - Microsoft Windows Events - This logs an event every time the Windows auditing functionality registers an event.
    If you're a Linux user, also enable:
    • 1002831 - Unix - Syslog - This inspects the syslog for events.
  4. Click OK, and then click Save to apply the rules to the policy.
  5. Attempt to log in to the server with an account that does not exist.
  6. Go to Events & Reports > Log Inspection Events to verify that the failed login attempt was recorded. If the detection is recorded, the Log Inspection module is working correctly.

Configure log inspection event forwarding and storage

When a log inspection rule is triggered, an event is logged. To view these events, go to Events & Reports > Log Inspection Events or Policy editor > Log Inspection > Log Inspection Events. For more information on working with log inspection events, see Log inspection events.
Depending on the severity of an event, you can choose to send it to a syslog server or to store it in the database. Both decisions are made with the severity clipping feature. (For information on enabling syslog forwarding, see Forward Server & Workload Protection events to an external syslog or SIEM server.)
There are two "severity clipping" settings available:
  • Send Agent events to syslog when they equal or exceed the following severity level: This setting determines which events triggered by those rules get sent to the syslog server, if syslog is enabled.
  • Store events at the Agent for later retrieval by Workload Security when they equal or exceed the following severity level: This setting determines which Log Inspection events are kept in the database and displayed in the Log Inspection Events page.
To configure severity clipping:

Procedure

  1. Go to Policies.
  2. Double-click the policy you want to configure.
  3. Click Log Inspection > Advanced.
  4. For Send Agent/Appliance events to syslog when they equal or exceed the following severity level, choose a severity level between Low (0) and Critical (15).
  5. For Store events at the Agent/Appliance for later retrieval by DSM when they equal or exceed the following severity level, choose a severity level between Low (0) and Critical (15).
  6. Click Save.
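The following is an added example, not Trend Micro code and not the Log Inspection engine itself. It illustrates two things from this page together: what the failed login to a nonexistent account from the Test Log Inspection procedure looks like in a Unix syslog line, and how the two severity clipping thresholds above decide, independently, whether a matched event is forwarded to syslog and whether it is stored. The sample log lines, the rule patterns, the rule labels and the severity values are constructed assumptions; only the Low (0) to Critical (15) scale and the "equal or exceed" comparison come from the page.

```python
import re
from dataclasses import dataclass

# Severity scale from the page: Low (0) .. Critical (15). Any other threshold is rejected.
SEVERITY_MIN, SEVERITY_MAX = 0, 15

# Constructed sample syslog lines (not real captures). The second and third are the kind
# of entries a login attempt with a non-existent account leaves in sshd's log.
SAMPLE_LINES = [
    "Jul  7 10:16:10 host1 sshd[2210]: Accepted publickey for alice from 10.0.0.5 port 51100 ssh2",
    "Jul  7 10:15:01 host1 sshd[2201]: Invalid user nosuchuser from 10.0.0.9 port 51022",
    "Jul  7 10:15:03 host1 sshd[2201]: Failed password for invalid user nosuchuser from 10.0.0.9 port 51022 ssh2",
    "Jul  7 10:17:00 host1 cron[300]: (root) CMD (run-parts /etc/cron.hourly)",
]

# Hypothetical rule table: (regex, rule label, severity). Labels and severities are
# assumptions for this example, not Trend Micro rule IDs or their real severities.
RULES = [
    (re.compile(r"sshd\[\d+\]: Invalid user (?P<user>\S+) from (?P<src>\S+)"), "ssh_invalid_user", 5),
    (re.compile(r"sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"), "ssh_failed_password", 5),
    (re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)"), "ssh_login_success", 3),
]


@dataclass
class Event:
    rule: str
    severity: int
    user: str
    source: str
    raw: str
    sent_to_syslog: bool = False
    stored: bool = False


def inspect(lines):
    """Match each line against the rule table; the first matching rule wins."""
    events = []
    for line in lines:
        for pattern, label, severity in RULES:
            m = pattern.search(line)
            if m:
                events.append(Event(label, severity, m.group("user"), m.group("src"), line))
                break
    return events


def _check_threshold(value):
    if not SEVERITY_MIN <= value <= SEVERITY_MAX:
        raise ValueError(f"severity threshold must be between {SEVERITY_MIN} and {SEVERITY_MAX}")


def clip(events, syslog_min, store_min):
    """Apply the two severity clipping settings: an event is forwarded / stored when its
    severity is equal to or exceeds the respective threshold. The two are independent."""
    _check_threshold(syslog_min)
    _check_threshold(store_min)
    for ev in events:
        ev.sent_to_syslog = ev.severity >= syslog_min
        ev.stored = ev.severity >= store_min
    return events


def summarize(lines, syslog_min, store_min):
    """Run inspection and clipping over the lines and count the outcomes."""
    events = clip(inspect(lines), syslog_min, store_min)
    return {
        "matched": len(events),
        "stored": sum(1 for e in events if e.stored),
        "to_syslog": sum(1 for e in events if e.sent_to_syslog),
        "failed_logins": sum(1 for e in events if e.rule != "ssh_login_success"),
    }


if __name__ == "__main__":
    # Store threshold Low (3) as in the test procedure; syslog threshold left higher.
    for ev in clip(inspect(SAMPLE_LINES), syslog_min=8, store_min=3):
        print(f"{ev.rule:<20} sev={ev.severity:<2} user={ev.user:<10} src={ev.source:<10} "
              f"stored={ev.stored} syslog={ev.sent_to_syslog}")
```

The practical point for a defender is the inclusive comparison: lowering the store threshold to Low (3) during the test is what makes a low-severity event such as a successful login visible in Log Inspection Events, and raising it afterwards is what keeps the database from filling with routine entries while the syslog threshold can stay at a different level for the SIEM.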
