Syslog Content Mapping Type 2

In this type of syslog content mapping, provide the CEF Keys field in the format user-defined-key-1=value-1 user-defined-key-2=value-2 … user-defined-key-n=value-n, where:

  • user-defined-key is defined by the customer.

  • value can be a variable or a constant value. The variable is formatted as %{variable} and supports the following:

    • Predefined/custom extension CEF keys

      Example: %{rt}, %{wrsScore}

    • HTTP header fields in requests and responses, all in lowercase

      Example: %{user-agent_q} refers to the User-Agent field in a request message; %{content-length_s} refers to the Content-Length field in a response message

This field cannot exceed 2,048 characters.

Note:

To comply with the ArcSight CEF standard, Trend Micro recommends separating key-value pairs by a space.
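The substitution rules above (constants pass through, %{key} reads a raw-log field, %{name_q} and %{name_s} read request and response headers, unrecorded data renders empty, and the 2,048-character limit on the field) can be checked against a small renderer. The following is an added example written for this page, not Trend Micro code; the function names, the sample record, the headers and the user-defined keys in the template are all constructed for illustration.

```python
import re
from typing import Mapping

# Limit stated on this page for the CEF Keys field.
MAX_CEF_KEYS_LEN = 2048

# %{variable} placeholders; everything outside them is constant text.
_VAR = re.compile(r"%\{([^}]+)\}")


def is_within_limit(template: str) -> bool:
    """True if the CEF Keys string respects the 2,048-character limit."""
    return len(template) <= MAX_CEF_KEYS_LEN


def lookup(name: str, record: Mapping[str, str],
           req_headers: Mapping[str, str], resp_headers: Mapping[str, str]) -> str:
    """Resolve one variable name to the string that replaces %{name}.

    - '<header>_q' reads a request header, '<header>_s' a response header;
      header names are compared case-insensitively because the page writes
      them in lowercase while real messages use mixed case (User-Agent).
    - cookie (request) and set-cookie (response) are never recorded in the
      raw log, so they always render empty.
    - any other name is a key of the raw-log record; a key with no data in
      the raw log renders empty, which is how null appears in the output
      samples on this page ('src= dest=').
    """
    if name.endswith(("_q", "_s")):
        header = name[:-2].lower()
        if header in ("cookie", "set-cookie"):
            return ""
        source = req_headers if name.endswith("_q") else resp_headers
        lowered = {k.lower(): v for k, v in source.items()}
        return lowered.get(header, "")
    return record.get(name, "")


def render(template: str, record: Mapping[str, str],
           req_headers: Mapping[str, str], resp_headers: Mapping[str, str]) -> str:
    """Expand a Type 2 CEF Keys string against one raw-log record."""
    if not is_within_limit(template):
        raise ValueError(f"CEF Keys field is {len(template)} characters; "
                         f"the limit is {MAX_CEF_KEYS_LEN}")
    return _VAR.sub(lambda m: lookup(m.group(1), record, req_headers, resp_headers),
                    template)


# Constructed sample: one raw-log record and the headers of one transaction,
# using example values from the table on this page where it gives any.
RECORD = {
    "rt": "Jul 05 2018 07:54:15 +0000",
    "src": "10.204.214.188",
    "domainName": "clients4.google.com",
    "wrsScore": "81",
    "status_code": "200",
    "act": "allow",
}
REQ_HEADERS = {"User-Agent": "Mozilla/5.0", "Cookie": "session=constructed"}
RESP_HEADERS = {"Content-Length": "348"}

# CEF Keys string in the page's format; the user-defined keys on the left of
# each '=' are chosen for this example. malwareName is deliberately absent
# from RECORD to show how missing data renders.
TEMPLATE = ("rt=%{rt} src=%{src} site=%{domainName} score=%{wrsScore} "
            "http_user_agent=%{user-agent_q} status=%{status_code} "
            "content_length=%{content-length_s} cookie=%{cookie_q} "
            "malware=%{malwareName} action=%{act}")


def render_sample() -> str:
    return render(TEMPLATE, RECORD, REQ_HEADERS, RESP_HEADERS)


if __name__ == "__main__":
    print(render_sample())
```

Values are substituted verbatim, as the page's output samples show (no CEF escaping of spaces or '=' inside values), so whatever consumes the forwarded line has to tolerate values that contain spaces.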

The following table outlines the syslog content mapping between variables and Trend Micro Web Security log output (value).

Table 1. CEF Access Logs

Variable | Description | Value
--- | --- | ---
Header (logVer) | CEF format version | CEF: 0
Header (vendor) | Appliance vendor | Trend Micro
Header (pname) | Appliance product name | Trend Micro Web Security
Header (pver) | Appliance version | Example: 3.0.0.2042
Header (eventid) | Signature ID | Example: 100000
Header (eventName) | Description | Access Log
Header (severity) | Risk level | 0: act=allow/analyze; 1: act=monitor/warn/override; 2: act=block
rt | UTC timestamp | Example: Jul 05 2018 07:54:15 +0000
logType | Log type | 1: Access Log
companyID | Company ID | Example: 7800fcab-7611-416c-9ab4-721b7bd6b076
adDomain | AD domain | Example: trendmicro.com.cn
userName | User name or client IP | Example: 10.204.214.188
groupName | Group name | Example: testgroup1
userDepartment | User department | Example: finance department
gatewayName | Gateway name | Example: on-premise-2051
app | Protocol used | 1: HTTP; 2: HTTPS
transportBytes | Body size of a request or response | Example: 221030
dst | Destination IP address of a request | Example: 54.231.184.240
src | Source IP address of a request | Example: 10.204.214.188
upStreamSize | Upstream payload from Trend Micro Web Security to the server, in bytes | Example: 501
downStreamSize | Downstream payload from the server to Trend Micro Web Security, in bytes | Example: 220529
domainName | URL domain | Example: clients4.google.com
scanType | Scan type | 0: No rule matched; 1: Client certificate is required; 2: Untrusted server certificate; 10: Approved URLs/Blocked URLs; 13: Client not allowed; 14: Destination port not allowed; 15: Access to private address; 20: Web Reputation service; 30: True file type; 33: MIME type; 34: File extension name; 40: Anti-malware; 41: Unscannable files; 45: Predictive machine learning; 50: Anti-botnet; 60: Application control; 70: Suspicious Object Analysis (Virtual Analyzer); 90: Suspicious Object Filtering (Virtual Analyzer); 100: Data loss prevention; 110: Ransomware
policyName | Policy name | Example: default
profileName | Profile name | Example: default
severity | WRS score threshold | 0: WRS is disabled; 50: WRS security level=Low; 65: WRS security level=Medium; 80: WRS security level=High
principalName | Principal name | Example: testuser@trendmicro.com.cn
cat | URL category | Example: Search Engines/Portals
appName | Application name | Example: Google
wrsScore | WRS score | Example: 81
malwareType | Malware type | 1: Virus; 2: Spyware; 3: Joke; 4: Trojan; 5: Test_Virus; 6: Packer; 7: Generic; 8: Other; 9: Botnet
malwareName | Malware name | Example: HEUR_OLEXP.B
fname | File name | Example: sample_nice_dda_heurb_1177077.ppt-1
filehash | SHA-1 | Example: 3f21be4521b5278fb14b8f47afcabe08a17dc504
act | Action | allow, monitor, block, warn, override, analyze
httpTrans | HTTP transaction | JSON format. Example: {"http_req":{"method":"GET","scheme":"http","path":"index.html","host":"www.sina.com.cn","headers":{"header_1":"value_1", ...}},"http_response":{"status_code":"200","headers":{...}}}
method | HTTP method | Example: GET, PUT, POST
version | HTTP version | Example: 1.1
path | HTTP request path | Example: example.html
host | HTTP request host | Example: client2.example.com
status_code | HTTP response status code | Example: 200, 404, 503
scheme | HTTP or HTTPS protocol | Example: HTTP, HTTPS
url | Combination of scheme, host, and path | Example: https://client2.example.com/example.html
<http-request-header-name>_q | HTTP request header field | Example: User-Agent: Mozilla/5.0
<http-response-header-name>_s | HTTP response header field | Example: Content-Length: 348

Note:

The value of a variable configured in CEF Keys is null if the raw log of Trend Micro Web Security has no corresponding data.

The cookie (request header) and set-cookie (response header) variables are always null because Trend Micro Web Security does not record cookies in the raw log.

Access log output sample 1:

Oct 25 08:13:13 10.206.197.112 CEF: 0|Trend Micro|Trend Micro Web Security|3.1.0.2485|100000|Access Log|1|
act=allow app=2 cat=Proxy cn1=0 cn1Label=malwareType cn2=0 cn2Label=scanType cs1=200 cs1Label=ResponseCode cs2=default 
cs2Label=policyName cs3= cs3=encoding cs4= cs4Label=URL Path cs5=https cs5Label=method desinationDnsDomain=login.live.com 
dhost=login.live.com dvchost=roaming user end=1571990687 fileHash= fname= in=291 out=122 proto=tcp RequestURL=https://login.live.com:443/ 
requestClientApplication=Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36 
requestMethod=https shost=10.206.197.110 src=10.206.197.110

Access log output sample 2:

Oct 25 08:18:15 10.206.197.112 CEF: 0|Trend Micro|Trend Micro Web Security|3.1.0.2485|100000|Access Log|1|
act=allow app=1 cat=Proxy cn1=0 cn1Label=malwareType cn2=0 cn2Label=scanType cs1=502 cs1Label=ResponseCode cs2=default 
cs2Label=policyName cs3=gzip, deflate cs3=encoding cs4=job/4v20-e2e-ops-an/ cs4Label=URL Path cs5=http cs5Label=method 
desinationDnsDomain=10.202.240.69 dhost=10.202.240.69 dvchost=roaming user end=1571990784 fileHash=8aaceef018f9e7cde0b381a9d1237b29e113c1c2 
fname= in=538 out=510 proto=tcp RequestURL=http://10.202.240.69:8080/job/4v20-e2e-ops-an/ 
requestClientApplication=Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36 
requestMethod=http shost=10.206.197.110 src=10.206.197.110
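A consumer of the two access-log lines above has to split the seven '|'-delimited header fields (the product writes the version as "CEF: 0", with a space), tokenize an extension whose values contain spaces (requestClientApplication, dvchost=roaming user), and turn the cnN/csN custom fields back into the names carried by their *Label keys. The following parser is an added example for this page and not Trend Micro code; the function names are its own, and the two samples are the page's own lines joined back into single strings.

```python
import re
from typing import Dict, Tuple

# Order of the seven CEF header fields that precede the extension.
HEADER_FIELDS = ("cef_version", "vendor", "product", "device_version",
                 "signature_id", "name", "severity")

_PIPE = re.compile(r"(?<!\\)\|")                  # unescaped '|' separates header fields
_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.-]+)=")  # an extension key starts after whitespace
_ESC = re.compile(r"\\([\\=|nr])")                # CEF escapes: \\ \= \| \n \r


def _unescape(value: str) -> str:
    return _ESC.sub(lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)


def parse_cef(line: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Split one syslog line into CEF header fields and extension key/value pairs.

    The syslog prefix (timestamp, host) before 'CEF:' is dropped. An extension
    value runs until the next 'key=' token, so values with spaces survive.
    On duplicate keys (cs3 in both samples) the last occurrence wins.
    """
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("not a CEF line")
    parts = _PIPE.split(line[start + len("CEF:"):], maxsplit=7)
    if len(parts) != 8:
        raise ValueError("CEF header must have 7 '|'-separated fields")
    header = {k: _unescape(v.strip()) for k, v in zip(HEADER_FIELDS, parts[:7])}
    ext_text = parts[7]
    ext: Dict[str, str] = {}
    matches = list(_KEY.finditer(ext_text))
    for i, m in enumerate(matches):
        end = matches[i + 1].start() if i + 1 < len(matches) else len(ext_text)
        ext[m.group(1)] = _unescape(ext_text[m.end():end].strip())
    return header, ext


def resolve_labels(ext: Dict[str, str]) -> Dict[str, str]:
    """Rename cnN/csN custom fields to the names given by their *Label keys.

    A value key with no matching *Label key (cs3 in the samples) keeps its
    raw name; *Label keys themselves are dropped from the result.
    """
    out: Dict[str, str] = {}
    for key, value in ext.items():
        if key.endswith("Label"):
            continue
        label = ext.get(key + "Label")
        out[label if label else key] = value
    return out


# Constructed input: the two access-log output samples from this page,
# re-joined into single lines (the page shows them wrapped for display).
SAMPLE_1 = (
    "Oct 25 08:13:13 10.206.197.112 CEF: 0|Trend Micro|Trend Micro Web Security|3.1.0.2485|100000|Access Log|1|"
    "act=allow app=2 cat=Proxy cn1=0 cn1Label=malwareType cn2=0 cn2Label=scanType cs1=200 cs1Label=ResponseCode cs2=default "
    "cs2Label=policyName cs3= cs3=encoding cs4= cs4Label=URL Path cs5=https cs5Label=method desinationDnsDomain=login.live.com "
    "dhost=login.live.com dvchost=roaming user end=1571990687 fileHash= fname= in=291 out=122 proto=tcp RequestURL=https://login.live.com:443/ "
    "requestClientApplication=Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36 "
    "requestMethod=https shost=10.206.197.110 src=10.206.197.110"
)
SAMPLE_2 = (
    "Oct 25 08:18:15 10.206.197.112 CEF: 0|Trend Micro|Trend Micro Web Security|3.1.0.2485|100000|Access Log|1|"
    "act=allow app=1 cat=Proxy cn1=0 cn1Label=malwareType cn2=0 cn2Label=scanType cs1=502 cs1Label=ResponseCode cs2=default "
    "cs2Label=policyName cs3=gzip, deflate cs3=encoding cs4=job/4v20-e2e-ops-an/ cs4Label=URL Path cs5=http cs5Label=method "
    "desinationDnsDomain=10.202.240.69 dhost=10.202.240.69 dvchost=roaming user end=1571990784 fileHash=8aaceef018f9e7cde0b381a9d1237b29e113c1c2 "
    "fname= in=538 out=510 proto=tcp RequestURL=http://10.202.240.69:8080/job/4v20-e2e-ops-an/ "
    "requestClientApplication=Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36 "
    "requestMethod=http shost=10.206.197.110 src=10.206.197.110"
)


if __name__ == "__main__":
    for sample in (SAMPLE_1, SAMPLE_2):
        header, ext = parse_cef(sample)
        fields = resolve_labels(ext)
        print(header["severity"], fields["act"], fields["policyName"],
              fields["ResponseCode"], fields["scanType"], fields["fileHash"])
```

The key tokenizer relies on the product not escaping '=' inside values, which holds for the access-log samples but not for the audit-log samples further down: there the content= value embeds a JSON document that itself contains "rt=%{rt} src=%{src} ..." text, so an audit line needs the content field cut out (for example on the first "content=") before the rest is tokenized this way.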

Table 2. CEF Audit Logs

CEF Key | Description | Value
--- | --- | ---
Header (logVer) | CEF format version | CEF: 0
Header (vendor) | Appliance vendor | Trend Micro
Header (pname) | Appliance product name | Trend Micro Web Security
Header (pver) | Appliance version | Example: 3.4.1.5449
Header (eventid) | Signature ID | Example: 100001
Header (eventName) | Description | Audit Log
Header (severity) | Risk level | 0
rt | UTC timestamp | Example: Nov 04 2020 02:15:06 +0000
userName | Email address | Example: user@example.com
companyID | Company ID | Example: 7800fcab-7611-416c-9ab4-721b7bd6b076
logType | Log type | 3: Audit Log
act | Administrative operation | Example: Administrator Log On
httpTrans | Detailed operation information | See the output samples below

Note:

CEF keys not listed in this table are not available for audit logs and are set to null if configured in CEF Keys.

Audit log output sample 1:

Nov 2 09:57:55 ad173.onmicrosoft.com CEF: 0|Trend Micro|Trend Micro Web Security|
3.4.1.5440|100001|Audit Log|0|rt=Nov 02 2020 09:49:58 +0000 src= dest= site= score= category= 
app= url= http_user_agent= status= bytes_out= bytes_in= user=admin@trendmicro.com.cn 
companyid=d528b12f-08df-4c1f-be10-8ab6c74bf3e2 action=Save Cloud Syslog Forwarding Setting 
content={"ip": "10.206.197.117", "contentFormat": "rt=%{rt} src=%{src} dest=%{dst} site=%{domainName} 
score=%{wrsScore} category=%{cat} app=%{appName} url=%{url} http_user_agent=%{user-agent_q} 
status=%{status_code} bytes_out=%{downStreamSize} bytes_in=%{upStreamSize} user=%{userName} 
companyid=%{companyID} action=%{act} content=%{httpTrans}", "enable": 1, "port": 8514}

Audit log output sample 2:

Nov 2 09:57:55 ad173.onmicrosoft.com CEF: 0|Trend Micro|Trend Micro Web Security|
3.4.1.5440|100001|Audit Log|0|rt=Nov 02 2020 09:50:13 +0000 src= dest= site= score= category= 
app= url= http_user_agent= status= bytes_out= bytes_in= user=admin@trendmicro.com.cn 
companyid=d528b12f-08df-4c1f-be10-8ab6c74bf3e2 action=Delete Hosted User 
content="data=H:user-160144443485@trendmicro.com.cn"