Syslog Content Mapping Type 2
In this type of syslog content mapping, provide the CEF Keys field in the format of user-defined-key-1=value-1 user-defined-key-2=value-2 … user-defined-key-n=value-n, in which:
-
user-defined-key is defined by the customer.
-
value can be a variable or a constant value. The variable is formatted as %{variable} and supports the following:
-
Predefined/custom extension CEF keys
Example: %{rt}, %{wrsScore}
-
HTTP header fields in requests and responses, all in lowercase
Example: %{user-agent_q} refers to the User-Agent field in a request message; %{content-length_s} refers to the Content-Length field in a response message
-
This field cannot exceed 2,048 characters.
To comply with the ArcSight CEF standard, Trend Micro recommends separating key-value pairs by a space.
The following table outlines the syslog content mapping between variables and Trend Micro Web Security log output (value).
|
Variable |
Description |
Value |
|---|---|---|
|
Header (logVer) |
CEF format version |
CEF: 0 |
|
Header (vendor) |
Appliance vendor |
Trend Micro |
|
Header (pname) |
Appliance product name |
Trend Micro Web Security |
|
Header (pver) |
Appliance version |
Example: 3.0.0.2042 |
|
Header (eventid) |
Signature ID |
Example: 100000 |
|
Header (eventName) |
Description |
Access Log |
|
Header (severity) |
Risk level |
|
|
rt |
UTC timestamp |
Example: Jul 05 2018 07:54:15 +0000 |
|
logType |
Log type |
1: Access Log |
|
companyID |
Company ID |
Example: 7800fcab-7611-416c-9ab4-721b7bd6b076 |
|
adDomain |
AD domain |
Example: trendmicro.com.cn |
|
userName |
User name or client IP |
Example: 10.204.214.188 |
|
groupName |
Group name |
Example: testgroup1 |
|
userDepartment |
User department |
Example: finance department |
|
gatewayName |
Gateway name |
Example: on-premise-2051 |
|
app |
Protocol used |
|
|
transportBytes |
Body size of a request or response |
Example: 221030 |
|
dst |
Destination IP address of a request |
Example: 54.231.184.240 |
|
src |
Source IP address of a request |
Example: 10.204.214.188 |
|
upStreamSize |
Upstream payload from Trend Micro Web Security to server, unit bytes |
Example: 501 |
|
downStreamSize |
Downstream payload from server to Trend Micro Web Security, unit bytes |
Example: 220529 |
|
domainName |
URL domain |
Example: clients4.google.com |
|
scanType |
Scan type |
|
|
policyName |
Policy name |
Example: default |
|
profileName |
Profile name |
Example: default |
|
severity |
WRS score threshold |
|
|
principalName |
Principal name |
Example: testuser@trendmicro.com.cn |
|
cat |
URL category |
Example: Search Engines/Portals |
|
appName |
Application name |
Example: Google |
|
wrsScore |
WRS score |
Example: 81 |
|
malwareType |
Malware type |
|
|
malwareName |
Malware name |
Example: HEUR_OLEXP.B |
|
fname |
File name |
Example: sample_nice_dda_heurb_1177077.ppt-1 |
|
filehash |
SHA-1 |
Example: 3f21be4521b5278fb14b8f47afcabe08a17dc504 |
|
act |
Action |
|
|
httpTrans |
HTTP transaction |
JSON format. Example:{"http_req":{ "method":"GET","scheme":"http","path":"index.html","host":www.sina.com.cn,"headers":{"header_1":"value_1", ...}},"http_response":{"status_code":"200","headers":{...}}} |
|
method |
HTTP method |
Example: GET, PUT, POST |
|
version |
HTTP version |
Example: 1.1 |
|
path |
HTTP request path |
Example: example.html |
|
host |
HTTP request host |
Example: client2.example.com |
|
status_code |
HTTP response status code |
Example: 200, 404, 503 |
|
scheme |
HTTP or HTTPS protocol |
Example: HTTP, HTTPS |
|
url |
Combination of scheme, host, and path |
Example: https://client2.example.com/example.html |
|
<http-request-header-name>_q |
HTTP request header field |
Example: User-Agent: Mozilla/5.0 Note:
The value of a variable, when configured in CEF Keys, will be null if there is no corresponding data recorded in the raw log of Trend Micro Web Security. The value of the cookie variable will always be null because Trend Micro Web Security does not record cookies in the raw log. |
|
<http-response-header-name>_s |
HTTP response header field |
Example: Content-Length: 348 Note:
The value of a variable, when configured in CEF Keys, will be null if there is no corresponding data recorded in the raw log of Trend Micro Web Security. The value of the set-cookie variable will always be null because Trend Micro Web Security does not record cookies in the raw log. |
Access log output sample 1:
Oct 25 08:13:13 10.206.197.112 CEF: 0|Trend Micro|Trend Micro Web Security|3.1.0.2485|100000|Access Log|1| act=allow app=2 cat=Proxy cn1=0 cn1Label=malwareType cn2=0 cn2Label=scanType cs1=200 cs1Label=ResponseCode cs2=default cs2Label=policyName cs3= cs3=encoding cs4= cs4Label=URL Path cs5=https cs5Label=method desinationDnsDomain=login.live.com dhost=login.live.com dvchost=roaming user end=1571990687 fileHash= fname= in=291 out=122 proto=tcp RequestURL=https://login.live.com:443/ requestClientApplication=Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36 requestMethod=https shost=10.206.197.110 src=10.206.197.110
Access log output sample 2:
Oct 25 08:18:15 10.206.197.112 CEF: 0|Trend Micro|Trend Micro Web Security|3.1.0.2485|100000|Access Log|1| act=allow app=1 cat=Proxy cn1=0 cn1Label=malwareType cn2=0 cn2Label=scanType cs1=502 cs1Label=ResponseCode cs2=default cs2Label=policyName cs3=gzip, deflate cs3=encoding cs4=job/4v20-e2e-ops-an/ cs4Label=URL Path cs5=http cs5Label=method desinationDnsDomain=10.202.240.69 dhost=10.202.240.69 dvchost=roaming user end=1571990784 fileHash=8aaceef018f9e7cde0b381a9d1237b29e113c1c2 fname= in=538 out=510 proto=tcp RequestURL=http://10.202.240.69:8080/job/4v20-e2e-ops-an/ requestClientApplication=Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/76.0.3809.132 Safari/537.36 requestMethod=http shost=10.206.197.110 src=10.206.197.110
|
CEF Key |
Description |
Value |
|---|---|---|
|
Header (logVer) |
CEF format version |
CEF: 0 |
|
Header (vendor) |
Appliance vendor |
Trend Micro |
|
Header (pname) |
Appliance product name |
Trend Micro Web Security |
|
Header (pver) |
Appliance version |
Example: 3.4.1.5449 |
|
Header (eventid) |
Signature ID |
Example: 100001 |
|
Header (eventName) |
Description |
Audit Log |
|
Header (severity) |
Risk level |
0 |
|
rt |
UTC timestamp |
Example: Nov 04 2020 02:15:06 +0000 |
|
userName |
Email address |
Example: user@example.com |
|
companyID |
Company ID |
Example: 7800fcab-7611-416c-9ab4-721b7bd6b076 |
|
logType |
Log type |
3: Audit Log |
|
act |
Administrative operation |
Example: Administrator Log On |
|
httpTrans |
Detailed operation information |
See the output samples below |
The other CEF keys not listed in the table are not available for audit logs. Therefore, they will be set to null if configured in CEF keys.
Audit log output sample 1:
Nov 2 09:57:55 ad173.onmicrosoft.com CEF: 0|Trend Micro|Trend Micro Web Security|
3.4.1.5440|100001|Audit Log|0|rt=Nov 02 2020 09:49:58 +0000 src= dest= site= score= category=
app= url= http_user_agent= status= bytes_out= bytes_in= user=admin@trendmicro.com.cn
companyid=d528b12f-08df-4c1f-be10-8ab6c74bf3e2 action=Save Cloud Syslog Forwarding Setting
content={"ip": "10.206.197.117", "contentFormat": "rt=%{rt} src=%{src} dest=%{dst} site=%{domainName}
score=%{wrsScore} category=%{cat} app=%{appName} url=%{url} http_user_agent=%{user-agent_q}
status=%{status_code} bytes_out=%{downStreamSize} bytes_in=%{upStreamSize} user=%{userName}
companyid=%{companyID} action=%{act} content=%{httpTrans}", "enable": 1, "port": 8514}
Audit log output sample 2:
Nov 2 09:57:55 ad173.onmicrosoft.com CEF: 0|Trend Micro|Trend Micro Web Security| 3.4.1.5440|100001|Audit Log|0|rt=Nov 02 2020 09:50:13 +0000 src= dest= site= score= category= app= url= http_user_agent= status= bytes_out= bytes_in= user=admin@trendmicro.com.cn companyid=d528b12f-08df-4c1f-be10-8ab6c74bf3e2 action=Delete Hosted User content="data=H:user-160144443485@trendmicro.com.cn"
