Trend Micro Cloud One - Workload Security (formerly Deep Security Software) is a hybrid cloud runtime security solution.

You can review the Trend Micro resources in your security account, including pre-configured security rules and dashboards to get you started.

Before you begin, you’ll need:

Install the Trend Micro certificate on your Filebeat server

Trend Micro sends encrypted data, so you’ll need to install the Trend Micro certificate on your Filebeat server.

sudo mkdir /etc/filebeat/certificates
sudo openssl req -newkey rsa:2048 -nodes \
-keyout /etc/filebeat/certificates/Trendmicro.key -x509 \
-days 365 \
-out /etc/filebeat/certificates/Trendmicro.crt
Download the Logz.io public certificate to your credentials server

For HTTPS shipping, download the Logz.io public certificate to your certificate authority folder.

sudo curl https://raw.githubusercontent.com/logzio/public-certificates/master/AAACertificateServices.crt --create-dirs -o /etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt
Configure Filebeat

Open the Filebeat configuration file (/etc/filebeat/filebeat.yml) with your preferred text editor.

Filebeat requires a file extension specified for the log input.

Copy and paste the code block below, overwriting the previous , to replace the general configuration with the following settings:

# ...
filebeat.inputs:
- type: tcp
  max_message_size: 10MiB
  host: "0.0.0.0:6514"
  ssl.enabled: true
  ssl.certificate: "/etc/filebeat/certificates/Trendmicro.crt"
  ssl.key: "/etc/filebeat/certificates/Trendmicro.key"
  ssl.verification_mode: none
  fields:
    logzio_codec: json
    token: <<LOG-SHIPPING-TOKEN>>
    type: trendmicro_deep
  fields_under_root: true
filebeat.registry.path: /var/lib/filebeat
#The following processors are to ensure compatibility with version 7
processors:
- rename:
    fields:
     - from: "agent"
       to: "beat_agent"
    ignore_missing: true
- rename:
    fields:
     - from: "log.file.path"
       to: "source"
    ignore_missing: true

Replace <<LOG-SHIPPING-TOKEN>> with the token of the account you want to ship to.

Set Logz.io as the output

Still in the same configuration file, check if Logz.io is already an output. If not, add it now.

# ...
output.logstash:
  hosts: ["<<LISTENER-HOST>>:5015"]
  ssl:
    certificate_authorities: ['/etc/pki/tls/certs/COMODORSADomainValidationSecureServerCA.crt']

Replace <<LISTENER-HOST>> with the host for your region. For example, listener.logz.io if your account is hosted on AWS US East, or listener-nl.logz.io if hosted on Azure West Europe. The required port depends whether HTTP or HTTPS is used: HTTP = 8070, HTTPS = 8071.

One last validation - make sure Logz.io is the only output and appears only once. If the file has other outputs, remove them.

Start Filebeat

Start or restart Filebeat for the changes to take effect.

Configure Trend Micro agents to forward logs to Filebeat

The process for configuring Trend Micro to send logs to your Syslog server involves several steps. All of them are performed in the Trend Micro Cloud One console. You can also reference the official documentation published by Trend Micro.

First, log into your Trend Micro Cloud One console.

  1. Select Policies from the top menu.
  2. Select Other > Syslog Configurations in the left menu.
  3. Select New → New Configuration.
  4. Fill in the new configuration form:
    1. Name - Provide a name for the new Syslog configuration. For example: Logz.io.
    2. Server Name and Server Port - Provide the IP address and port 6514.
    3. Event Format - Select Log Event Extended Format 2.0.
    4. Check the box to Include time zone in events.
    5. Transport - Select TLS.
    6. Save your changes.

    Trend Micro Cloud One screen

  5. Open the Credentials tab, and fill in the details:

    1. Private key - Provide the Trendmicro.key you created in step 1. You can run the following command to look up the key:

       sudo nano /etc/filebeat/certificates/Trendmicro.key
      
    2. Certificate - Provide the Trendmicro.crt you created in step 1. You can run the following command to look up the key:

       sudo nano /etc/filebeat/certificates/Trendmicro.crt
      
    3. Click Test connection to test your settings.
    4. Save your changes.

    Trend Micro Deep Security Cloud One screen

Activate syslog forwarding

Configure Trend Micro agents to forward event logs to Logz.io.

  1. Open the Policies tab, and select the relevant policy.
  2. In the policy form, select Setting in the left menu.
  3. Select the tab Event forwarding in the top menu.
  4. Select the relevant syslog policies you created in the previous steps.

Trend Micro Deep Security Cloud One screen

Sample configuration

You can reference the sample configuration used by the Logz.io Security Team in development of this integration. Exported configuration in XML format.

The configuration file includes settings for the following services:

  • Anti-malware
  • Integrity monitoring
  • Log inspection
  • Firewall
  • Intrusion prevention
Check Logz.io for your logs

Give your logs some time to get from your system to ours, and then open Open Search Dashboards.

If you still don’t see your logs, see Filebeat troubleshooting.