Syslog Integration (SIEM)

Vulnerability ProtectionDeep Security can forward events to a syslog server, using these formats:

Common Event Format 1.0: A format sponsored by ArcSight (www.arcsight.com)
Log Event Extended Format (LEEF) 2.0: A format used for integration with IBM QRadar
Basic Syslog format: Some modules support a Basic Syslog format; however, these formats are made available for legacy installations and should not be used for new Syslog integration projects.

Syslog messages will only be sent for the events selected on the System Events tab. Other event types can be configured for syslog notification from the policy editor or computer editor.

Enabling Syslog forwarding in the Vulnerability ProtectionDeep Security Manager does not affect default Event logging. That is, enabling syslog will not disable the normal Event recording mechanisms.

Setting up a Syslog on Red Hat Enterprise Linux 6 or 7

The following steps describe how to configure rsyslog on Red Hat Enterprise Linux 6 or 7 to receive logs from Vulnerability ProtectionDeep Security.

Log in as root
Execute:
vi /etc/rsyslog.conf
Uncomment the following lines near the top of the rsyslog.conf to change them from:

#$ModLoad imudp #$UDPServerRun 514 #$ModLoad imtcp #$InputTCPServerRun 514 to

$ModLoad imudp $UDPServerRun 514 $ModLoad imtcp $InputTCPServerRun 514
Add the following two lines of text to the end of the rsyslog.conf:
- #Save Vulnerability ProtectionDeep Security Manager logs to VPM.logDSM.log
- Local4.* /var/log/VPM.logDSM.log
Save the file and exit
Create the /var/log/VPM.logDSM.log file by typing touch /var/log/VPM.logDSM.log
Set the permissions on the VPMDSM log so that syslog can write to it
Save the file and exit
Restart syslog:
- On Red Hat Enterprise Linux 6: service rsyslog restart
- On Red Hat Enterprise Linux 7: systemctl restart rsyslog

When Syslog is functioning you will see logs populated in: /var/log/VPM.logDSM.log

Setting up a Syslog on Red Hat Enterprise Linux 5

The following steps describe how to configure Syslog on Red Hat Enterprise Linux to receive logs from Vulnerability ProtectionDeep Security.

Log in as root
Execute:
vi /etc/syslog.conf
Add the following two lines of text to the end of the syslog.conf :
- #Save Vulnerability ProtectionDeep Security Manager logs to VPM.logDSM.log
- Local4.* /var/log/VPM.logDSM.log
Save the file and exit
Create the /var/log/VPM.logDSM.log file by typing touch /var/log/VPM.logDSM.log
Set the permissions on the VPMDSM log so that syslog can write to it
Execute:
vi /etc/sysconfig/syslog
Modify the line " SYSLOGD_OPTIONS " and add a " -r " to the options
Save the file and exit
Restart syslog: /etc/init.d/syslog restart

When Syslog is functioning you will see logs populated in: /var/log/VPM.logDSM.log

Manager Settings

You can configure Vulnerability ProtectionDeep Security Manager to instruct all managed computers to send logs to the Syslog computer, or you can configure individual computers independently.

To configure the Manager to instruct all managed computers to use Syslog:

Go to the Administration > System Settings > SIEM tab.
In the System Event Notification (from the Manager) area, set the Forward System Events to a remote computer (via Syslog) option.
Type the hostname or the IP address of the Syslog computer.
Enter which UDP port to use (usually 514).
Select which Syslog Facility to use (Local4 from the Red Hat example above.)
Select which Syslog Format to use.

Common Event Format 1.0 is a format sponsored by ArcSight (www.arcsight.com). The specification can be requested through their Web site.

You have now configured the Vulnerability ProtectionDeep Security Manager to instruct all existing and new computers to use remote Syslog by default.

There are two options for where the syslog messages are sent from. The first option (Direct Forward) sends the messages in real time directly from the Agents or Virtual Appliances. The second option (Relay via the Manager) sends the syslog messages from the Manager after events are collected on heartbeats. The option to send from the Manager may be desirable if the destination licenses based on the number of sources.

If the syslog messages are sent from the Manager, there are several differences. In order to preserve the original hostname (the source of the event), a new extension ("dvc" or "dvchost") is present. "dvc" is used if the hostname is an IPv4 address; "dvchost" is used for hostnames and IPv6 addresses. Additionally, the extension "TrendMicroDsTags" is used if the events are tagged (This applies only to auto-tagging with run on future, since events are forwarded via syslog only as they are collected by the Manager). The product for logs relayed through the Manager will still read "Vulnerability ProtectionDeep Security Agent"; however, the product version is the version of the Manager.

All CEF events include dvc=IPv4 Address or dvchost=Hostname (or the IPv6 address) for the purposes of determining the original source of the event. This extension is important for events sent from a Virtual Appliance or the Manager, since in this case the syslog sender of the message is not the originator of the event.

This default setting can be overridden for specific Policies and on individual computers. To override on a computer, find the computer you want to configure, open the Computer Editor and go to Settings and click the SIEM tab. Like many other settings on a computer, you can instruct it to inherit default settings, or override them. To instruct this computer to ignore any inheritable default settings, select the Forward Events To option and enter the details for a different syslog server, or to not forward logs at all. Follow the same procedure to override the setting on a Policy.

If you select the Direct Forward option on the SIEM tab for a computer, you cannot select Log Event Extended Format 2.0 as the Syslog Format. Vulnerability ProtectionDeep Security will only send events in LEEF format via the Manager.

Parsing Syslog Messages (CEF)

To determine whether the log entry comes from the Vulnerability ProtectionDeep Security Manager or a Vulnerability ProtectionDeep Security Agent, look at the "Device Product" field:

Events that occur on a VM being protected by a Virtual Appliance but without an in-guest Agent will still be identified as coming from an Agent.

To further determine what kind of rule triggered the event, look at the "Signature ID" and "Name" fields:

The following "Signature ID" values indicate what kind of event has been triggered:

Signature IDs	Description
10	Custom Intrusion Prevention Rule
20	Log-Only Firewall Rule
21	Deny Firewall Rule
30	Custom Integrity Monitoring Rule
40	Custom Log Inspection Rule
100-7499	System Events
100-199	Out of "Allowed" Policy Firewall Rule and Firewall Stateful Configuration
200-299	Intrusion Prevention System (IPS) Internal Errors
300-399	SSL Events
500-899	Intrusion Prevention Normalization
1,000,000-1,999,999	Trend Micro Intrusion Prevention Rule. The Signature ID is the same as the Intrusion Prevention Rule ID.
2,000,000-2,999,999	Trend Micro Integrity Monitoring Rule. The Signature ID is the Integrity Monitoring Rule ID + 1,000,000.
3,000,000-3,999,999	Trend Micro Log Inspection Rule. The Signature ID is the Log Inspection Rule ID + 2,000,000.
4,000,000-4,999,999	Reserved for Trend Micro Anti-Malware Events. Curently, only these Signature IDs are used: 4,000,000 4,000,001 4,000,002 4,000,003 4,000,010 4,000,011 4,000,012 4,000,013
5,000,000-5,999,999	Reserved for Trend Micro Web Reputation Events. Currently, only these Signature IDs are used: 5,000,000 5,000,001

All the CEF extensions described in the event log format tables below will not necessarily be included in each log entry. As well, they may not be in the order described below. If you are using regular expressions (regex) to parse the entries, make sure your expressions do not depend on each key/value pair to be there or for the key/value pairs to be in a particular order.

Syslog messages are limited to 64K bytes by the syslog protocol specification. In rare cases data may be truncated. The Basic Syslog format is limited to 1K bytes.

Parsing Syslog Messages (LEEF 2.0)

Sample LEEF 2.0 Log Entry (DSM System Event Log Sample): LEEF:2.0|Trend Micro|Deep Security Manager|9.6.2007|192|cat=System name=Alert Ended desc=Alert: CPU Warning Threshold Exceeded\nSubject: 10.201.114.164\nSeverity: Warning sev=3 src=10.201.114.164 usrName=System msg=Alert: CPU Warning Threshold Exceeded\nSubject: 10.201.114.164\nSeverity: Warning TrendMicroDsTenant=Primary

Events Originating in the Manager

System Event Log Format

Sample LEEF 2.0 Log Entry: LEEF:2.0|Trend Micro|Deep Security Manager|9.6.2007|192|cat=System name=Alert Ended desc=Alert: CPU Warning Threshold Exceeded\nSubject: 10.201.114.164\nSeverity: Warning sev=3 src=10.201.114.164 usrName=System msg=Alert: CPU Warning Threshold Exceeded\nSubject: 10.201.114.164\nSeverity: Warning TrendMicroDsTenant=Primary

LEEF format uses a reserved "sev" key to show severity and "name" for the Name value.

CEF Extension Field	LEEF Extension Field	Name	Description	Examples
src	src	Source IP Address	Source Vulnerability ProtectionDeep Security Manager IP Address.	src=10.52.116.23
suser	usrName	Source User	Source Vulnerability ProtectionDeep Security Manager user account.	suser=MasterAdmin
target	target	Target Entity	The event target entity. The target of the event maybe the administrator account logged into Vulnerability ProtectionDeep Security Manager, or a Computer.	target=MasterAdmin target=server01
targetID	targetID	Target Entity ID	The event target entity ID.	targetID=1
targetType	targetType	Target Entity Type	The event target entity type.	targetType=Host
msg	msg	Details	Details of the System event. May contain a verbose description of the event.	msg=User password incorrect for username MasterAdmin on an attempt to sign in from 127.0.0.1 msg=A Scan for Recommendations on computer (localhost) has completed...
TrendMicroDsTags	TrendMicroDsTags	Event Tags	Deep Security event tags assigned to the event	TrendMicroDsTags=suspicious
TrendMicroDsTenant	TrendMicroDsTenant	Tenant Name	Deep Security tenant	TrendMicroDsTenant=Primary
TrendMicroDsTenantId	TrendMicroDsTenantId	Tenant ID	Deep Security tenant ID	TrendMicroDsTenantId=0
None	sev	Severity	The severity of the event. 1 is the lowest severity and 10 is the highest.	sev=3
None	cat	Category	Event category	cat=System
None	name	Name	Event name	name=Alert Ended
None	desc	Description	Event description	desc:Alert: CPU Warning Threshold Exceeded

Events Originating in the Agent

Firewall Event Log Format

Sample CEF Log Entry: CEF:0|Trend Micro|Vulnerability ProtectionDeep Security Agent|<DSA version>2.0|20|Log for TCP Port 80|0|cn1=1 cn1Label=Host ID dvc=hostname act=Log dmac=00:50:56:F5:7F:47 smac=00:0C:29:EB:35:DE TrendMicroDsFrameType=IP src=192.168.126.150 dst=72.14.204.147 out=1019 cs3=DF MF cs3Label=Fragmentation Bits proto=TCP spt=49617 dpt=80 cs2=0x00 ACK PSH cs2Label=TCP Flags cnt=1 TrendMicroDsPacketData=AFB...

Sample LEEF Log Entry: LEEF:2.0|Trend Micro|Deep Security Manager|9.6.2007|21|cat=Firewall name=Remote Domain Enforcement (Split Tunnel) desc=Remote Domain Enforcement (Split Tunnel) sev=5 cn1=37 cn1Label=Host ID dvchost=laptop_adaggs TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 act=Deny dstMAC=67:BF:1B:2F:13:EE srcMAC=78:FD:E7:07:9F:2C TrendMicroDsFrameType=IP src=10.0.110.221 dst=105.152.185.81 out=177 cs3= cs3Label=Fragmentation Bits proto=UDP srcPort=23 dstPort=445 cnt=1

CEF Extension Field	LEEF Extension Field	Name	Description	Examples
act	act	Action	The action taken by the Firewall rule. Can contain: Log or Deny. If the rule or the network engine is operating in tap mode, the action value will be proceeded by "IDS:".	act=Log act=Deny
cn1	cn1	Host Identifier	The Agent Computer internal identifier which can be used to uniquely identify the Agent Computer from a given syslog event.	cn1=113
cn1Label	cn1Label	Host ID	The friendly name label for the field cn1.	cn1Label=Host ID
cnt	cnt	Repeat Count	The number of times this event was sequentially repeated.	cnt=8
cs2	cs2	TCP Flags	(For the TCP protocol only) The raw TCP flag byte followed by the URG, ACK, PSH, RST, SYN and FIN fields may be present if the TCP header was set. If "Relay via Manager" is selected, the output of this extension contains only the flag names.	cs2=0x10 ACK cs2=0x14 ACK RST
cs2Label	cs2Label	TCP Flags	The friendly name label for the field cs2.	cs2Label=TCP Flags
cs3	cs3	Packet Fragmentation Information	The "DF" field will be present if the IP "Don't Fragment" bit is set. The "MF" field will be present if the "IP More Fragments" bit is set.	cs3=DF cs3=MF cs3=DF MF
cs3Label	cs3Label	Fragmentation Bits	The friendly name label for the field cs3.	cs3Label=Fragmentation Bits
cs4	cs4	ICMP Type and Code	(For the ICMP protocol only) The ICMP type and code stored in their respective order delimited by a space.	cs4=11 0 cs4=8 0
cs4Label	cs4Label	ICMP	The friendly name label for the field cs4.	cs4Label=ICMP Type and Code
dmac	dstMAC	Destination MAC Address	Destination computer network interface MAC address.	dmac= 00:0C:29:2F:09:B3
dpt	dstPort	Destination Port	(For TCP and UDP protocol only) Destination computer connection port.	dpt=80 dpt=135
dst	dst	Destination IP Address	Destination computer IP Address.	dst=192.168.1.102 dst=10.30.128.2
in	in	Inbound Bytes Read	(For inbound connections only) Number of inbound bytes read.	in=137 in=21
out	out	Outbound Bytes Read	(For outbound connections only) Number of outbound bytes read.	out=216 out=13
proto	proto	Transport protocol	Name of the connection transportation protocol used.	proto=tcp proto=udp proto=icmp
smac	srcMAC	Source MAC Address	Source computer network interface MAC address.	smac= 00:0E:04:2C:02:B3
spt	srcPort	Source Port	(For TCP and UDP protocol only) Source computer connection port.	spt=1032 spt=443
src	src	Source IP Address	Source computer IP Address.	src=192.168.1.105 src=10.10.251.231
TrendMicroDsFrameType	TrendMicroDsFrameType	Ethernet frame type	Connection Ethernet frame type.	TrendMicroDsFrameType=IP TrendMicroDsFrameType=ARP TrendMicroDsFrameType=RevARP TrendMicroDsFrameType=NetBEUI
TrendMicroDsPacketData	TrendMicroDsPacketData	Packet data	(If include packet data is set) A Base64 encoded copy of the packet data. The "equals" character is escaped. E.g. "\=" This extension is not included when the "Relay via the Manager" option is selected.	TrendMicroDsPacketData=AA...BA\=
dvc	dvc	Device address	The IP address for cn1. If the address is IPv4, use dvc. If the address is IPv6 or a hostname, use dvchost instead.	dvc=10.1.144.199
dvchost	dvchost	Device host name	The IP address for cn1. If the address is IPv6 or a hostname, use dvchost. If the address is IPv4, use dvc instead.	dvchost=laptop_adaggs
TrendMicroDsTags	TrendMicroDsTags	Event Tags	Deep Security event tags assigned to the event	TrendMicroDsTags=suspicious
TrendMicroDsTenant	TrendMicroDsTenant	Tenant Name	Deep Security tenant	TrendMicroDsTenant=Primary
TrendMicroDsTenantId	TrendMicroDsTenantId	Tenant ID	Deep Security tenant ID	TrendMicroDsTenantId=0
None	sev	Severity	The severity of the event. 1 is the lowest severity and 10 is the highest.	sev=5
None	cat	Category	Category, for example, "Firewall"	cat=Firewall
None	name	Name	Event name	name=Remote Domain Enforcement (Split Tunnel)
None	desc	Description	Event description. Firewall event does not have an event description, so use the event name.	desc=Remote Domain Enforcement (Split Tunnel)

Intrusion Prevention Event Log Format

Sample CEF Log Entry: CEF:0|Trend Micro|Vulnerability ProtectionDeep Security Agent|<DSA version>2.0|1001111|Test Intrusion Prevention Rule|3|cn1=1 cn1Label=Host ID dvchost=hostname dmac=00:50:56:F5:7F:47 smac=00:0C:29:EB:35:DE TrendMicroDsFrameType=IP src=192.168.126.150 dst=72.14.204.105 out=1093 cs3=DF MF cs3Label=Fragmentation Bits proto=TCP spt=49786 dpt=80 cs2=0x00 ACK PSH cs2Label=TCP Flags cnt=1 act=IDS:Reset cn3=10 cn3Label=Intrusion Prevention Packet Position cs5=10 cs5Label=Intrusion Prevention Stream Position cs6=8 cs6Label=Intrusion Prevention Flags TrendMicroDsPacketData=R0VUIC9zP3...

Sample LEEF Log Entry: LEEF:2.0|Trend Micro|Deep Security Manager|9.6.2007|1000940|cat=Intrusion Prevention name=Sun Java RunTime Environment Multiple Buffer Overflow Vulnerabilities desc=Sun Java RunTime Environment Multiple Buffer Overflow Vulnerabilities sev=10 cn1=6 cn1Label=Host ID dvchost=exch01 TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 dstMAC=55:C0:A8:55:FF:41 srcMAC=CA:36:42:B1:78:3D TrendMicroDsFrameType=IP src=10.0.251.84 dst=56.19.41.128 out=166 cs3= cs3Label=Fragmentation Bits proto=ICMP srcPort=0 dstPort=0 cnt=1 act=IDS:Reset cn3=0 cn3Label=DPI Packet Position cs5=0 cs5Label=DPI Stream Position cs6=0 cs6Label=DPI Flags

CEF Extension Field	LEEF Extension Field	Name	Description	Examples
act	act	Action	The action taken by the Intrusion Prevention rule. Can contain: Block, Reset, or Log. If the rule or the network engine is operating in detect-only mode, the action value will be preceded by "IDS:". (IPS Rules written before Deep Security version 7.5 SP1 could additionally perform Insert, Replace, and Delete actions. These actions are no longer performed. If an older IPS Rule is triggered which still attempts to perform those actions, the Event will indicate that the Rule was applied in detect-only mode.)	act=Block
cn1	cn1	Host Identifier	The Agent Computer internal identifier which can be used to uniquely identify the Agent Computer from a given syslog event.	cn1=113
cn1Label	cn1Label	Host ID	The friendly name label for the field cn1.	cn1Label=Host ID
cn3	cn3	Intrusion Prevention Packet Position	Position within packet of data that triggered the event.	cn3=37
cn3Label	cn3Label	Intrusion Prevention Packet Position	The friendly name label for the field cn3.	cn3Label=Intrusion Prevention Packet Position
cnt	cnt	Repeat Count	The number of times this event was sequentially repeated.	cnt=8
cs1	cs1	Intrusion Prevention Filter Note	(Optional) A note field which can contain a short binary or text note associated with the payload file. If the value of the note field is all printable ASCII characters, it will be logged as text with spaces converted to underscores. If it contains binary data, it will be logged using Base-64 encoding.	cs1=Drop_data
cs1Label	cs1Label	Intrusion Prevention Note	The friendly name label for the field cs1.	cs1Label=Intrusion Prevention Note
cs2	cs2	TCP Flags	(For the TCP protocol only) The raw TCP flag byte followed by the URG, ACK, PSH, RST, SYN and FIN fields may be present if the TCP header was set.	cs2=0x10 ACK cs2=0x14 ACK RST
cs2Label	cs2Label	TCP Flags	The friendly name label for the field cs2.	cs2Label=TCP Flags
cs3	cs3	Packet Fragmentation Information	The "DF" field will be present if the IP "Don't Fragment" bit is set. The "MF" field will be present if the "IP Mote Fragments" bit is set.	cs3=DF cs3=MF cs3=DF MF
cs3Label	cs3Label	Fragmentation Bits	The friendly name label for the field cs3.	cs3Label=Fragmentation Bits
cs4	cs4	ICMP Type and Code	(For the ICMP protocol only) The ICMP type and code stored in their respective order delimited by a space.	cs4=11 0 cs4=8 0
cs4Label	cs4Label	ICMP	The friendly name label for the field cs4.	cs4Label=ICMP Type and Code
cs5	cs5	Intrusion Prevention Stream Position	Position within stream of data that triggered the event.	cs5=128 cs5=20
cs5Label	cs5Label	Intrusion Prevention Stream Position	The friendly name label for the field cs5.	cs5Label=Intrusion Prevention Stream Position
cs6	cs6	Intrusion Prevention Filter Flags	A combined value that includes the sum of the following flag values: 1 - Data truncated - Data could not be logged. 2 - Log Overflow - Log overflowed after this log. 4 - Suppressed - Logs threshold suppressed after this log. 8 - Have Data - Contains packet data 16 - Reference Data - References previously logged data.	The following example would be a summed combination of 1 (Data truncated) and 8 (Have Data): cs6=9
cs6Label	cs6Label	Intrusion Prevention Flags	The friendly name label for the field cs6.	cs6=Intrusion Prevention Filter Flags
dmac	dstMAC	Destination MAC Address	Destination computer network interface MAC address.	dmac= 00:0C:29:2F:09:B3
dpt	dstPort	Destination Port	(For TCP and UDP protocol only) Destination computer connection port.	dpt=80 dpt=135
dst	dst	Destination IP Address	Destination computer IP Address.	dst=192.168.1.102 dst=10.30.128.2
in	in	Inbound Bytes Read	(For inbound connections only) Number of inbound bytes read.	in=137 in=21
out	out	Outbound Bytes Read	(For outbound connections only) Number of outbound bytes read.	out=216 out=13
proto	proto	Transport protocol	Name of the connection transportation protocol used.	proto=tcp proto=udp proto=icmp
smac	srcMAC	Source MAC Address	Source computer network interface MAC address.	smac= 00:0E:04:2C:02:B3
spt	srcPort	Source Port	(For TCP and UDP protocol only) Source computer connection port.	spt=1032 spt=443
src	src	Source IP Address	Source computer IP Address.	src=192.168.1.105 src=10.10.251.231
TrendMicroDsFrameType	TrendMicroDsFrameType	Ethernet frame type	Connection Ethernet frame type.	TrendMicroDsFrameType=IP TrendMicroDsFrameType=ARP TrendMicroDsFrameType=RevARP TrendMicroDsFrameType=NetBEUI
TrendMicroDsPacketData	TrendMicroDsPacketData	Packet data	(If include packet data is set) A Base64 encoded copy of the packet data. The "equals" character is escaped. E.g. "\=" This extension is not included when the "Relay via the Manager" option is selected.	TrendMicroDsPacketData=AA...BA\=
dvc	dvc	Device address	The IP address for cn1. If the address is IPv4, use dvc. If the address is IPv6 or a hostname, use dvchost instead.	dvc=10.1.144.199
dvchost	dvchost	Device host name	The IP address for cn1. If the address is IPv6 or a hostname, use dvchost. If the address is IPv4, use dvc instead.	dvchost=exch01
TrendMicroDsTags	TrendMicroDsTags	Event tags	Deep Security event tags assigned to the event	TrendMicroDsTags=Suspicious
TrendMicroDsTenant	TrendMicroDsTenant	Tenant name	Deep Security tenant name	TrendMicroDsTenant=Primary
TrendMicroDsTenantId	TrendMicroDsTenantId	Tenant ID	Deep Security tenant ID	TrendMicroDsTenantId=0
None	sev	Severity	The severity of the event. 1 is the lowest severity and 10 is the highest.	sev=10
None	cat	Category	Category, for example, "Intrusion Prevention"	cat=Intrusion Prevention
None	name	Name	Event name	name=Sun Java RunTime Environment Multiple Buffer Overflow Vulnerabilities
None	desc	Description	Event description. Intrusion Prevention event does not have an event description, so use the event name.	desc=Sun Java RunTime Environment Multiple Buffer Overflow Vulnerabilities

Log Inspection Event Format

Sample CEF Log Entry: CEF:0|Trend Micro|Vulnerability ProtectionDeep Security Agent|<DSA version>|3002795|Microsoft Windows Events|8|cn1=1 cn1Label=Host ID dvchost=hostname cs1Label=LI Description cs1=Multiple Windows Logon Failures fname=Security src=127.0.0.1 duser=(no user) shost=WIN-RM6HM42G65V msg=WinEvtLog Security: AUDIT_FAILURE(4625): Microsoft-Windows-Security-Auditing: (no user): no domain: WIN-RM6HM42G65V: An account failed to log on. Subject: ..

Sample LEEF Log Entry: LEEF:2.0|Trend Micro|Deep Security Manager|9.6.2007|3003486|cat=Log Inspection name=Mail Server - MDaemon desc=Server Shutdown. sev=3 cn1=37 cn1Label=Host ID dvchost=laptop_adaggs TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 cs1=Server Shutdown. cs1Label=LI Description fname= shost= msg=

CEF Extension Field	LEEF Extension Field	Name	Description	Examples
cn1	cn1	Host Identifier	The Agent Computer internal identifier which can be used to uniquely identify the Agent Computer from a given syslog event.	cn1=113
cn1Label	cn1Label	Host ID	The friendly name label for the field cn1.	cn1Label=Host ID
cs1	cs1	Specific Sub-Rule	The Log Inspection sub-rule which triggered this event.	cs1=Multiple Windows audit failure events
cs1Label	cs1Label	LI Description	The friendly name label for the field cs1.	cs1Label=LI Description
duser	duser	User Information	(If parse-able username exists) The name of the target user initiated the log entry.	duser=(no user) duser=NETWORK SERVICE
fname	fname	Target entity	The Log Inspection rule target entity. May contain a file or directory path, registry key, etc.	fname=Application fname=C:\Program Files\CMS\logs\server0.log
msg	msg	Details	Details of the Log Inspection event. May contain a verbose description of the detected log event.	msg=WinEvtLog: Application: AUDIT_FAILURE(20187): pgEvent: (no user): no domain: SERVER01: Remote login failure for user 'xyz'
shost	shost	Source Hostname	Source computer Hostname	shost=webserver01.corp.com
src	src	Source IP Address	Source computer IP Address.	src=192.168.1.105 src=10.10.251.231
dvc	dvc	Device address	The IP address for cn1. If the address is IPv4, use dvc. If the address is IPv6 or a hostname, use dvchost instead.	dvc=10.1.144.199
dvchost	dvchost	Device host name	The IP address for cn1. If the address is IPv6 or a hostname, use dvchost. If the address is IPv4, use dvc instead.	dvchost=laptop_adaggs
TrendMicroDsTags	TrendMicroDsTags	Events tags	Deep Security event tags assigned to the event	TrendMicroDsTags=suspicious
TrendMicroDsTenant	TrendMicroDsTenant	Tenant name	Deep Security tenant	TrendMicroDsTenant=Primary
TrendMicroDsTenantId	TrendMicroDsTenantId	Tenant ID	Deep Security tenant ID	TrendMicroDsTenantId=0
None	sev	Severity	The severity of the event. 1 is the lowest severity and 10 is the highest.	sev=3
None	cat	Category	Category, for example, "Log Inspection"	cat=Log Inspection
None	name	Name	Event name	name=Mail Server - MDaemon
None	desc	Description	Event description.	desc=Server Shutdown

Integrity Monitoring Log Event Format

Sample LEEF Log Entry: LEEF:2.0|Trend Micro|Deep Security Manager|9.6.2007|2002779|cat=Integrity Monitor name=Microsoft Windows - System file modified desc=Microsoft Windows - System file modified sev=8 cn1=37 cn1Label=Host ID dvchost=laptop_adaggs TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 act=updated

CEF Extension Field	LEEF Extension Field	Name	Description	Examples
act	act	Action	The action detected by the integrity rule. Can contain: created, updated, detected or renamed.	act=created act=deleted
cn1	cn1	Host Identifier	The Agent Computer internal identifier which can be used to uniquely identify the Agent Computer from a given syslog event.	cn1=113
cn1Label	cn1Label	Host ID	The friendly name label for the field cn1.	cn1Label=Host ID
filePath	filePath	Target Entity	The integrity rule target entity. May contain a file or directory path, registry key, etc.	filePath=C:\WINDOWS\system32\drivers\etc\hosts
msg	msg	Attribute changes	(For "updated" action only) A list of changed attribute names. If "Relay via Manager" is selected, all event action types include a full description.	msg=lastModified,sha1,size
oldfilePath	oldfilePath	Old target entity	(For "renamed" action only) The previous integrity rule target entity to capture the rename action from the previous target entity to the new, which is recorded in the filePath field.	oldFilePath=C:\WINDOWS\system32\logfiles\ds_agent.log
dvc	dvc	Device address	The IP address for cn1. If the address is IPv4, use dvc. If the address is IPv6 or a hostname, use dvchost instead.	dvc=10.1.144.199
dvchost	dvchost	Device host name	The IP address for cn1. If the address is IPv6 or a hostname, use dvchost. If the address is IPv4, use dvc instead.	dvchost=laptop_adaggs
TrendMicroDsTags	TrendMicroDsTags	Events tags	Deep Security event tags assigned to the event	TrendMicroDsTags=suspicious
TrendMicroDsTenant	TrendMicroDsTenant	Tenant name	Deep Security tenant	TrendMicroDsTenant=Primary
TrendMicroDsTenantId	TrendMicroDsTenantId	Tenant ID	Deep Security tenant ID	TrendMicroDsTenantId=0
None	sev	Severity	The severity of the event. 1 is the lowest severity and 10 is the highest.	sev=8
None	cat	Category	Category, for example, "Integrity Monitor"	cat=Integrity Monitor
None	name	Name	Event name	name=Microsoft Windows - System file modified
None	desc	Description	Event description. Integrity Monitoring event does not have an event description, so use the event name.	desc=Microsoft Windows - System file modified

Anti-Malware Event Format

Sample LEEF Log Entry: LEEF:2.0|Trend Micro|Deep Security Manager|9.6.2007|4000010|cat=Anti-Malware name=SPYWARE_KEYL_ACTIVE desc=SPYWARE_KEYL_ACTIVE sev=6 cn1=45 cn1Label=Host ID dvchost=laptop_mneil TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 cs3=C:\\Windows\\System32\\certreq.exe cs3Label=Infected Resource cs4=10 cs4Label=Resource Type cs5=50 cs5Label=Risk Level act=Clean msg=Realtime

CEF Extension Field	LEEF Extension Field	Name	Description	Examples
cn1	cn1	Host Identifier	The Agent Computer internal identifier which can be used to uniquely identify the Agent Computer from a given syslog event.	cn1=1
cn1Label	cn1Label	Host ID	The friendly name label for the field cn1.	cn1Label=Host ID
cn2	cn2	File Size	The size of the quarantine file. This extension is included only when the "direct forward" from Agent/Appliance is selected.	cn2=100
cn2Label	cn2Label	File Size	The friendly name label for the field cn2.	cn2Label=Quarantine File Size
filepath	filepath	Filepath	The location of the target file.	filePath=C:\\virus\\ei1.txt
act	act	Action	The action carried out by the Anti-malware engine. Possible values are: Deny Access, Quarantine, Delete, Pass, Clean, and Unspecified.	act=Clean act=Pass
msg	msg	Message	The type of scan. Possible values are: Realtime, Scheduled, and Manual.	msg=Realtime msg=Scheduled
dvc	dvc	Device address	The IP address for cn1. If the address is IPv4, use dvc. If the address is IPv6 or a hostname, use dvchost instead.	dvc=10.1.144.199
dvchost	dvchost	Device host name	The IP address for cn1. If the address is IPv6 or a hostname, use dvchost. If the address is IPv4, use dvc instead.	dvchost=laptop_mneil
TrendMicroDsTags	TrendMicroDsTags	Events tags	Deep Security event tags assigned to the event	TrendMicroDsTags=suspicious
TrendMicroDsTenant	TrendMicroDsTenant	Tenant name	Deep Security tenant	TrendMicroDsTenant=Primary
TrendMicroDsTenantId	TrendMicroDsTenantId	Tenant ID	Deep Security tenant ID	TrendMicroDsTenantId=0
None	sev	Severity	The severity of the event. 1 is the lowest severity and 10 is the highest.	sev=6
None	cat	Category	Category, for example, "Anti-Malware"	cat=Anti-Malware
None	name	Name	Event name	name=SPYWARE_KEYL_ACTIVE
None	desc	Description	Event description. Anti-Malware event does not have an event description, so use the event name.	desc=SPYWARE_KEYL_ACTIVE

Web Reputation Event Format

Sample LEEF Log Entry: LEEF:2.0|Trend Micro|Deep Security Manager|9.6.2007|5000000|cat=Web Reputation name=WebReputation desc=WebReputation sev=6 cn1=3 cn1Label=Host ID dvchost=hr_data2 TrendMicroDsTenant=Primary TrendMicroDsTenantId=0 request=http://yw.olx5x9ny.org.it/HvuauRH/eighgSS.htm msg=Suspicious

CEF Extension Field	LEEF Extension Field	Name	Description	Examples
cn1	cn1	Host Identifier	The Agent Computer internal identifier which can be used to uniquely identify the Agent Computer from a given syslog event.	cn1=1
cn1Label	cn1Label	Host ID	The friendly name label for the field cn1.	cn1Label=Host ID
request	request	Request	The URL of the request.	request=site.com
msg	msg	Message	The type of action. Possible values are: Realtime, Scheduled, and Manual.	msg=Realtime msg=Scheduled
dvc	dvc	Device address	The IP address for cn1. If the address is IPv4, use dvc. If the address is IPv6 or a hostname, use dvchost instead.	dvc=10.1.144.199
dvchost	dvchost	Device host name	The IP address for cn1. If the address is IPv6 or a hostname, use dvchost. If the address is IPv4, use dvc instead.	dvchost=hr_data2
TrendMicroDsTags	TrendMicroDsTags	Events tags	Deep Security event tags assigned to the event	TrendMicroDsTags=suspicious
TrendMicroDsTenant	TrendMicroDsTenant	Tenant name	Deep Security tenant	TrendMicroDsTenant=Primary
TrendMicroDsTenantId	TrendMicroDsTenantId	Tenant ID	Deep Security tenant ID	TrendMicroDsTenantId=0
None	sev	Severity	The severity of the event. 1 is the lowest severity and 10 is the highest.	sev=6
None	cat	Category	Category, for example, "Web Reputation"	cat=Web Reputation
None	name	Name	Event name	name=WebReputation
None	desc	Description	Event description. Web Reputation event does not have an event description, so use the event name.	desc=WebReputation