
General

Any device that supports TCP (Transmission Control Protocol) or TLS (Transport Layer Security) and the CEF (Common Event Format) syslog format can send logs to this service.

Network protocol: TLS (Transport Layer Security) or TCP (Transmission Control Protocol). The available port number range is 6514 to 6533.

The Syslog log format and CEF (Common Event Format) are supported. Additionally, there are dedicated log collectors that collect data from cloud services such as Microsoft Defender for Endpoint, public cloud logs from AWS and Azure, and Microsoft Entra ID.

Some third-party products allow users to configure TLS without certificate verification (ignoring certificate errors). That configuration may also work with this service, but the sending device then cannot detect a forged or substituted server certificate.

This service is available only to Trend Vision One Foundation users. Poseidon users are not supported.

Follow the installation guide Third-Party Log Collection on the Trend Micro Online Help Center.

Logs are uploaded to Trend Vision One either when the compressed package reaches 1 MB in size or every 60 seconds, whichever comes first.

If an incoming syslog format is incorrect, the log is dropped and not sent to Trend Vision One. The service keeps the recent invalid logs in text files for further troubleshooting.

When the service receives 1,000 consecutive malformed syslog messages, the log collection service closes the connection so that the device can reconnect.
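Because a malformed line is silently dropped and 1,000 in a row close the connection, it is worth validating the CEF framing on the sending side. The following is an added example (not Trend Micro code) that builds a CEF-over-syslog line with the escaping CEF requires and parses it back the way a collector would; the vendor, product, host and field values are constructed for illustration.

```python
import re
from datetime import datetime, timezone

def _esc_header(value):
    # CEF header fields: backslash and pipe must be escaped.
    return str(value).replace("\\", "\\\\").replace("|", "\\|")

def _esc_ext(value):
    # CEF extension values: backslash, equals sign and line breaks must be escaped.
    s = str(value).replace("\\", "\\\\").replace("=", "\\=")
    return s.replace("\r", "\\r").replace("\n", "\\n")

def build_cef(vendor, product, version, event_id, name, severity, ext):
    """CEF:0|Vendor|Product|Version|EventClassID|Name|Severity|key=value ..."""
    header = "|".join(_esc_header(x) for x in (vendor, product, version, event_id, name, severity))
    extension = " ".join(f"{k}={_esc_ext(v)}" for k, v in ext.items())
    return f"CEF:0|{header}|{extension}"

def wrap_syslog(cef, host, facility=1, severity=6, app="cef", when=None):
    # RFC 5424 header: PRI = facility*8 + severity, no structured data.
    when = when or datetime.now(timezone.utc)
    return f"<{facility * 8 + severity}>1 {when.strftime('%Y-%m-%dT%H:%M:%SZ')} {host} {app} - - - {cef}"

_FIELD = re.compile(r"((?:\\.|[^|\\])*)(\||$)")
_KV = re.compile(r"(\w+)=((?:\\.|[^\\])*?)(?=\s+\w+=|$)")

def parse_cef(line):
    """Return (header_fields, extension_dict); raise ValueError when the line would be dropped."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF: marker in message")
    rest, fields, pos = line[start:], [], 0
    while len(fields) < 7:
        m = _FIELD.match(rest, pos)
        fields.append(re.sub(r"\\([\\|])", r"\1", m.group(1)))
        if m.group(2) == "" and len(fields) < 7:
            raise ValueError("fewer than 7 CEF header fields")
        pos = m.end()
    if fields[0] != "CEF:0":
        raise ValueError("unsupported CEF version")
    if not (fields[6].isdigit() and 0 <= int(fields[6]) <= 10):
        raise ValueError("severity must be 0-10")
    unescape = lambda v: re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), v)
    ext = {k: unescape(v) for k, v in _KV.findall(rest[pos:])}
    return fields[1:], ext
```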

The logs-per-second (LPS) limit is 30,000 LPS per Service Gateway. In addition to the SG minimum requirements, the Third-Party Log Collection service requires an extra 1 CPU and 128 MB of memory to handle 30,000 LPS.

Service Gateway related

On the Log Source configuration page, a service gateway appears in the drop-down list only if it is not already used by another log source item and the third-party log collection service is installed on it.

If a third-party log collection service has been uninstalled in a service gateway appliance, the user needs to reinstall it to see the service gateway in the drop-down list.

The log collection service in the Service Gateway allows third-party devices to send Syslogs over the TLS (Transport Layer Security) protocol. The imported certificate is the one presented in the TLS handshake, so it must be trusted by the customer's devices. The SG default certificate cannot be trusted by external devices because it is not signed by a publicly trusted root Certificate Authority. Therefore, customers have to import a server certificate that their devices trust into the SG appliance.

After being imported to the Trend Vision One console, the new certificate typically takes 1-3 minutes to be delivered to the SG appliance hosted on the client’s network. The third-party devices may take another 1-5 minutes to reconnect to the log collection service.

Yes, your data will still be available. The data retention period depends on the Log Repository setting. Currently only the default repository is offered, in which data remains searchable for 30 days.

However, the allowed IP address configuration and the service metrics will disappear if a user removes the SG appliance and installs a new one, even if the new one uses the same IP address as the previous one. In this case, the user has to go to the Log Source page and create a new entry.

The metrics are uploaded to Trend Vision One every 60 to 90 seconds. The latest metrics data and the last update time are on the appliance detail page.

If the network of the service gateway is offline, the logs are dropped and will not be sent.

Log source setting related

If the Third-Party Log Collection service is uninstalled from the service gateway, the service gateway column on the Log Source list page will be empty, and the service gateway will no longer appear in the existing data source list until you re-install it.

(Screenshot: the service gateway no longer appears in the list.)

When a user updates the Sender IP address on the Log Source Settings page, the change takes approximately 1-3 minutes to take effect. If the third-party device is still unable to connect to the Third-Party Log Collection (TLC) service, we recommend reviewing the Log Source settings and clicking the Save button again to trigger the configuration synchronization process.

When users open the Third-Party Integration app and select the "Log Collection" category on the left side, they can see the connected service gateways and the latest connection time on the right side under "Third-Party Log Collection". The information is updated every 2 minutes.

When you delete a log source, the service gateway remains up and running for a while. After 1-3 minutes, all port number and allowed IP address settings are removed, and the service gateway no longer accepts connections from any third-party devices.

The service will be on hold and wait for the next non-empty Log Source setting to arrive.

Search function related

To search the third-party logs, users must follow the steps below to enable the new outlook.

(Screenshot: enabling the new Search outlook.)

  1. Enable "Try the new Search".
  2. Make sure Third-Party Logs is selected.
  3. Type * to search all available third-party logs if you do not know where to start.

Troubleshooting

Once a Collector is configured under a Log Repository, the following items can be checked to ensure end-to-end functionality:
  1. Check the source.

    On the Log Source (3rd party device, appliance or application), check if there are any errors about sending logs to Vision One Service Gateway.

    If multiple Service Gateways are deployed within the environment, ensure that the Service Gateway configured on the Log Source is the one that appears in the Collector configuration.

    Ensure that the Log Format is configured correctly (e.g., CEF, Syslog) on the Log Source. Check documentation of your Log Source (3rd party device, appliance or application) to determine where to configure these options.

  2. Check the Service Gateway.

    Under Data Source and Log Management > Data sources and retention > Log Repository > Collector, determine the Service Gateway used and ensure that the Third-Party Log Collection Service is Healthy.

    If it is not, then check Service Gateway Management and look for the overall status of the Service Gateway, and the installed services. Select the assigned Service Gateway, and check the Third-Party Log Collection Sources. This should also show Healthy.

  3. Monitor the volume of data.

    Under Data source and Log Management > Data Monitoring, there should be an up-tick of data ingested under the Data Ingestion widget.

    Depending on the configuration, the Ingestion and retention by data source widget should also indicate an increase in either analytic or archival ingestion volume.

  4. Run some queries.

    After ensuring the configuration of both the Log Source and the Service Gateway, most production environments would already be submitting data into the Log Repository through the Log Collector configuration.

    If the Log Source being tested is not in production, is in test or staging, or is just being evaluated, then perform some activities that would incur creation of logs for collection. Generating logs for a particular event entirely depends on the Log Source. Consult the appropriate 3rd party Log Source documentation on how to generate logs for testing.

    To confirm that the format of the logs, their values and other necessary information are being processed and ingested correctly, go to XDR Data Explorer > Data source / processor | Third-Party Logs, and in the search bar compose a query to test the log ingestion. For example, if the sending host is 192.168.101.112, type src: 192.168.101.112 in the search query bar.

If no logs are being ingested by the Log Collector, then the following steps can be taken to re-check the configuration.
  1. Perform a ping/telnet/netcat test from the Log Source (3rd party device, appliance or application) to the Service Gateway.

    Take note of the Service Gateway assigned to the Log Source as seen in Data Source and Log Management > Data Sources and Retention > Log Repository, and perform these tests on the Log Source itself.

    After checking the Collector configuration under Log Repository, take note of the following:

    • The tests must be done from the Log Source to the selected Service Gateway, with the correct protocol (TCP or UDP) and port number (a number between 6514 and 6533).
    • Depending on the network layout and configuration, and if the Log Source has multiple IP addresses associated with it, ensure that the Data source IP address is set to the IP address by which the Service Gateway will recognize the Log Source. For example, if the Log Source is behind a NAT configuration, this should be the egress (NAT-ted) IP address, as that is the source address of the log traffic received at the Service Gateway.
    • The Log timezone should also be correct, so that the timestamps will align correctly.

      If the Log Source is a hardened appliance or device, check the logs of the Log Source, as they often contain an error message when it is unable to reach the logging destination. Some Log Sources also have a toggle to enable sending to the logging destination, which must be on even if the destination is configured correctly. Disabling and re-enabling this setting, or restarting the service that sends logs to the logging destination, may help. Consult the appropriate 3rd party Log Source documentation on how to perform these activities.

  2. Confirm that the Service Gateway is healthy.

    After confirming that the Log Source is behaving as expected, check the health of the Service Gateway, and ensure that the Third-Party Log Collection Service is installed and working properly.

    Under Service Gateway Management > [desired Service Gateway] > Installed Services, the Third-Party Log Collection Service can be disabled and re-enabled in an attempt to reset an unhealthy state. This step is not necessary if the status of the service is Healthy.

    If an update is available, a notification appears indicating the upcoming update schedule; applying the update immediately as part of this troubleshooting step may help. The Service Gateway Management app may also help indicate whether the system resources are sufficient, or whether another Service Gateway must be installed because the existing deployment is overloaded.

  3. Confirm that the Log Repository and the Collector are configured properly.

    Once both the Log Source and the Service Gateway have been checked, the following two configuration options can be validated:

    • Log Repository: Confirm that the ingestion type is correct, either Analytic or Archival.
    • Collector: Ensure that the appropriate Vendor, Product, Log Format (CEF or Syslog), Service Gateway, Protocol (TCP or UDP), Port (a number between 6514 and 6533), Data source IP address and Log timezone are set.

    Ensure that the configuration on the Collector is the same as the Log Source (3rd party device, appliance or application). If the configuration is aligned, then it may be possible to test with the alternative configurations, such as:

    • If the Log Source allows either CEF or Syslog, switch between those two log formats.
    • If the Log Source allows either UDP or TCP, switch between those two protocols.
    • Try changing the port on the Collector and see if that works. If the Service Gateway and the Log Source are on separate network segments, ensure that the appropriate firewall rules are in place.
    • If multiple Service Gateways are deployed and the Third-Party Log Collection Service is also installed on the other service gateway, check whether the other Service Gateway is able to process the forwarded logs.
    • Deploy a new Service Gateway with the Third-Party Log Collection Service and locate it nearer to the desired Log Source (e.g., on the same network segment).

    At all times, ensure that the Log Source (3rd party device, appliance or application) and Log Repository > Collector configurations are aligned.

  4. Recreate the Log Repository and Collector.

    Recreating the Log Repository or the Collector is not normally necessary but may help in troubleshooting.

    • Attempt to re-create the Collector under the Log Repository. After clicking the defined Log Repository name, take note of the configuration. Then look for the trash bin icon to delete the log collector. After this step, you can re-create the collector.
    • To recreate a Log Repository, delete all Collectors and create a new log repository with the desired configuration. If the Log Repository has not received any data yet, it can be deleted.

      Log Repositories with Collectors or existing data cannot be deleted, but a similar Log Repository and Collector configuration can be defined.

    Once the Log Source (3rd party device, appliance or application), Service Gateway, Log Repository and Collector have been either deleted or recreated, re-check the configuration. At all times, ensure that the Log Source (3rd party device, appliance or application) and Log Repository > Collector configurations are aligned.

  5. Test the configuration.

    Confirm that data is now being ingested under Data source and Log Management > Data Monitoring and run some search queries under XDR Data Explorer > Data source / processor | Third-Party Logs.
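The connectivity test in step 1 above and the certificate-trust requirement from the Service Gateway section can be checked together from the log source host. The following is an added example (not Trend Micro code): it confirms the collector port is within the documented range, opens a TCP connection, and verifies that the certificate the gateway presents chains to a CA this host trusts, which is the same check a third-party device performs when TLS verification is left enabled. The host name sg.example.internal and the optional cafile are assumptions.

```python
import socket
import ssl

PORT_MIN, PORT_MAX = 6514, 6533   # documented Third-Party Log Collection port range

def port_in_range(port):
    return PORT_MIN <= port <= PORT_MAX

def make_client_context(cafile=None):
    # Default context verifies the chain and host name; pass the CA that signed
    # the certificate imported into the SG if it is not in the system store.
    ctx = ssl.create_default_context(cafile=cafile)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def check_collector(host, port, cafile=None, timeout=5.0):
    """Return a dict describing port validity, TCP reachability and TLS trust."""
    result = {"port_ok": port_in_range(port), "tcp": False, "tls": False, "error": None}
    if not result["port_ok"]:
        result["error"] = f"port {port} is outside {PORT_MIN}-{PORT_MAX}"
        return result
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            result["tcp"] = True
            with make_client_context(cafile).wrap_socket(sock, server_hostname=host) as tls:
                cert = tls.getpeercert()
                result["tls"] = True
                result["subject"] = dict(rdn[0] for rdn in cert["subject"])
                result["issuer"] = dict(rdn[0] for rdn in cert["issuer"])
                result["not_after"] = cert["notAfter"]
    except ssl.SSLCertVerificationError as e:
        # TLS was reached but the chain is not trusted here: the SG is still using
        # its default certificate, or the imported one has not been delivered yet
        # (allow 1-3 minutes after import).
        result["error"] = f"certificate not trusted: {e.verify_message}"
    except (OSError, ssl.SSLError) as e:
        # TCP refused/timed out (firewall, wrong SG, wrong port) or a TLS failure.
        result["error"] = str(e)
    return result

if __name__ == "__main__":
    import json
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "sg.example.internal"  # assumption
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 6514
    print(json.dumps(check_collector(host, port), indent=2))
```

A result with tcp true and tls false points at certificate trust rather than the network; tcp false means the port, firewall or assigned Service Gateway should be re-checked first.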

Yes, you can alert on issues like logs not collected from a data source for an extended period of time with the notification setting “Unusual data source and log collection status”. The common reason why the logs are not collected is due to network disruption and may recover over time.

If you receive the "Unusual data source and log collection status" notification and no network disruption is expected, check Data Source and Log Management > Data Sources and Retention > Log Repository and look at the Status of the collector to confirm its actual state. If the status is not Healthy, proceed with the steps above to confirm functionality.

Should the collector status not stay Healthy, intermittent network disruption is most often the cause, or possibly an issue on the data path between the log source and the Trend Vision One Service Gateway before the logs reach Trend Vision One.
