  1. Send a request for access to the Log Forwarder API to our WFBS-SVC Technical Support team. Send your request along with your WFBS-SVC Activation Code/s by contacting Trend Micro Technical Support.
  2. Our WFBS-SVC Technical Support team will send you the Cloud Services Platform Integration (CSPI) key pair, which is required to set up Log Forwarder.
  1. Install Python on Windows, macOS or Linux. Python 3 is recommended.
  2. Install or upgrade pip (Python package manager) on Windows, macOS or Linux. For more information, refer to this pip documentation about Installation.
  3. Install all required Python packages. Open Windows Command Prompt or macOS/Linux Terminal, locate pip (pip.exe on Windows) and key in the following commands:
    • Python 2

      # pip install requests==2.18.1
      # pip install pytz

    • Python 3

      # pip3 install requests
      # pip3 install pytz

  1. Download end_customer.zip , and extract the files using the password "trend".
  2. Configure the logfeeder.ini file. Look for the [cspi] section and fill in the required information:

    [cspi]
    ACCESS_TOKEN = aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
    SECRET_KEY = ssssssssaaaaaaaammmmmmppppppplllllllleeeeee=
    SERVER_HOSTNAME =
      • NABU: smpi-nabu.sco.trendmicro.com
      • EMEA: smpi-emea.sco.trendmicro.com
    SERVER_PORT = 443

    [logfeeder]
    log_types = virus,spyware,wtp,url_filtering,behavior_monitoring,device_control,application_control,machine_learning,network_virus,dlp
    storage_path = ./logs/

    • ACCESS_TOKEN is one of the CSPI key pair provided by the Product Manager.
    • SECRET_KEY is one of the CSPI key pair provided by the Product Manager.
    • SERVER_HOSTNAME is the CSPI FQDN.
    • SERVER_PORT should be 443 (no need to change).
    • log_types are the threat types you would like to download from the log archive. There are 10 threat types; separate them with commas.
    • storage_path is the location where you would like to keep the log archives (e.g. C:\logs\). Environment variables are not supported.

    Sample virus logs (screenshot).

Query and download the log archive. Open Windows Command Prompt or macOS/Linux Terminal and run the following command:

# python end_customer_query_logs.py

The downloaded log archives contain data from the preceding 15 minutes. For example, running query_logs.py at 5:00 downloads log archives from 4:45 – 5:00 in the customer’s time zone. Note that you cannot query twice within the same 15-minute window; this prevents the API from being queried too frequently.
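As an added example (not part of the original article or the end_customer.zip scripts), the following Python pre-flight check reads a logfeeder.ini as described above, reports the misconfigurations that commonly lead to 401/412 responses, and applies the 15-minute query spacing rule. The sample ini text and the assumption that the rule means "at least 15 minutes between two runs" are mine, not the page's.

```python
import configparser
from datetime import datetime, timedelta

# Constructed sample of a filled-in logfeeder.ini (placeholder key pair, not a real one).
SAMPLE_INI = """
[cspi]
ACCESS_TOKEN = aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
SECRET_KEY = ssssssssaaaaaaaammmmmmppppppplllllllleeeeee=
SERVER_HOSTNAME = smpi-nabu.sco.trendmicro.com
SERVER_PORT = 443

[logfeeder]
log_types = virus,spyware,wtp,url_filtering
storage_path = ./logs/
"""

# The 10 threat types the article lists for log_types, and the two CSPI FQDNs.
VALID_LOG_TYPES = {"virus", "spyware", "wtp", "url_filtering", "behavior_monitoring",
                   "device_control", "application_control", "machine_learning",
                   "network_virus", "dlp"}
VALID_HOSTNAMES = {"smpi-nabu.sco.trendmicro.com", "smpi-emea.sco.trendmicro.com"}


def validate_ini(text):
    """Return a list of problems found in a logfeeder.ini; an empty list means it looks OK."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    problems = []
    for key in ("ACCESS_TOKEN", "SECRET_KEY", "SERVER_HOSTNAME", "SERVER_PORT"):
        if not cfg.get("cspi", key, fallback="").strip():   # empty values give a 401
            problems.append(f"[cspi] {key} is empty")
    if cfg.get("cspi", "SERVER_HOSTNAME", fallback="") not in VALID_HOSTNAMES:
        problems.append("[cspi] SERVER_HOSTNAME must be the NABU or EMEA CSPI FQDN")
    if cfg.get("cspi", "SERVER_PORT", fallback="") != "443":
        problems.append("[cspi] SERVER_PORT should be 443")
    raw = cfg.get("logfeeder", "log_types", fallback="")
    unknown = sorted({t.strip() for t in raw.split(",") if t.strip()} - VALID_LOG_TYPES)
    if unknown:
        problems.append(f"[logfeeder] unknown log_types: {', '.join(unknown)}")
    path = cfg.get("logfeeder", "storage_path", fallback="")
    if "%" in path or "$" in path:   # environment variables are not expanded by the feeder
        problems.append("[logfeeder] storage_path must not use environment variables")
    return problems


def can_query_again(last_run_iso, now_iso):
    """Assumed reading of the rule: a new query is allowed only 15 minutes after the last one."""
    last_run, now = datetime.fromisoformat(last_run_iso), datetime.fromisoformat(now_iso)
    return now - last_run >= timedelta(minutes=15)
```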


To run this script through a proxy, set up a system proxy on the target machine. If the customer uses a proxy, the backend logs will only show the source IP (that of the proxy).

If an exception occurs while running the above scripts, check the response code and look it up in the following table:

Error Code   Description
401          Check your ACCESS_TOKEN and SECRET_KEY in logfeeder.ini and make sure that both are correct.
408          Please check your network connection. If your network connection is okay, try again after 30 minutes. Contact Trend Micro Technical Support if the issue remains.
412          Please submit your request for access to the Log Feeder API to the WFBS-SVC Product Manager.
500          Please try again after 30 minutes. Contact Trend Micro Technical Support if the issue remains.