SIEM solutions integration with Apex Central

    • Updated: 5 Nov 2019
    • Product/Version: Apex Central 2019

Summary

Apex Central allows you to send Simple Network Management Protocol (SNMP) traps or syslog messages to notify selected recipients about events detected by managed products. You can also direct syslog messages to supported third-party products.

This article lists the steps to integrate SIEM solutions with Apex Central.

Details

To integrate SIEM solutions with Apex Central, perform the following configurations:

  1. Go to Detections > Notifications > Notification Method Settings. The Notification Method Settings screen will appear.
  2. In the SNMP Trap Settings section, specify the following:
    • Community name: Type the SNMP community name.
    • Server IP address: Type the IPv4 or IPv6 address of the SNMP server.

  3. Click Save.

Modify Syslog Settings

  1. Go to Detections > Notifications > Notification Method Settings. The Notification Method Settings screen will appear.
  2. In the Syslog Settings section, specify the following:
    • Server IP address: Type the IPv6 or IPv4 address of the syslog server.
    • Port: Type the port number of the syslog server.
    • Facility: Select the facility code.
  3. Click Save.

Log Forwarder can send several log types from the Apex Central database to a syslog server in either Common Event Format (CEF) or Apex Central format.

Enable Syslog Forwarding

  1. Log in to the Apex Central console using an Administrator account.
  2. Go to Administration > Settings > Syslog Settings. The Syslog Settings screen appears.
  3. Select the Enable syslog forwarding check box.
  4. Configure the following settings for the server that receives the forwarded syslogs:
    • Server address: Hostname or IP address of the receiving Syslog or SIEM server.
    • Port: Syslog server port number. For UDP, the IANA standard port number is 514. For TLS, it's usually port 6514.
    • Protocol: Select TCP, UDP, or SSL/TLS as the method of communication with the syslog server.

    If SSL/TLS is selected, Apex Central accepts valid self-signed certificates by default.
    • If the server certificate contains a Subject Alternative Name, the Subject Alternative Name must contain the server FQDN or IP address.
    • For additional security, use a valid server certificate or upload the server certificate to Apex Central.
    • Apex Central only supports server certificates in X.509 format with .DER or .PEM encoding.
  5. (Optional) To use a proxy server for syslog forwarding, select the Use a SOCKS proxy server check box. Apex Central uses the proxy server configured on the Proxy Settings screen (Administration > Settings > Proxy Settings) for syslog forwarding.
     
    • Apex Central only supports syslog forwarding over a SOCKS protocol proxy server for SSL/TLS or TCP transmissions.
    • Syslog forwarding does not support HTTP proxy servers. To use a proxy server for syslog forwarding, click Configure proxy settings and select a SOCKS protocol server on the Proxy Settings screen.
  6. Select the log Format:
    • CEF: Uses the standard Common Event Format (CEF) for log messages
    • Apex Central format: Sets the syslog Facility code to "Local0" and the Severity code to "Notice"

    For more information, see Supported Log Types and Formats.

  7. Select the log type(s) to forward:
    1. Select a log category from the Log type dropdown list:
      • Security logs
      • Product information
    2. Select the check box(es) for the log(s) you want to forward. Apex Central displays the total number of selected log types next to the Log type dropdown list.
    3. (Optional) Select another log category from the Log type dropdown list to select additional log types to forward.
  8. Click Test Connection to test the server connection. The syslog server connection status will appear at the top of the screen.
  9. Click Save.
 
  • Apex Central starts forwarding logs to the configured syslog server.
  • To monitor the log forwarding status, go to Administration > Command Tracking and select Forward Syslog from the Command drop-down list.
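
Once forwarding is enabled with the CEF option, the receiving side has to split each line back into fields before a SIEM rule can use it. The parser below is an added example, not Trend Micro code: it decodes the optional syslog `<PRI>` prefix and the standard CEF header and extension escapes. The sample line, vendor, product and field values are constructed for illustration and are not real Apex Central output.

```python
import re

SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
HEADER = ["cef_version", "vendor", "product", "device_version", "event_class_id", "name", "severity"]
PRI_RE = re.compile(r"^<(\d{1,3})>")
KEY_RE = re.compile(r"(?:^|(?<=\s))(\w+)=")  # a key sits at the start or after whitespace

# Constructed sample, not real Apex Central output. PRI 133 = local0 (16) * 8 + notice (5).
SAMPLE = (r"<133>Nov  5 10:15:00 apexcentral CEF:0|Example Vendor|Example\|Product|1.0|"
          r"EV-100|Sample detection|3|src=192.0.2.15 fname=report\=final.docx "
          r"msg=Quarantined by policy act=Quarantine")

def unescape(value):
    """Undo CEF escapes: \\n and \\r become line breaks, other escaped characters lose the backslash."""
    return re.sub(r"\\(.)", lambda m: {"n": "\n", "r": "\r"}.get(m.group(1), m.group(1)), value)

def split_header(body):
    """Return the 7 pipe-delimited header fields and the raw extension string."""
    fields, cur, i = [], [], 0
    while i < len(body) and len(fields) < 7:
        if body[i] == "\\" and body[i + 1:i + 2] in ("|", "\\"):
            cur.append(body[i + 1])  # escaped pipe or backslash is field data
            i += 2
        elif body[i] == "|":
            fields.append("".join(cur))
            cur, i = [], i + 1
        else:
            cur.append(body[i])
            i += 1
    if len(fields) < 7:
        raise ValueError("truncated CEF header")
    return fields, body[i:]

def parse_line(line):
    """Decode the optional syslog <PRI>, the CEF header and the extension pairs."""
    out = {}
    pri = PRI_RE.match(line)
    if pri and int(pri.group(1)) <= 191:
        value = int(pri.group(1))
        out["facility"], out["syslog_severity"] = value >> 3, SEVERITIES[value & 7]
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF marker in line")
    fields, ext = split_header(line[start + 4:])
    out.update(zip(HEADER, fields))
    keys = list(KEY_RE.finditer(ext))
    ends = [k.start() for k in keys[1:]] + [len(ext)]
    out["extension"] = {k.group(1): unescape(ext[k.end():e].rstrip()) for k, e in zip(keys, ends)}
    return out
```

Lines that raise `ValueError` are worth counting on the receiver: a steady stream of them usually means the log format selected in the console does not match what the SIEM parser expects.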

Log Forwarder can send several log types from the Apex Central database to a syslog server in either Common Event Format (CEF) or Apex Central format.

  1. Log in to the Apex Central console using an Administrator account.
  2. Go to Administration > Settings > Syslog Settings. The Syslog Settings screen appears.
  3. Select the Enable syslog forwarding check box.
  4. Configure the following settings for the server that receives the forwarded syslogs:
    • Server address: Hostname or IP address of the receiving Syslog or SIEM server.
    • Port: Syslog server port number. For UDP, the IANA standard port number is 514. For TLS, it's usually port 6514.
    • Protocol: Select TCP, UDP, or SSL/TLS as the method of communication with the syslog server.

    If SSL/TLS is selected, Apex Central accepts valid self-signed certificates by default.
    • If the server certificate contains a Subject Alternative Name, the Subject Alternative Name must contain the server FQDN or IP address.
    • For additional security, use a valid server certificate or upload the server certificate to Apex Central.
    • Apex Central only supports server certificates in X.509 format with .DER or .PEM encoding.
  5. Select the log Format:
    • CEF: Uses the standard Common Event Format (CEF) for log messages
    • Apex Central format: Sets the syslog Facility code to "Local0" and the Severity code to "Notice"

    For more information, see Supported Log Types and Formats.

  6. Configure the Frequency for when Apex Central forwards the logs.
  7. Select the log type(s) to forward:
    1. Select a log category from the Log type dropdown list:
      • Security logs
      • Product information
    2. Select the check box for the log(s) you want to forward. Apex Central displays the total number of selected log types next to the Log type dropdown list.
    3. (Optional) Select another log category from the Log type dropdown list to select additional log types to forward.
  8. Click Test Connection to test the server connection. The syslog server connection status will appear at the top of the screen.
  9. Click Save.
 
  • Apex Central starts forwarding logs to the configured syslog server.
  • To monitor the log forwarding status, go to Administration > Command Tracking and select Forward Syslog from the Command drop-down list.
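
The SSL/TLS note under step 4 requires that a Subject Alternative Name, when present, contains the server FQDN or IP address. The check below is an added example, not Trend Micro code, for verifying that against the value you plan to enter as Server address before clicking Test Connection. It takes a dict in the shape returned by Python's `ssl.SSLSocket.getpeercert()`; the function names and sample certificates are constructed, and exact (non-wildcard) matching is an assumption, since the page does not say how Apex Central treats wildcards.

```python
import ipaddress

SAN_KINDS = {"DNS": "dns", "IP Address": "ip"}

# Constructed dicts in the shape of ssl.SSLSocket.getpeercert(); not real certificates.
CERT_WITH_SAN = {"subjectAltName": (("DNS", "siem.example.com"),
                                    ("IP Address", "2001:DB8:0:0:0:0:0:10"))}
CERT_WITHOUT_SAN = {"subject": ((("commonName", "siem.example.com"),),)}


def normalize(value):
    """Return ('ip', address object) or ('dns', lowercase name without trailing dot)."""
    text = value.strip()
    try:
        return ("ip", ipaddress.ip_address(text))  # equal for any textual IPv6 form
    except ValueError:
        return ("dns", text.rstrip(".").lower())


def san_status(peer_cert, server_address):
    """Compare the configured Server address with the certificate's SAN entries.

    Returns 'no-san' (the SAN rule does not apply), 'match' or 'mismatch'.
    """
    sans = peer_cert.get("subjectAltName", ())
    if not sans:
        return "no-san"
    wanted = normalize(server_address)
    for kind, value in sans:
        # A DNS-typed entry must not satisfy an IP address, and vice versa.
        if SAN_KINDS.get(kind) == wanted[0] and normalize(value) == wanted:
            return "match"
    return "mismatch"
```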
Category: Configure
Solution Id: 000152501