Configuring Control Manager (TMCM) Logforwarder to send Security Logs to IBM QRadar

    • Updated:
    • 25 Feb 2020
    • Product/Version:
    • Control Manager 7.0
    • Platform:
Summary

This article lists the steps to configure the Logforwarder settings to send the security logs to IBM QRadar.

The security logs (e.g. Virus/Malware logs, Behavior Monitoring logs, etc.) that will be sent originated from the TMCM network, and can be used for consolidation and reporting purposes.

Details

To send the security logs, perform the following steps on the TMCM server:

  1. Log on to the TMCM server with admin privileges.
  2. Navigate to ...\Trend Micro\Control Manager and search for Logforwarder.exe.
  3. Run the Logforwarder.exe application as an administrator.
  4. Configure the following information in the Logforwarder Tool:
    • Host: IP address of IBM QRadar
    • Protocol: UDP
    • Port: 514
    • Facility: Local0
    • Severity: Notice

    For the Log Forwarding Settings section, select the preferred options:

    (Screenshot: Logforwarder Settings)

    • Frequency: the time interval at which the tool sends the selected logs
    • Format: CEF or CM (the default is CEF, which is more readable)
    • Logs to forward: multiple logs can be selected, but the tool sends them in the order listed (e.g. if both C&C Callback and DLP logs are selected, the tool sends the C&C Callback logs first, before sending the DLP logs).
  5. Click Start, and then click Yes on the Log Forwarder pop-up window.

Then configure the log source on the IBM QRadar side:

  1. Log on to the IBM QRadar console, then go to Admin > Log Sources.
  2. Create a new Log Source.
  3. Configure the TMCM settings on the Log Source page:
    • Log Source Name: TMCM server
    • Log Source Description: describes the TMCM logs
    • Protocol Configuration: Syslog
    • Log Source Identifier: IP address of the TMCM server

    The Protocol Configuration for Logforwarder is Syslog. If Syslog is not available under Protocol Configuration, advise the customer to coordinate with the IBM team.

    (Screenshot: QRadar Log Source)

  4. Click Save.

After completing the configuration on both TMCM and IBM QRadar, confirm that the logs are sent without issues:

  1. Enable TMCM_Logforwarder.log on the TMCM server. Refer to this KB article: Enabling debug for Logforwarder.exe in Control Manager (TMCM) / Apex Central
  2. Run TCPDUMP on the IBM QRadar appliance. You can check this article from IBM: Verifying that QRadar receives syslog events
Category: Configure
Solution Id: 000243009