This article lists the steps to configure the Logforwarder settings to send the security logs to IBM QRadar.
The security logs (e.g. Virus/Malware logs, Behavior Monitoring logs, etc.) that will be sent originate from the TMCM network and can be used for consolidation and reporting purposes.
To set up forwarding of the security logs, perform the following steps:
- Log on to the TMCM server with admin privileges.
- Navigate to ...\Trend Micro\Control Manager and search for Logforwarder.exe.
- Run the Logforwarder.exe application as an administrator.
- Configure the following information in the Logforwarder Tool:
- Host: IP address of IBM QRadar
- Protocol: UDP
- Port: 514
- Facility: Local0
- Severity: Notice
For the Log Forwarding Settings section, select the preferred options:
- Frequency: the time interval at which the tool sends the selected logs
- Format: CEF or CM (the default is CEF, which is more readable)
- Logs to forward: multiple logs can be selected, but the tool sends them in the order listed (e.g. if both C&C Callback and DLP logs are selected, the tool sends the C&C Callback logs first, before sending the DLP logs).
- Click Start, and then click Yes on the Log Forwarder pop-up window.
- Log on to the IBM QRadar console, then go to Admin > Log Sources.
- Create a new Log Source.
- Configure the TMCM settings on the Log Source page:
The Protocol Configuration for Logforwarder is Syslog. If Syslog is not available under Protocol Configuration, advise the customer to coordinate with the IBM team.
- Log Source Name: TMCM server
- Log Source Description: describes the info of the TMCM Logs
- Protocol Configuration: Syslog
- Log Source Identifier: IP Address of the TMCM server
- Click Save.
After completing the configuration on both TMCM and IBM QRadar, confirm that the logs are being sent without issues by following the steps below:
- Enable TMCM_Logforwarder.log on the TMCM server. Refer to this KB article: Enabling debug for Logforwarder.exe in Control Manager (TMCM) / Apex Central
- Run tcpdump on the IBM QRadar appliance. See this IBM article: Verifying that QRadar receives syslog events