Configuring Syslog Forwarder Tool to send iDLP logs to syslog server

    • Updated: 26 Jan 2018
    • Product/Version: Control Manager 6.0; OfficeScan 11.0; OfficeScan XG.All
    • Platform: Windows 2008 Datacenter 64-bit; Windows 2008 Enterprise 64-bit; Windows 2008 Standard 64-bit; Windows 2012 Datacenter R2; Windows 2012 Enterprise; Windows 2012 Enterprise R2; Windows 2012 Server R2; Windows 2012 Standard; Windows 2012 Standard R2
Summary

Some customers prefer to send Data Loss Prevention (DLP) logs to a syslog server. Learn how to use the Syslog Forwarder Tool to send Integrated Data Loss Prevention (iDLP) logs to a syslog server.

Details

To use the Syslog Forwarder Tool:

  1. During replication, create a rule called dlP TEST1. The rule contains the following:
    • Template
    • Channel
    • Action
  2. Verify that DLP is enabled in the test OfficeScan (OSCE) agent.
  3. In the Control Manager (TMCM) server web console, configure the syslog server information:
    1. Go to Administration > Event Center > General Event Settings.
    2. Under Syslog Settings, enter the IP address of the syslog server. Set the server port to "514".
    3. Click Save.
  4. To forward iDLP logs to the syslog server, use the LogForwarder tool:
    1. Navigate to the TMCM installation folder and run LogForwarder.exe.
    2. Set the syslog IP address port to "514".
    3. Configure your preferred frequency format under Log Forwarding Settings.
    4. Select "Data Loss Prevention" for "Logs to forward".
    5. Click Start.
    6. Click Yes for the Trend Micro Control Manager Log Forwarder to open a pop-up window.
  5. Create a test iDLP file to generate the DLP violation.
  6. Confirm that the syslog server logged the DLP violation.
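One way to perform the check in step 6 on the receiving host, as an added example that is not part of the original article or of Trend Micro's tooling. It assumes the logs arrive as UDP datagrams and that the forwarded message carries the rule name as text (the article states neither); the function names are hypothetical.

```python
import re
import socket

PRI_RE = re.compile(rb"^<(\d{1,3})>")  # leading syslog priority field

def parse_pri(datagram: bytes):
    """Return (facility, severity) from the leading <PRI>, or None if absent/invalid."""
    m = PRI_RE.match(datagram)
    if not m or int(m.group(1)) > 191:  # 23 facilities * 8 + 7 is the maximum
        return None
    return divmod(int(m.group(1)), 8)

def wait_for_rule(sock, rule_name, max_messages=100):
    """Read datagrams until one mentions rule_name; return its details or None.

    Assumption: the forwarded DLP message contains the rule name as plain text.
    """
    for _ in range(max_messages):
        try:
            data, (src_ip, _port) = sock.recvfrom(65535)
        except socket.timeout:
            return None
        text = data.decode("utf-8", errors="replace")
        if rule_name.lower() in text.lower():
            return {"source": src_ip, "pri": parse_pri(data), "message": text}
    return None

def listen(bind_ip="0.0.0.0", port=514, timeout=60.0):
    """Bind a UDP socket (assumed transport); port 514 usually needs admin/root rights."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((bind_ip, port))
    sock.settimeout(timeout)
    return sock

if __name__ == "__main__":
    # Run on the syslog host, then trigger the test violation from step 5.
    with listen() as s:
        hit = wait_for_rule(s, "dlP TEST1")
        print(hit or "no message naming the rule arrived before the timeout")
```

Stop any syslog daemon already bound to port 514 before running this, and compare the reported source address with the TMCM server's IP to confirm the message came from the forwarder.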

To see which DLP data is sent to the syslog server, refer to the table below:

DLP data

For more information, refer to: SIEM solutions integration with Control Manager (TMCM).

Category: Configure; Troubleshoot
Solution Id: 1117572