Configuring Splunk Application to display syslog of Control Manager (TMCM)

    • Updated: 18 Apr 2018
    • Product/Version: Control Manager 6.0; Control Manager 7.0
    • Platform: Windows 2003 Server R2; Windows 2008 Enterprise; Windows 2008 Enterprise 64-bit; Windows 2008 Server R2; Windows 2008 Standard; Windows 2008 Standard 64-bit; Windows 2012 Enterprise; Windows 2012 Standard R2
Summary

TMCM has a Proof-of-Concept (PoC) for building a Splunk application based on TMCM 6.0 and later versions. Use this article as a reference for configuring the Splunk application to display TMCM syslog data.

Details

To configure the Splunk application, follow the steps below:

For TMCM 7.0

  1. Log in to the TMCM web console, and go to Notifications > Notification Method Settings.
  2. In the Syslog Settings section, specify the following:
      • Server IP address: Type the IPv4 or IPv6 address of the syslog server.
      • Port: Type the port number of the syslog server.
      • Facility: Select the facility code.

    Syslog Settings

  3. Click Save.
  4. Go to Notification > Event Notifications.
  5. Select the Event type, then on the right pane, slide the switch to enable the notification for the events that you prefer.
  6. Configure the Notification Methods by clicking on the Event (e.g. Virus found - first and second actions unsuccessful).

    Event Notifications

  7. In the Notification Methods section, tick Syslog.

    Notification Method

  8. Click Save.

For TMCM 6.0

  1. Log in to the TMCM web console, and go to Administration > Event Center > General Event Settings.
  2. In the Syslog Settings section, specify the following:
    • Server IP address: Type the IPv4 or IPv6 address of the syslog server.
    • Server Port: Type the port number of the syslog server.
    • Facility: Select the facility code.

    Syslog Settings

  3. Click Save.
  4. Go to Administration > Event Center > Event Notifications.
  5. Select the Event type, and tick the checkbox to enable the notification for the events that you prefer.
  6. Configure the Notification methods by clicking on the Recipients (e.g. Virus found - first and second actions unsuccessful).

    Event Category

  7. In the Notification methods section, tick Syslog.

    Notification Method

  8. Click Save.

In Splunk, add the syslog data input:

  1. Click Add data.

    Add Data

  2. Choose syslog.

    Choose syslog

  3. Choose Consume syslog over UDP.

    syslog over UDP

  4. Set the communication port, and choose syslog from the source type list.

    Select Source Type

  5. Check the readiness of syslog:
    1. Choose Manage Inputs.

      Manage Inputs

    2. Select UDP.

      Select UDP

    3. Check the settings. The following values should appear:
      • UDP Port: 514
      • Source Type: syslog

      UDP Page
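
To confirm that the UDP input receives data on the configured port and facility before relying on TMCM notifications, a test datagram can be sent to it. The script below is an added example, not part of the original article and not Trend Micro or Splunk code; the host name `tmcm-test`, the tag `syslog-check`, and the address `192.0.2.10` are placeholders, and the RFC 3164 message layout is an assumption about what the input accepts.

```python
import socket
import time

# Syslog facility codes from RFC 3164 (local0..local7 are 16..23).
FACILITIES = {"kern": 0, "user": 1, "daemon": 3, "auth": 4,
              **{f"local{i}": 16 + i for i in range(8)}}
SEVERITY_NOTICE = 5
MONTHS = "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split()


def build_message(facility, text, host="tmcm-test"):
    """Return an RFC 3164 style datagram: <PRI>TIMESTAMP HOST TAG: text."""
    # PRI encodes facility and severity in one number: facility * 8 + severity.
    pri = FACILITIES[facility] * 8 + SEVERITY_NOTICE
    now = time.localtime()
    # RFC 3164 timestamp is "Mmm dd hh:mm:ss" with the day padded by a space.
    stamp = (f"{MONTHS[now.tm_mon - 1]} {now.tm_mday:2d} "
             f"{now.tm_hour:02d}:{now.tm_min:02d}:{now.tm_sec:02d}")
    return f"<{pri}>{stamp} {host} syslog-check: {text}".encode("ascii")


def send_test(server, port, facility, text):
    """Send one test datagram to the syslog input and return what was sent."""
    payload = build_message(facility, text)
    # The Server IP address field accepts IPv4 or IPv6, so handle both.
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    with socket.socket(family, socket.SOCK_DGRAM) as sock:
        sock.sendto(payload, (server, port))
    return payload


def loopback_check(facility="local0"):
    """Self-test: bind a local UDP listener, send to it, return (sent, received)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as listener:
        listener.bind(("127.0.0.1", 0))          # ephemeral port, no privileges
        listener.settimeout(2.0)
        port = listener.getsockname()[1]
        sent = send_test("127.0.0.1", port, facility, "constructed test event")
        received, _ = listener.recvfrom(4096)
    return sent, received


if __name__ == "__main__":
    sent, received = loopback_check()
    print("loopback ok:", sent == received, received.decode())
    # Then target the real input (placeholder address, UDP port from step 5):
    # send_test("192.0.2.10", 514, "local0", "constructed test event")
```

After sending to the Splunk host, a search for `sourcetype=syslog syslog-check` should return the test event; UDP gives no delivery confirmation, so an empty result means the port, firewall, or input settings need checking.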

To create the dashboard:

  1. From the APP menu, click Dashboard.

    Click Dashboards

  2. Click Create New Dashboard.

    New Dashboard

  3. Provide a title of your preference (e.g. Top 20 Threats), then click Create Dashboard.

    Dashboard Details

  4. Click Edit Source.

    Edit Source

  5. Paste the XML code into the editor, then click Save.

    XML Code

    A sample XML template can be downloaded here. This XML template is a sample and can be modified depending on what needs to be displayed on the dashboard that will be created.
  6. The new dashboard will read the TMCM logs and generate a panel similar to the image below:

    Dashboard Home

Category: Configure; Deploy; Migrate
Solution Id: 1117821