Activating Log Forwarder API in Worry-Free Business Security Services (WFBS-SVC)

    • Updated: 29 Apr 2021
    • Product/Version:
        ◦ Worry-Free Business Security Services 6.5
        ◦ Worry-Free Business Security Services 6.7
    • Platform:
        ◦ Linux All
        ◦ macOS High Sierra
        ◦ macOS Sierra
        ◦ macOS All
        ◦ Windows 10 32-bit
        ◦ Windows 10 64-bit
        ◦ Windows 7 32-bit
        ◦ Windows Vista 32-bit
Summary

WFBS-SVC allows you to export logs to syslog format using the Log Forwarder API. You can then further analyze the exported data in your syslog management tool. This article contains a step-by-step guide on how to activate the Log Forwarder API in WFBS-SVC.

Details
  1. Request access to the Log Forwarder API from our WFBS-SVC Technical Support team. Send your request along with your WFBS-SVC Activation Code/s by contacting Trend Micro Technical Support.
  2. Our WFBS-SVC Technical Support team will send you the Cloud Services Platform Integration (CSPI) key pair, which is required to set up Log Forwarder.
  1. Install Python on Windows, macOS or Linux. Python 3 is recommended.
  2. Install or upgrade pip (the Python package manager) on Windows, macOS or Linux. For more information, refer to the pip installation documentation.
  3. Install all required Python packages. Open Windows Command Prompt or macOS/Linux Terminal, locate pip.exe and enter the following commands:

    • # pip install requests==2.18.1

    • # pip install pytz

  1. Download end_customer.zip or partner.zip depending on your license and extract the files using the password "trend".
  2. Configure the logfeeder.ini file. Fill in all required information.

    [cspi]
    ACCESS_TOKEN = aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
    SECRET_KEY = ssssssssaaaaaaaammmmmmppppppplllllllleeeeee=
    SERVER_HOSTNAME = cspi.trendmicro.com
    SERVER_PORT = 443

    [logfeeder]
    log_types = virus,spyware,wtp,url_filtering,behavior_monitoring,device_control,application_control,machine_learning,network_virus,dlp
    storage_path = ./logs/

    • ACCESS_TOKEN is one part of the CSPI key pair provided by the Product Manager.
    • SECRET_KEY is the other part of the CSPI key pair provided by the Product Manager.
    • SERVER_HOSTNAME is the CSPI FQDN (no need to change).
    • SERVER_PORT should be 443 (no need to change).
    • log_types are the threat types that you would like to download from the log archive. There are 10 types of threats; separate them with commas.
    • storage_path is the location where you would like to keep log archives (e.g. C:\logs\). Environment variables are not supported.
    • specific_customers lists the customers you want to query. Use a semicolon without a space to separate customers (company name). If you want to stop creating the daily log archives for a specific customer, remove the customer from this parameter (Partner only).
    • append_customer_name is a toggle that determines whether the customer name is appended in the log. Use true or false to toggle it on or off (Partner only; Optional).
    • create_folder_using_cid is a toggle that determines whether folders are created by cid instead of customer name. Use true or false to toggle it on or off (Partner only; Optional).

    [Screenshot: sample virus logs]
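
A pre-flight check for the logfeeder.ini described above, added here as an example; it is not part of Trend Micro's scripts. The function name check_logfeeder_ini and the finding strings are assumptions, while the expected values come from the sample file and parameter notes in this article. Because the file stores the CSPI SECRET_KEY, the check also flags group/other permission bits on POSIX systems.

```python
import configparser
import os
import re
import stat

# Values below come from the article's sample logfeeder.ini.
KNOWN_LOG_TYPES = {
    "virus", "spyware", "wtp", "url_filtering", "behavior_monitoring",
    "device_control", "application_control", "machine_learning",
    "network_virus", "dlp",
}
SAMPLE_TOKEN = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_SECRET = "ssssssssaaaaaaaammmmmmppppppplllllllleeeeee="
REQUIRED = {
    "cspi": ("ACCESS_TOKEN", "SECRET_KEY", "SERVER_HOSTNAME", "SERVER_PORT"),
    "logfeeder": ("log_types", "storage_path"),
}
ENV_VAR = re.compile(r"%[^%]+%|\$\{?\w+")  # %VAR%, $VAR or ${VAR}


def check_logfeeder_ini(path):
    """Return a list of findings for logfeeder.ini; an empty list means OK."""
    # interpolation=None so a literal '%' in a value is read as-is.
    cfg = configparser.ConfigParser(interpolation=None)
    if not cfg.read(path):
        return [f"cannot read {path}"]
    def get(section, key):
        return cfg.get(section, key, fallback="").strip()

    findings = [f"[{s}] {k} is missing or empty"
                for s, keys in REQUIRED.items() for k in keys if not get(s, k)]
    if get("cspi", "ACCESS_TOKEN") == SAMPLE_TOKEN:
        findings.append("ACCESS_TOKEN is still the sample placeholder")
    if get("cspi", "SECRET_KEY") == SAMPLE_SECRET:
        findings.append("SECRET_KEY is still the sample placeholder")
    if get("cspi", "SERVER_HOSTNAME") != "cspi.trendmicro.com":
        findings.append("SERVER_HOSTNAME is not cspi.trendmicro.com")
    if get("cspi", "SERVER_PORT") != "443":
        findings.append("SERVER_PORT is not 443")
    types = {t.strip() for t in get("logfeeder", "log_types").split(",")}
    unknown = sorted(types - KNOWN_LOG_TYPES - {""})
    if unknown:
        findings.append("unknown log_types: " + ", ".join(unknown))
    if ENV_VAR.search(get("logfeeder", "storage_path")):
        findings.append("storage_path contains an environment variable")
    # The file holds SECRET_KEY; on POSIX, flag any group/other permission bits.
    if os.name == "posix" and os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append("file is accessible to group/other users")
    return findings
```

Run it against the file before the first query; on Linux or macOS, `chmod 600 logfeeder.ini` clears the permission finding.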

Query and download the log archive. Open Windows Command Prompt or macOS/Linux Terminal and run the following command:

  • For End Customers:

    # python end_customer_query_logs.py

  • For MSP Partners:

    # python partner_query_logs.py

 
The downloaded log archives contain data from the previous 15 minutes. For example, running query_logs.py at 5:00 downloads log archives from 4:45 – 5:00 in the customer's time zone. Note that you cannot query twice within 15 minutes; this prevents the API from being queried too frequently.
 

 
If you want to run this script through a proxy, you can simply set up a system proxy on the target machine. If the customer uses a proxy, the backend logs will only show the source IP.
 

If there is any exception error while using the above scripts, check the response code and map it on the following table:

Error Code    Description
401           Check your ACCESS_TOKEN and SECRET_KEY in logfeeder.ini and make sure that both are correct.
408           Please check your network connection. If your networking connection is okay, try again after 30 minutes. Contact Trend Micro Technical Support if issue remains.
412           Please submit your request for access to the Log Feeder API to the WFBS-SVC Product Manager.
500           Please try again after 30 minutes. Contact Trend Micro Technical Support if issue remains.
Category:
Configure; SPEC
Solution Id:
1118040