Activating Log Forwarder API in Worry-Free Business Security Services (WFBS-SVC)

    • Updated:
    • 22 Sep 2017
    • Product/Version:
    • Worry-Free Business Security Services 6.2
    • Platform:
    • Linux All
    • macOS High Sierra
    • macOS Sierra
    • macOS All
    • Windows 10 32-bit
    • Windows 10 64-bit
    • Windows 7 32-Bit
    • Windows Vista 32-bit
Summary

WFBS-SVC allows you to export logs to syslog format using the Log Forwarder API. You can then further analyze the exported data in your syslog management tool. This article contains a step-by-step guide on how to activate the Log Forwarder API in WFBS-SVC.

Details
  1. Send a request for access to the Log Forwarder API to our WFBS-SVC Technical Support team. Send your request along with your WFBS-SVC Activation Code/s by contacting Trend Micro Technical Support.
  2. Our WFBS-SVC Technical Support team will send you the Cloud Services Platform Integration (CSPI) key pair and the public key, both of which are required to set up Log Forwarder.
  1. Install Python on Windows, macOS or Linux. Python 2 is recommended.
  2. Install or upgrade pip (Python package manager) on Windows, macOS or Linux. For more information, refer to this Installing Python packages guide.
  3. Install all required Python packages. Open Windows Command Prompt or macOS/Linux Terminal, locate pip.exe and key in the following commands:

    • # pip install pycrypto==2.6.1

      Install Microsoft Visual C++ Compiler for Python 2.7 if the pycrypto installation fails with an error message on Windows.

    • # pip install requests==2.18.1

    • # pip install pytz

  1. Download end_customer.zip or vendor.zip depending on your license and extract the files using the password "trend".
  2. Configure logfeeder.ini file. Fill in all required information.

    [cspi]
    ACCESS_TOKEN = aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
    SECRET_KEY = ssssssssaaaaaaaammmmmmppppppplllllllleeeeee=
    SERVER_HOSTNAME = cspi.trendmicro.com
    SERVER_PORT = 443

    [logfeeder]
    public_file_path = ./my_public.key
    password = my_password
    log_types = virus,spyware,wtp,url_filtering,behavior_monitoring,device_control,application_control,machine_learning,network_virus,outbreak_defense
    storage_path = ./logs/

    • ACCESS_TOKEN is one half of the CSPI key pair provided by the Product Manager.
    • SECRET_KEY is the other half of the CSPI key pair provided by the Product Manager.
    • SERVER_HOSTNAME is the CSPI FQDN (no need to change).
    • SERVER_PORT should be 443 (no need to change).
    • public_file_path is the location of your public key (e.g. C:\my_public.key). Environment variables are not supported.
    • password protects the log archives; you need it to unzip each archive. The "%" symbol is not supported in the password.
    • log_types are the threat types you would like to download from the log archive. There are 10 threat types; separate them with commas.
    • storage_path is the location where you would like to keep the log archives (e.g. C:\logs\). Environment variables are not supported.
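As an added example (not part of this article and not Trend Micro's scripts), the following Python 3 check reads a logfeeder.ini and reports any violation of the constraints listed above before subscribe.py is run: both CSPI keys present, port 443, a password of at most 100 characters without "%", only the ten allowed log types, and no environment variables in the paths. The sample ini text is constructed to mirror the template, and the function name validate_logfeeder_ini is an assumption of this example.

```python
"""Validate a logfeeder.ini before running subscribe.py (added example)."""
import configparser
import os

# The ten log types the Log Forwarder API accepts (listed in the article).
VALID_LOG_TYPES = {
    "virus", "spyware", "wtp", "url_filtering", "behavior_monitoring",
    "device_control", "application_control", "machine_learning",
    "network_virus", "outbreak_defense",
}

# Constructed sample that mirrors the article's logfeeder.ini template.
SAMPLE_INI = """
[cspi]
ACCESS_TOKEN = aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
SECRET_KEY = ssssssssaaaaaaaammmmmmppppppplllllllleeeeee=
SERVER_HOSTNAME = cspi.trendmicro.com
SERVER_PORT = 443

[logfeeder]
public_file_path = ./my_public.key
password = my_password
log_types = virus,spyware,wtp
storage_path = ./logs/
"""

REQUIRED = (
    ("cspi", ("ACCESS_TOKEN", "SECRET_KEY", "SERVER_HOSTNAME", "SERVER_PORT")),
    ("logfeeder", ("public_file_path", "password", "log_types", "storage_path")),
)


def validate_logfeeder_ini(text, check_paths=False):
    """Return a list of problems found in the ini text (an empty list means OK).

    With check_paths=True the key file and storage path must also exist.
    """
    problems = []
    # interpolation=None: a '%' in a value must be reported, not expanded.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)

    for section, keys in REQUIRED:
        if not cfg.has_section(section):
            problems.append("missing [%s] section" % section)
            continue
        for key in keys:
            if not cfg.get(section, key, fallback="").strip():
                problems.append("[%s] %s is empty" % (section, key))
    if problems:
        return problems

    if cfg.get("cspi", "SERVER_PORT").strip() != "443":
        problems.append("SERVER_PORT should be 443")

    password = cfg.get("logfeeder", "password")
    if len(password) > 100:
        problems.append("password longer than 100 characters (API error 406)")
    if "%" in password:
        problems.append("password contains '%', which is not supported")

    types = [t.strip() for t in cfg.get("logfeeder", "log_types").split(",") if t.strip()]
    if not types:
        problems.append("log_types must list at least one type (API error 411)")
    unknown = sorted(set(types) - VALID_LOG_TYPES)
    if unknown:
        problems.append("unknown log_types: %s" % ", ".join(unknown))

    for key in ("public_file_path", "storage_path"):
        value = cfg.get("logfeeder", key).strip()
        # %VAR% (Windows) and $VAR (Unix) are not expanded by the scripts.
        if "%" in value or "$" in value:
            problems.append("%s uses an environment variable, which is not supported" % key)
        if check_paths and not os.path.exists(value):
            problems.append("%s does not exist: %s" % (key, value))
    return problems


if __name__ == "__main__":
    for line in validate_logfeeder_ini(SAMPLE_INI) or ["logfeeder.ini looks valid"]:
        print(line)
```

Run it against the real file with validate_logfeeder_ini(open("logfeeder.ini").read(), check_paths=True); an empty list means the entries satisfy every rule the article states, which avoids a wasted day waiting for an archive that a rejected subscription never produces.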
  1. Subscribe to the API.

    It takes one day to prepare the log archive of the previous day. Run the subscribe script at least one day before running the query script.

    Make sure to update logfeeder.ini first and that the entries are correct (e.g. CSPI keys, log_types or password). Open Windows Command Prompt or macOS/Linux Terminal and run the following command:

    # python subscribe.py

  2. Query and download the log archive. Open Windows Command Prompt or macOS/Linux Terminal and run the following command:

    # python query_logs.py

    Log archives downloaded using query_logs.py are the log archives of the previous day. For example, running query_logs.py on August 4 will download the log archives for August 3. Log archives are created at 5:30 UTC.

    Locate the log storage path and decompress the log archives with your password.

  3. Unsubscribe from the API.

    If you unsubscribe from the Log Feeder API, the service will no longer prepare the log archive on a daily basis.

    Open Windows Command Prompt or macOS/Linux Terminal and run the following command:

    # python subscribe.py --unsubscribe

If you would like to customize the script that downloads log archives, refer to the following API documents to compose your own script. There are TWO types of API documents (End customer and Partner); refer to the one that corresponds to your subscription.

There are two APIs for the Log Forwarder feature:

  • Subscribe API: pass the log types to subscribe to, the subscribe status (0 or 1), and the encrypted password. The service uses this information to generate the log archives and to protect the files with the password.
  • Query log API: pass a log time interval (start time and end time) to query the logs within that time range.
  • HTTP Request

    POST /SMPI/service/wfbss/customer/api/1.0/logfeeder/subscribe

  • Parameters

    Name        Type       Description
    log_types   String []  List of log types.
                           Available log types: 'virus', 'spyware', 'wtp', 'url_filtering',
                           'behavior_monitoring', 'device_control', 'application_control',
                           'machine_learning', 'network_virus', 'outbreak_defense'
    subscribe   Number     Enable/Disable subscribe. Allowed values: 1, 0.
    password    String     Encrypted password.

  • HTTP Request Example

    POST /SMPI/service/wfbss/customer/api/1.0/logfeeder/subscribe

  • Request Body

    {
        "log_types": ["virus", "spyware"],
        "subscribe": 1,
        "password": "encrypted_password"
    }

  • Response

    If successful, this method returns an HTTP 200 OK status code and an empty response body.

  • HTTP Request

    GET /SMPI/service/wfbss/customer/api/1.0/logfeeder/query_logs

  • Parameters

    Name         Type     Description
    start_time   Number   Query start time (UNIX timestamp)
    end_time     Number   Query end time (UNIX timestamp)

  • HTTP Request Example

    GET /SMPI/service/wfbss/customer/api/1.0/logfeeder/query_logs?start_time=1500866714&end_time=1500866814

  • Response

    If successful, this method returns an HTTP 200 OK status code and a response body with the following structure:

    {
        "files": [
            "https://wfbss-excess-log-url-filtering-test.s3.amazonaws.com/log_feeder/0000264297/2017_06_15_07_40_39/virus_2017_06_14_p000.7z?AWSAccessKeyId=AKIAIB4PHQXCALCTBZCA&Expires=1498117240&Signature=P8607N7yDvk9CaeMD8ucOZCy0yc%3D",
            "https://wfbss-excess-log-url-filtering-test.s3.amazonaws.com/log_feeder/0000264297/2017_06_15_07_40_39/spyware_2017_06_14_p000.7z?AWSAccessKeyId=AKIAIB4PHQXCALCTBZCA&Expires=1498117243&Signature=XAa8pdaWbCBRJTGRRaSNyBJnKjY%3D"
        ],
        "last_record": 1497484799
    }
  • HTTP Request

    POST /SMPI/{version}/service/wfbss/customer/api/1.0/logfeeder/subscribe

  • Parameters

    Name        Type       Description
    log_types   String []  List of log types.
                           Available log types: 'virus', 'spyware', 'wtp', 'url_filtering',
                           'behavior_monitoring', 'device_control', 'application_control',
                           'machine_learning', 'network_virus', 'outbreak_defense'
    subscribe   Number     Enable/Disable subscribe. Allowed values: 1, 0.
    password    String     Encrypted password.

  • HTTP Request Example

    POST /SMPI/{version}/service/wfbss/customer/api/1.0/logfeeder/subscribe

  • Request Body

    {
        "log_types": ["virus", "spyware"],
        "subscribe": 1,
        "password": "encrypted_password"
    }

  • Response

    If successful, this method returns an HTTP 200 OK status code and an empty response body.

  • HTTP Request

    GET /SMPI/service/wfbss/customer/api/1.0/logfeeder/query_logs

  • Parameters

    Name         Type     Description
    start_time   Number   Query start time (UNIX timestamp)
    end_time     Number   Query end time (UNIX timestamp)

  • HTTP Request Example

    GET /SMPI/service/wfbss/customer/api/1.0/logfeeder/query_logs?start_time=1500866714&end_time=1500866814

  • Response

    If successful, this method returns an HTTP 200 OK status code and a response body with the following structure:

    {
        "files": [
            "https://wfbss-excess-log-url-filtering-test.s3.amazonaws.com/log_feeder/0000264297/2017_06_15_07_40_39/virus_2017_06_14_p000.7z?AWSAccessKeyId=AKIAIB4PHQXCALCTBZCA&Expires=1498117240&Signature=P8607N7yDvk9CaeMD8ucOZCy0yc%3D",
            "https://wfbss-excess-log-url-filtering-test.s3.amazonaws.com/log_feeder/0000264297/2017_06_15_07_40_39/spyware_2017_06_14_p000.7z?AWSAccessKeyId=AKIAIB4PHQXCALCTBZCA&Expires=1498117243&Signature=XAa8pdaWbCBRJTGRRaSNyBJnKjY%3D"
        ],
        "last_record": 1497484799
    }

If there is any exception error while using the above scripts, check the response code and map it on the following table:

Error Code   Description
400          Subscribe should be either 0 or 1; the query time range should not be too large or too small (the interval should be between 0 and 4294967295).
401          Check your ACCESS_TOKEN and SECRET_KEY in logfeeder.ini and make sure that both are correct.
406          The password length should not be over 100 characters and must not contain an invalid character.
408          Please check your network connection. If your network connection is okay, try again after 30 minutes. Contact Trend Micro Technical Support if the issue remains.
411          log_types should contain at least one of the following: virus, spyware, wtp, url_filtering, behavior_monitoring, device_control, application_control, machine_learning, network_virus, outbreak_defense.
412          Please submit your request for access to the Log Feeder API to the WFBS-SVC Product Manager.
500          Please try again after 30 minutes. Contact Trend Micro Technical Support if the issue remains.
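For anyone composing their own download script, the following Python 3 helpers are an added example (not Trend Micro's query_logs.py) covering the query_logs API and the error-code table above: they compute the previous-day window the archives cover, build and range-check the GET request, parse the documented {"files": [...], "last_record": N} response, and map a status code to the table's hint. CSPI request signing is not described in this article, so sending the request is left to the real client. The sample response is constructed in the documented shape with placeholder bucket, account id and query-string values; the names previous_day_window, build_query_url, parse_query_response and hint_for_status are this example's own.

```python
"""Request building and response parsing for the query_logs API (added example)."""
import datetime
import json
import posixpath
from urllib.parse import urlencode, urlsplit

QUERY_PATH = "/SMPI/service/wfbss/customer/api/1.0/logfeeder/query_logs"
MAX_INTERVAL = 4294967295  # largest allowed end_time - start_time (error 400 text)

# Error table from the article, keyed by HTTP status code.
ERROR_HINTS = {
    400: "subscribe must be 0 or 1, or the query interval is out of range",
    401: "check ACCESS_TOKEN and SECRET_KEY in logfeeder.ini",
    406: "password over 100 characters or contains an invalid character",
    408: "network problem; retry after 30 minutes",
    411: "log_types must contain at least one valid log type",
    412: "Log Feeder API access has not been granted for this account",
    500: "server error; retry after 30 minutes",
}

# Constructed sample response in the documented shape; the bucket, account id
# and query-string values are placeholders, not real credentials.
SAMPLE_RESPONSE = json.dumps({
    "files": [
        "https://example-bucket.s3.amazonaws.com/log_feeder/0000000000/"
        "2017_06_15_07_40_39/virus_2017_06_14_p000.7z"
        "?AWSAccessKeyId=EXAMPLEKEY&Expires=1498117240&Signature=EXAMPLESIG",
        "https://example-bucket.s3.amazonaws.com/log_feeder/0000000000/"
        "2017_06_15_07_40_39/url_filtering_2017_06_14_p000.7z"
        "?AWSAccessKeyId=EXAMPLEKEY&Expires=1498117243&Signature=EXAMPLESIG",
    ],
    "last_record": 1497484799,
})


def previous_day_window(now_utc):
    """Return (start_time, end_time) UNIX timestamps spanning the previous UTC day.

    Archives cover the previous day and are created at 5:30 UTC, so a query
    run after that time asks for yesterday 00:00:00 through 23:59:59 UTC.
    """
    day_start = datetime.datetime.combine(
        now_utc.date() - datetime.timedelta(days=1),
        datetime.time(), tzinfo=datetime.timezone.utc)
    day_end = day_start + datetime.timedelta(days=1, seconds=-1)
    return int(day_start.timestamp()), int(day_end.timestamp())


def build_query_url(start_time, end_time):
    """Range-check the interval (client-side mirror of error 400) and build the GET path."""
    interval = end_time - start_time
    if not 0 <= interval <= MAX_INTERVAL:
        raise ValueError("interval must be between 0 and %d" % MAX_INTERVAL)
    return QUERY_PATH + "?" + urlencode({"start_time": start_time, "end_time": end_time})


def parse_query_response(body):
    """Parse the documented response body into (archives, last_record).

    Each archive keeps only the file name, log type, date and part parsed
    from the URL path. The presigned query string (AWSAccessKeyId, Expires,
    Signature) grants download access by itself, so it is kept out of the
    returned records and therefore out of anything that gets logged.
    """
    data = json.loads(body)
    archives = []
    for url in data.get("files", []):
        name = posixpath.basename(urlsplit(url).path)  # e.g. virus_2017_06_14_p000.7z
        stem = name[:-3] if name.endswith(".7z") else name
        parts = stem.split("_")
        # Layout is <log_type>_<YYYY>_<MM>_<DD>_p<NNN>; log_type may itself contain '_'.
        archives.append({
            "file": name,
            "log_type": "_".join(parts[:-4]),
            "date": "-".join(parts[-4:-1]),
            "part": parts[-1],
        })
    return archives, data.get("last_record")


def hint_for_status(status):
    """Map an HTTP status code to the article's troubleshooting hint."""
    return ERROR_HINTS.get(status, "unexpected status %d" % status)


if __name__ == "__main__":
    start, end = previous_day_window(datetime.datetime.now(datetime.timezone.utc))
    print(build_query_url(start, end))
    for archive in parse_query_response(SAMPLE_RESPONSE)[0]:
        print(archive)
```

The day boundaries agree with the sample response above: its last_record of 1497484799 is 23:59:59 UTC on 2017-06-14, the day named in the archive file names. Keep the full presigned URLs only in memory for the download itself; the parsed records are what belongs in your own log output.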
Category:
Configure; SPEC
Solution Id:
1118040