WFBS-SVC allows you to export logs to syslog format using the Log Forwarder API. You can then further analyze the exported data in your syslog management tool. This article contains a step-by-step guide on how to activate the Log Forwarder API in WFBS-SVC.
- Request access to the Log Forwarder API from the WFBS-SVC Technical Support team by contacting Trend Micro Technical Support, and include your WFBS-SVC Activation Code(s) with the request.
- The WFBS-SVC Technical Support team will send you the Cloud Services Platform Integration (CSPI) key pair, which is required to set up the Log Forwarder.
- Install Python on Windows, macOS or Linux. Python 3 is recommended.
- Install or upgrade pip (the Python package manager) on Windows, macOS or Linux. For more information, refer to the pip installation documentation.
Install all required Python packages. Open Windows Command Prompt or macOS/Linux Terminal, locate pip.exe and key in the following commands:
- Download end_customer.zip or partner.zip depending on your license and extract the files using the password "trend".
Configure the logfeeder.ini file and fill in all required information:
ACCESS_TOKEN = aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
SECRET_KEY = ssssssssaaaaaaaammmmmmppppppplllllllleeeeee=
SERVER_HOSTNAME = cspi.trendmicro.com
SERVER_PORT = 443
log_types = virus,spyware,wtp,url_filtering,behavior_monitoring,device_control,application_control,machine_learning,network_virus,dlp
storage_path = ./logs/
- ACCESS_TOKEN is one part of the CSPI key pair provided by the Product Manager.
- SECRET_KEY is the other part of the CSPI key pair provided by the Product Manager.
- SERVER_HOSTNAME is the CSPI FQDN (no need to change).
- SERVER_PORT should be 443 (no need to change).
- log_types are the threat types you want to download from the log archive. There are 10 threat types; separate them with commas.
- storage_path is the location where log archives are kept (e.g. C:\logs\). Environment variables are not supported.
- specific_customers lists the customers (by company name) you want to query. Separate customers with a semicolon and no spaces. To stop creating daily log archives for a specific customer, remove that customer from this parameter (Partner only).
- append_customer_name toggles whether the customer name is appended to each log entry. Use true or false to turn it on or off (Partner only; optional).
- create_folder_using_cid toggles whether folders are created by customer ID (cid) instead of customer name. Use true or false to turn it on or off (Partner only; optional).
Sample virus logs:
Query and download the log archive. Open Windows Command Prompt or macOS/Linux Terminal and run the following command:
For End Customers:
# python end_customer_query_logs.py
For MSP Partners:
# python partner_query_logs.py
If the scripts above raise an exception, check the response code against the following table:

| Response code | Action |
|---|---|
| 401 | Check your ACCESS_TOKEN and SECRET_KEY in logfeeder.ini and make sure that both are correct. |
| 408 | Check your network connection. If your network connection is okay, try again after 30 minutes. Contact Trend Micro Technical Support if the issue remains. |
| 412 | Submit your request for access to the Log Feeder API to the WFBS-SVC Product Manager. |
| 500 | Try again after 30 minutes. Contact Trend Micro Technical Support if the issue remains. |
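The logfeeder.ini rules listed above and the response-code table, as an added Python example that is not part of this article or of the Trend Micro query scripts: it parses a logfeeder.ini, reports settings that break the stated rules (wrong host or port, unknown log type, environment variables in storage_path, non-boolean toggles), and maps a response code to the documented action. The sample file content, the [logfeeder] section header it prepends, and the condensed action strings are this example's own assumptions.

```python
import configparser
# Constructed sample logfeeder.ini for this example (placeholder credentials, not a real key pair).
SAMPLE_INI = """ACCESS_TOKEN = aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee
SECRET_KEY = ssssssssaaaaaaaammmmmmppppppplllllllleeeeee=
SERVER_HOSTNAME = cspi.trendmicro.com
SERVER_PORT = 443
log_types = virus,spyware,wtp,url_filtering,behavior_monitoring,dlp
storage_path = ./logs/
"""
VALID_LOG_TYPES = {"virus", "spyware", "wtp", "url_filtering", "behavior_monitoring", "device_control",
                   "application_control", "machine_learning", "network_virus", "dlp"}
RESPONSE_ACTIONS = {  # condensed from the article's response-code table
    401: "Check ACCESS_TOKEN and SECRET_KEY in logfeeder.ini.",
    408: "Check the network connection; retry after 30 minutes, then contact Technical Support.",
    412: "Request access to the Log Feeder API from the WFBS-SVC Product Manager.",
    500: "Retry after 30 minutes; contact Technical Support if the issue remains.",
}

def parse_logfeeder_ini(text):
    # The file in the article shows no [section] header, so one is prepended (assumed layout).
    # interpolation=None so a '%' in a value (e.g. %USERPROFILE%) is read literally, not expanded.
    parser = configparser.ConfigParser(interpolation=None)
    parser.optionxform = str  # keep ACCESS_TOKEN distinct from access_token
    if not text.lstrip().startswith("["):
        text = "[logfeeder]\n" + text
    parser.read_string(text)
    return dict(parser[parser.sections()[0]])

def validate_settings(cfg):
    # Apply the rules the article states for each key; return the list of problems found.
    problems = []
    for key in ("ACCESS_TOKEN", "SECRET_KEY", "log_types", "storage_path"):
        if not cfg.get(key, "").strip():
            problems.append(f"{key} is missing or empty")
    if cfg.get("SERVER_HOSTNAME") != "cspi.trendmicro.com":
        problems.append("SERVER_HOSTNAME should be cspi.trendmicro.com")
    if cfg.get("SERVER_PORT") != "443":
        problems.append("SERVER_PORT should be 443")
    for t in (x.strip() for x in cfg.get("log_types", "").split(",") if x.strip()):
        if t not in VALID_LOG_TYPES:
            problems.append(f"unknown log type: {t}")
    if any(ch in cfg.get("storage_path", "") for ch in "%$"):
        problems.append("storage_path must not use environment variables")
    for flag in ("append_customer_name", "create_folder_using_cid"):
        if flag in cfg and cfg[flag].strip().lower() not in ("true", "false"):
            problems.append(f"{flag} must be true or false")
    return problems

def action_for(status):
    # Look up the documented action for an HTTP response code returned to the query scripts.
    return RESPONSE_ACTIONS.get(status, f"no documented action for response code {status}")
```

Running validate_settings over a real logfeeder.ini before the first query catches the 401-class mistakes (missing or swapped credentials) locally, without a round trip to the CSPI endpoint.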