How to send Endpoint Application Control (EAC) 2.0 policy violation events to Syslog Server

    • Updated: 3 Sep 2018
    • Product/Version: Endpoint Application Control 2.0
    • Platform: N/A
Summary

Use this article to perform the following tasks:

  • Configure Splunk to receive application events from the EAC server
  • Create a PowerShell script and a Windows Task Scheduler task that automatically send application events every hour to Splunk or any other syslog server
Details

Follow these steps:

  1. Enable Splunk to listen on UDP port 514.
    1. Log on to your Splunk server.

    2. Go to Settings > Add Data.

    3. Click Monitor.

    4. Select TCP/UDP.

    5. Select UDP, and set port to 514. Click Next.

    6. Change “Source Type” to “metrics_csv”, and click Review >.

    7. Review and click Submit to complete the setup.

  2. Create a PowerShell script that exports the raw EAC application events from the last hour and sends them to Splunk.
    1. Copy the following PowerShell script into Notepad and save it as “tmeac_generate_raw_events_send_syslog.ps1”.
      # TMEAC URL and Console Login
      # The credentials are stored in clear text; restrict read access to this script file.
      $username = "root"
      $password = "rootpassword"
      $server = "http://eac-server:8080"

      # Last-hour Application Event Date Range (UTC; the format strings truncate both ends to the hour)
      $now = (Get-Date).ToUniversalTime()
      $from = $now.AddHours(-1)
      $to = $from.AddHours(1)
      $range = ("[{0:yyyy-MM-dd'T'HH:00:00} TO {1:yyyy-MM-dd'T'HH:00:00}]" -f $from, $to)
      $range = [uri]::EscapeDataString($range)

      # Application Events Output Log File
      # Written next to the script, so the path is the same whether it is run interactively or by Task Scheduler
      $scriptDir = Split-Path -Parent $MyInvocation.MyCommand.Path
      $outFile = Join-Path $scriptDir "tmeac_raw_events.log"
      $base64AuthInfo = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes(("{0}:{1}" -f $username,$password)))
      $url = "$server/acserver/es/events/event/_data?format=csv&csv.separator=,&size=1000&df=received&q=$range"
      Invoke-RestMethod -Headers @{Authorization=("Basic {0}" -f $base64AuthInfo)} `
      -Uri $url `
      -OutFile $outFile

      # Syslog Server UDP Protocol Settings
      [int] $port=514 #Listening Port of Syslog Server/SIEM Server
      $IP="syslog.server" #IP Address or hostname of Syslog Server/SIEM Server
      $lines=Get-Content $outFile | Select-Object -Skip 1 #Raw event lines; the first line is the CSV header and is skipped

      # TMEAC Raw Events Send Action: one UDP datagram per CSV line
      Write-Host "Start sending data to Syslog / SIEM Server"
      $udpclient=New-Object System.Net.Sockets.UdpClient
      try
      {
      foreach ($line in $lines)
      {
      Write-Host $line
      $b=[Text.Encoding]::ASCII.GetBytes($line)
      # UdpClient.Send resolves $IP itself, so either an IP address or a hostname works here
      $bytesSent=$udpclient.Send($b,$b.Length,$IP,$port)
      }
      }
      finally
      {
      $udpclient.Close()
      }
      Write-Host "Completed!!!"
       
      Modify the following parts of the script according to your environment.
      $username = "root"
      $password = "rootpassword"
      $server = "http://eac-server:8080"
      $IP="syslog.server"
    2. Open Windows PowerShell and execute the script to test.

      For instance: >.\tmeac_generate_raw_events_send_syslog.ps1

    A tmeac_raw_events.log file is created in the same folder where you ran the script. To view it properly, save the file with a .CSV extension and open it in MS Excel.

  3. Verify that the EAC Policy Events are received by the Splunk server.
    1. Log on to the Splunk server and go to “Search & Reporting”.

    2. Click Data Summary.

    3. Click Sources and select “udp:514”.

    4. Verify that the raw EAC Policy Events are displayed.

    Syslog administrators can extract the fields needed for creating an EAC Report or a statistical display of Application Control Policy Violations.

  4. Create a scheduled task that automatically runs the PowerShell script every hour.
    1. Open a Command prompt (cmd.exe) and run the following:

      >schtasks /create /TN tmeac_splunk /TR "powershell.exe -file C:\temp\tmeac_generate_raw_events_send_syslog.ps1" /SC HOURLY /RU system

    2. Open Task Scheduler and verify that the scheduled task is created.

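The script in step 2 sends each CSV line as a bare UDP datagram, which suits the Splunk “metrics_csv” input configured in step 1 but gives a general syslog receiver no priority, timestamp or source host to work with. The following is an added example, not part of the original article, showing how to wrap each event line in an RFC 5424 header before sending it; the facility, severity, app name, “syslog.server” target and the sample event lines are assumptions, not values from EAC.

```powershell
# Added example: wrap an EAC CSV event line in an RFC 5424 syslog header
# before sending it over UDP 514. Facility 1 (user-level) and severity 4
# (warning) are assumed values; adjust them to local conventions.
function ConvertTo-SyslogMessage {
    param(
        [Parameter(Mandatory)][string]$Line,
        [int]$Facility = 1,
        [int]$Severity = 4,
        [string]$AppName = "tmeac"
    )
    $pri       = ($Facility * 8) + $Severity    # PRI = facility * 8 + severity
    $timestamp = (Get-Date).ToUniversalTime().ToString("yyyy-MM-dd'T'HH:mm:ss.fff'Z'")
    $hostname  = $env:COMPUTERNAME
    # RFC 5424 layout: <PRI>VERSION TIMESTAMP HOSTNAME APP-NAME PROCID MSGID SD MSG
    # PROCID, MSGID and structured data are sent as the nil value "-".
    return "<$pri>1 $timestamp $hostname $AppName - - - $Line"
}

function Send-SyslogUdp {
    param(
        [Parameter(Mandatory)][string[]]$Lines,
        [string]$Server = "syslog.server",   # placeholder from the article; replace with your receiver
        [int]$Port = 514
    )
    # One UdpClient for the whole batch; Send() accepts a hostname or an IP address.
    $udp = New-Object System.Net.Sockets.UdpClient
    try {
        foreach ($line in $Lines) {
            if ([string]::IsNullOrWhiteSpace($line)) { continue }
            $msg   = ConvertTo-SyslogMessage -Line $line
            $bytes = [Text.Encoding]::UTF8.GetBytes($msg)
            [void]$udp.Send($bytes, $bytes.Length, $Server, $Port)
        }
    }
    finally {
        $udp.Close()
    }
}

# Constructed sample standing in for tmeac_raw_events.log; the column names and
# values are made up for this example. The first line is the CSV header and is skipped,
# exactly as the step 2 script does with "Select-Object -Skip 1".
$sample = @(
    'received,endpoint,action,application',
    '2018-09-03T09:15:22Z,WS-042,Block,C:\Users\jdoe\Downloads\unknown.exe'
) | Select-Object -Skip 1
Send-SyslogUdp -Lines $sample
```

To use this in place of the raw send loop, replace the loop in the step 2 script with a call to Send-SyslogUdp on $lines; keep the raw loop if the receiver is the Splunk metrics_csv input, which expects unwrapped CSV.
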
Category: Configure
Solution Id: 1120625