Manage Network Security instances in your VPC using CloudWatch and the Network
Security management interface. AWS CloudWatch is a tool, provided by Amazon, that
enables you to manage your instances within your Amazon account. Use the Network
Security management interface in conjunction with CloudWatch to monitor your Network
Security instances.
Update Network Security certificate
Certificates for Network Security virtual appliances expire after two years. This
might lead to your instance showing as "Not communicating" in the
Network Security management interface, even though the instance still appears to
be healthy in AWS and is still passing traffic without network disruption.
![]() |
NoteCertificates for Network Security virtual appliances that are deployed with
hosted infrastructure are managed by Trend Micro and do not require a manual
update.
|
To check if your instance certificate has expired, you can use the Network
Security CLI to search for a certificate error in the system log. You can use
the following command to search the system log for the certificate error:
show log-file system search sslv3 alert certificate
![]() |
NoteA valid SSH key pair is required to access the CLI. If you no longer have
access to your SSH key, we recommend deploying a new instance.
|
If your Network Security virtual appliance certificate has expired, use the
following steps to update your certificate.
Before you begin, make sure you have access to the following:
- A valid SSH key pair: The SSH key pair (.pem file) used to access your virtual appliance. If you no longer have access to your SSH key, we recommend deploying a new instance.
- A bastion host: Ensure that you can connect to your virtual appliance using a bastion host, VPN, or other method. Learn more about creating a bastion host.
If your Network Security virtual appliance certificate has expired, follow these
steps to update your certificate:
Procedure
- Unregister the expired appliance by navigating to Network →
Appliances in the Network Security management interface and
selecting Unregister under Select Action.
- Modify your security group settings to allow SSH access. Use ENI0 for
virtual appliances that are directly inline, and use ENI1 for appliances
behind a Gateway Load Balancer. Learn more about creating security groups.
Note
Block SSH access again after updating your certificate. - Generate a Network Security appliance deployment token. Learn more about creating appliance deployment tokens.
Note
Some instances that are older than two years might not support appliance deployment tokens. If this is the case, use an API key instead of an appliance deployment token. Learn more about creating a Trend Cloud One API key. - SSH into the Network Security virtual appliance CLI using the following
command:
ssh -i <pem-file> admin@<NSVA-mgmt-ENI-IP>
- Enter the following commands:
cloudone unregister
cloudone register <appliance deployment token>
- Confirm that your instance was updated by checking the Network →
Appliances page in the Network Security management
interface.
Note
After confirming that the instance was updated, redistribute your policies.
CloudWatch
CloudWatch is an Amazon tool that provides the following services:
- Application monitoring.
- System-wide visibility of your Network Security deployment.
- Resource optimization such as auto scaling to add or remove instances.
- Operational health.
You can also set up your CloudWatch system to send logs to an S3 bucket or to a
Slack channel. An AWS IAM role must be attached to the EC2 instance that you are
using for Network Security.
For more information about CloudWatch, refer to the AWS CloudWatch documentation page.
Enable CloudWatch logs
![]() |
NoteYour Network Security virtual appliances must use version 2020.10.0 or later
to successfully configure CloudWatch logs using APIs.
|
Use the following APIs to enable and support CloudWatch logging features in your
environment.
To enable the management interface to configure the CloudWatch log settings to
the Network Security virtual appliance:
POST /api/appliances/{id}/cloudwatchlogconfig
To enable the management interface to retrieve the CloudWatch log settings from
the Network Security virtual appliance:
GET /api/appliances/{id}/cloudwatchlogconfig
Learn more about these APIs in the API Reference.
CloudWatch log streaming using APIs scripts
To configure CloudWatch log streaming, you must use APIs. Some strategic
scripting enables you to streamline this configuration.
Before you begin
Make sure you have the following resources before you continue:
- Deploy at least one Network Security virtual appliance using version 2020.10.0 or later. [Learn more](Network Security for AWS.md).
- Create a Trend Micro Cloud One API key to authenticate API calls. Learn more.
- Download and install curl.
- Install jq for
Bash. The Bash script uses jq to parse JSON data. To verify your
installation, run the
jq --version
command from your terminal.
1. Determine the IDs of your managed virtual appliances
Before you begin configuring your CloudWatch log settings, determine the IDs of
your managed virtual appliances. You will use these IDs to enable and disable
CloudWatch logs on your the appliances.
To retrieve a list of all your managed appliances, enter the following in curl.
Replace
<YOUR_API_KEY>
with your Trend Micro Cloud One
API key and <YOUR_CLOUDONE_REGION>
with the Trend Micro
Cloud One region of your account.SECRET= "<YOUR_API_KEY>" region="<YOUR_CLOUDONE_REGION>" # For example: "us-1" url="https://network.${region}.cloudone.trendmicro.com/api/appliances" curl --location --request GET "${url}" \ --header "Authorization: ApiKey ${SECRET}" \ --header "api-version: v1"
This generates an output similar to the following:
{ "next": null, "totalCount": 1, "appliances": [{ "ID": 1, "instanceId": "i-xxxxxxxxxxxee0d24", "provider": "AWS", "hostName": "i-xxxxxxxxxxx0d24", "tosVersion": "5.5.0.10625", "dvVersion": "4.0.0.9442", "auxDv": { "Malware": { "Version": null } }, "providerMetadata": [{ "key": "accountId", "value": "XXXXXXXXXXXX" }, { "key": "availabilityZone", "value": "sa-east-1a" }, { "key": "instanceType", "value": "c5n.2xlarge" }, { "key": "region", "value": "sa-east-1" }, { "key": "vpc", "value": "vpc-xxxxxxxxxxxx06a00" }] }] }
This output indicates that you have a single Network Security virtual appliance
managed by the Trend Micro Cloud One service, and the appliance has an ID of
1
.Learn more about the structure of this appliance object output.
2. Configure CloudWatch log settings on your appliance
You can enable the following appliance logs to be streamed to CloudWatch:
- System logs
- Audit logs
- Host logs
- ipsAlert logs
- ipsBlock logs
- reputationBlock logs
- reputationAlert logs
- Quarantine logs
- SSL (TLS) logs
The following curl example shows how to stream an appliance's ipsBlock logs to
CloudWatch. In the example:
- You can specify a name for the CloudWatch Log Group variable and the Stream
variable, or accept the default values. This example specifies
network-security-block-events
for the Log Group Name, but accepts the default Stream name. - Replace
<YOUR_CLOUDONE_REGION>
with the Trend Micro Cloud One region of your account. - Replace
<YOUR_API_KEY>
with your Trend Micro Cloud One API key. - Replace
<Appliance ID>
with the ID of your appliance.
SECRET= "<YOUR_API_KEY>" region="<YOUR_CLOUDONE_REGION>" # For example: "us-1" applianceID="<Appliance ID>" curl --location --request POST "https://network.${region}.cloudone.trendmicro.com/api/appliances/${applianceID}/cloudwatchlogconfig" \ --header "Authorization: ApiKey ${SECRET}" \ --header "api-version: v1" \ --header "Content-Type: application/json" \ --data-raw '{ "logTypes": [ { "logGroupName": "network-security-block-events", "logName": "ipsBlock", "enable": true } ] }'
Learn more about the structure of this output.
3. Verify your CloudWatch log configuration
The following curl example shows how to verify your CloudWatch log configuration.
In the example:
- Replace
<YOUR_CLOUDONE_REGION>
with the Trend Micro Cloud One region of your account. - Replace
<YOUR_API_KEY>
with your Trend Micro Cloud One API key. - Replace
<Appliance ID>
with the ID of your appliance.
SECRET= "<YOUR_API_KEY>" region="<YOUR_CLOUDONE_REGION>" # For example: "us-1" applianceID="<Appliance ID>" curl --location --request GET "https://network.${region}.cloudone.trendmicro.com/api/appliances/${applianceID}/cloudwatchlogconfig" \ --header "Authorization: ApiKey ${SECRET}" \ --header "api-version: v1"
An API response similar to the
following indicates that the only log type enabled is ipsBlock:
{ "next": null, "totalCount": null, "logTypes": [ { "logGroupName": "ips", "logStreamName": "system_{instance_id}", "logName": "system", "enable": false }, { "logGroupName": "ips", "logStreamName": "audit_{instance_id}", "logName": "audit", "enable": false }, { "logGroupName": "ips", "logStreamName": "host_{instance_id}", "logName": "host", "enable": false }, { "logGroupName": "network-security-block-events", "logStreamName": "ipsBlock_{instance_id}", "logName": "ipsBlock", "enable": true }, { "logGroupName": "ips", "logStreamName": "ipsAlert_{instance_id}", "logName": "ipsAlert", "enable": false }, { "logGroupName": "ips", "logStreamName": "reputationBlock_{instance_id}", "logName": "reputationBlock", "enable": false }, { "logGroupName": "ips", "logStreamName": "reputationAlert_{instance_id}", "logName": "reputationAlert", "enable": false }, { "logGroupName": "ips", "logStreamName": "quarantine_{instance_id}", "logName": "quarantine", "enable": false } { "logGroupName": "network-security-block-events", "logStreamName": "sslInspection_{instance_id}", "logName": "sslInspection", "enable": false } ] }
In addition, the response confirms that
network-security-block-events
matches the Log Group
variable name you specified earlier, and the Stream name variable displays the
default value ipsBlock_{instance_id}
. When the log stream is
created, this {instance_id}
value will be replaced by the
actual ID of your virtual appliance.Learn more about the structure of this output.
Complete configuration example
The API script that follows enables ipsBlock and ipsAlert logs on all of your
managed virtual appliances. To execute this script:
Procedure
- Ensure that you have completed your
prerequisites.
- Paste the following example code to a
.sh
file (for example,cloudwatch-api-script.sh
), replacing<YOUR_API_KEY>
with your Trend Micro Cloud One API key and<YOUR_CLOUDONE_REGION>
with your Trend Micro Cloud One account's region, then save:SECRET= "<YOUR_API_KEY>" region="<YOUR_CLOUDONE_REGION>" # For example: "us-1" url="https://network.${region}.cloudone.trendmicro.com/api/appliances" echo "Getting list of appliances" response=$(curl --location --request GET ${url} \ --header "Authorization: ApiKey ${SECRET}" \ --header "api-version: v1" \ --silent) parsed=$(echo "${response}" | jq '.appliances') len=$(echo "$parsed" | jq '. | length') echo "Number of appliances found: $len" if [[ ${len} == 0 ]]; then echo "Try deploying an appliance using CloudFormation Script." exit else appliance="$(echo "${parsed[@]}" | jq -r .[].ID)" for id in ${appliance} do echo "Configuring AWS CloudWatch log settings on the NSVA ID: $id" curl --location --request POST "${url}/${id}/cloudwatchlogconfig" \ --header "Authorization: ApiKey ${SECRET}" \ --header "api-version: v1" \ --header "Content-Type: application/json" \ --data-raw '{ "logTypes": [ { "logGroupName": "network-security-block-events", "logName": "ipsBlock", "enable": true }, { "logGroupName": "network-security-alert-events", "logName": "ipsAlert", "enable": true } ] }' done fi
- Run the script using one of the following methods:
sh cloudwatch-api-script.sh
bash cloudwatch-api-script.sh
4. View logs in CloudWatch
After successfully configuring CloudWatch logs on your virtual appliance, follow
these steps to view the logs using the AWS Management Console:
Procedure
- Open the AWS CloudWatch console: https://console.aws.amazon.com/cloudwatch/.
- Select Log groups from the navigation pane.
- Select the log group that you want to review.
Troubleshooting tips
Status codes generally fall into three classes:
- 2xx codes indicate success
- 4xx codes indicate client errors
- 5xx codes indicate server errors
The status code for all the preceding APIs you run should be
200
.If a client or server status code is returned, consider the following
possibilities:
- 400 client code errors – Indicates an invalid payload for your API's POST method. Examine the API's response code for a detailed explanation of the error in the "additional details" field. Learn more about GET and SET payload APIs.
- 401 client code errors – Indicates an invalid API key, and
displays an
"Authorization Required"
message. Verify that your API key is correct, and try calling the API again. - 503 server code errors – Indicates that a scheduled or unscheduled outage prohibited your server from handling your request. Allow some time for the outage to end and the server to restore before calling the API again.