For this type of syslog content mapping, enter the keys you want in the output in the CEF Keys field as {CEF Key 1}|{CEF Key 2}|...|{CEF Key n}, that is, separated by "|".
The following tables describe the mapping between the predefined and custom extension CEF keys and the corresponding Trend Micro Web Security log output (value). Note that extension values are written without quoting or escaping, so a value may itself contain spaces (for example cat=Search Engines/Portals) or an embedded JSON object (httpTrans).

CEF Access Logs

CEF Key | Description | Value
Header (logVer) | CEF format version | CEF:0
Header (vendor) | Appliance vendor | Trend Micro
Header (pname) | Appliance product name | Trend Micro Web Security
Header (pver) | Appliance version | Example: 3.0.0.2042
Header (eventid) | Signature ID | Example: 100000
Header (eventName) | Description | Access Log
Header (severity) | Risk level, derived from act | One of:
  • 0: act=allow/analyze
  • 1: act=monitor/warn/override
  • 2: act=block
rt | UTC timestamp | Example: Jul 05 2018 07:54:15 +0000
logType | Log type | One of:
  • 1: Successful access log
  • 5: Failed HTTPS access log
companyID | Company ID | Example: 7800fcab-7611-416c-9ab4-721b7bd6b076
adDomain | AD domain | Example: trendmicro.com.cn
userName | User name or client IP address | Example: 10.204.214.188
groupName | Group name | Example: testgroup1
userDepartment | User department | Example: finance department
gatewayName | Gateway name | Example: on-premise-2051
app | Protocol used | One of:
  • 1: HTTP
  • 2: HTTPS
  • 3: HTTP/2
transportBytes | Body size of a request or response | Example: 221030
dst | Destination IP address of the request | Example: 54.231.184.240
src | Source IP address of the request | Example: 10.204.214.188
upStreamSize | Upstream payload from Trend Micro Web Security to the server, in bytes | Example: 501
downStreamSize | Downstream payload from the server to Trend Micro Web Security, in bytes | Example: 220529
domainName | URL domain | Example: clients4.google.com
scanType | Scan type (the rule or engine that produced the verdict) | One of:
  • 0: No rule matched
  • 1: Client certificate is required
  • 2: Untrusted server certificate
  • 10: Approved URLs/Blocked URLs
  • 13: Client not allowed
  • 14: Destination port not allowed
  • 15: Access to private address
  • 20: Web Reputation service
  • 21: URL filtering
  • 30: True file type
  • 33: MIME type
  • 34: File extension name
  • 40: Anti-malware
  • 41: Unscannable files
  • 45: Predictive machine learning
  • 50: Anti-botnet
  • 60: Application control
  • 70: Suspicious Object Analysis (Virtual Analyzer)
  • 90: Suspicious Object Filtering (Virtual Analyzer)
  • 100: Data loss prevention
  • 110: Ransomware
policyName | Policy name | Example: default
profileName | Profile name | Example: default
severity | WRS score threshold in effect (not to be confused with the header risk level) | One of:
  • 0: WRS is disabled
  • 50: WRS security level=Low
  • 65: WRS security level=Medium
  • 80: WRS security level=High
principalName | Principal name | Example: testuser@trendmicro.com.cn
cat | URL category | Example: Search Engines/Portals
appName | Application name | Example: Google
wrsScore | WRS score | Example: 81
malwareType | Malware type | One of:
  • 1: Virus
  • 2: Spyware
  • 3: Joke
  • 4: Trojan
  • 5: Test_Virus
  • 6: Packer
  • 7: Generic
  • 8: Other
  • 9: Botnet
malwareName | Malware name | Example: HEUR_OLEXP.B
fname | File name | Example: sample_nice_dda_heurb_1177077.ppt-1
filehash | SHA-1 hash of the file | Example: 3f21be4521b5278fb14b8f47afcabe08a17dc504
act | Action | One of:
  • allow
  • monitor
  • block
  • warn
  • override
  • analyze
httpTrans | HTTP transaction | JSON object. Example: {"http_req":{"method":"GET","scheme":"http","path":"index.html","host":"www.sina.com.cn","headers":{"header_1":"value_1", ...}},"http_response":{"status_code":"200","headers":{...}}}
macAddress | MAC address of the Windows endpoint with the Enforcement Agent installed | Example: 00-50-56-89-02-14
Note: The macAddress key cannot be applied to the on-premises gateway.
Access log output sample 1:
CEF:0|Trend Micro|Trend Micro Web Security|3.0.0.2040|100000|Access Log|0| 
wrsScore=81 macAddress=00-50-56-89-02-14 companyID=7800fcab-7611-416c-9ab4-721b7bd6b076 app=2 
upStreamSize=1064 userDepartment= scanType=0 malwareType=0 
httpTrans={"http_req":{"headers":{"host":"clients4.google.com:443",
"proxy-connection":"keep-alive","user-agent":"Chrome WIN 67.0.3396.99 
(a337fbf3c2ab8ebc6b64b0bfdce73a20e2e2252b-refs/branch-heads/3396@{#790}) channel(stable)"},
"host":"clients4.google.com","method":"CONNECT","path":"","scheme":"https"},
"http_response":{"headers":{"content-length":"0"},"status_code":200},"ver":"1.0"}  
malwareName= rt=Jul 29 2018 19:34:11 +0000 policyName=default severity=65 filehash= 
logType=1 dst=172.217.24.206 appName=Google groupName= fname= adDomain= 
gatewayName=on-premise-2040 principalName= downStreamSize=4607 profileName= 
userName=10.204.214.188 src=10.204.214.188 transportBytes=5787
domainName=clients4.google.com cat=Search Engines/Portals act=allow
Access log output sample 2:
CEF:0|Trend Micro|Trend Micro Web Security|3.0.0.2051|100000|Access Log|0| 
wrsScore=49 macAddress=00-50-56-89-02-14 companyID=7800fcab-7611-416c-9ab4-721b7bd6b076 
app=1 upStreamSize=501 userDepartment= scanType=70 malwareType=8 
httpTrans={"http_req":{"headers":{"accept-encoding":"gzip,deflate",
"host":"s3-us-west-2.amazonaws.com","user-agent":"Mozilla/5.0 
(Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/67.0.3396.99
Safari/537.36","x-forwarded-for":"10.204.214.188"},"host":"s3-us-west-2.amazonaws.com",
"method":"GET","path":"dda-demo-samples/SAMPLE_NICE_DDA_HEURB_1177077.ppt-1",
"scheme":"http"},"http_response":{"headers":{"content-length":"220160",
"content-type":"binary/octet-stream"},"status_code":200},"ver":"1.0"}
malwareName=HEUR_OLEXP.B rt=Aug 06 2018 02:24:15 +0000 policyName=default severity=0
filehash=3f21be4521b5278fb14b8f47afcabe08a17dc504 logType=1 dst=54.231.184.240 
appName=Amazon Web Services (AWS) groupName= fname=sample_nice_dda_heurb_1177077.ppt-1 
adDomain= gatewayName=on-premise-2051 principalName= downStreamSize=220529 
profileName=default userName=10.204.214.188 src=10.204.214.188 transportBytes=221030
domainName=s3-us-west-2.amazonaws.com cat=Malware Accomplice act=analyze

CEF Audit Logs

CEF Key | Description | Value
Header (logVer) | CEF format version | CEF:0
Header (vendor) | Appliance vendor | Trend Micro
Header (pname) | Appliance product name | Trend Micro Web Security
Header (pver) | Appliance version | Example: 3.4.1.5449
Header (eventid) | Signature ID | Example: 100001
Header (eventName) | Description | Audit Log
Header (severity) | Risk level | Always 0
rt | UTC timestamp | Example: Nov 04 2020 02:15:06 +0000
userName | Email address of the administrator performing the operation | Example: user@example.com
companyID | Company ID | Example: 7800fcab-7611-416c-9ab4-721b7bd6b076
logType | Log type | 3: Audit Log
act | Administrative operation | Example: Administrator Log On
httpTrans | Detailed operation information | JSON object; see the output samples below
Note: CEF keys not listed in this table are not available for audit logs. If they are configured in the CEF Keys field, they are simply omitted from the audit log output.
Audit log output sample 1:
Nov 20 07:59:31 10.206.197.118 CEF: 0|Trend Micro|Trend Micro Web Security|
3.4.1.5478|100001|Audit Log|0|userName=admin@trendmicro.com.cn rt=Nov 20 2020 07:58:15 +0000 
companyID=d528b12f-08df-4c1f-be10-8ab6c74bf3e2 httpTrans={"userName": "test2", "role": "admin", 
"groups": [], "department": "H:5fa006fc-02e0-11eb-8042-005056897f14", "password": "******", 
"email": "test2@trendmicro.com.cn"} logType=3 act=Add Hosted User
Audit log output sample 2:
Nov 20 07:49:32 10.206.197.118 CEF: 0|Trend Micro|Trend Micro Web Security|
3.4.1.5478|100001|Audit Log|0|userName=admin@trendmicro.com.cn rt=Nov 20 2020 07:47:50 +0000 
companyID=d528b12f-08df-4c1f-be10-8ab6c74bf3e2 httpTrans={"password": "******", 
"userId": "admin@trendmicro.com.cn", "tenantId": "tm"} logType=3 act=Administrator Log On
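The following Python is an added example, not code from this page or from Trend Micro, that consumes both formats described above. It locates the CEF header after an optional syslog prefix, tolerates the "CEF: 0" spacing shown in the audit samples, splits the unescaped extension only in front of documented keys (so values such as cat=Malware Accomplice, the rt timestamp and the httpTrans JSON keep their spaces), decodes the numeric codes with the tables above, and checks the documented act-to-header-severity relationship for access logs. The two input lines are constructed by trimming the page's access-log sample 2 and audit-log sample 2; everything else (function names, the KNOWN_KEYS list as the split anchor) is this example's own assumption.

```python
import json
import re

# Extension keys from the two tables above. Values in this output are neither quoted nor
# escaped (e.g. "cat=Search Engines/Portals", the httpTrans JSON), so the extension is only
# safely split immediately in front of a documented key. Assumption of this example.
KNOWN_KEYS = (
    "rt logType companyID adDomain userName groupName userDepartment gatewayName app "
    "transportBytes dst src upStreamSize downStreamSize domainName scanType policyName "
    "profileName severity principalName cat appName wrsScore malwareType malwareName "
    "fname filehash act httpTrans macAddress"
).split()
KEY_RE = re.compile(r"(?:^|\s)(%s)=" % "|".join(sorted(KNOWN_KEYS, key=len, reverse=True)))
HEADER_FIELDS = ("vendor", "pname", "pver", "eventid", "eventName", "severity")

# Code tables copied from the page.
SCAN_TYPE = {
    0: "No rule matched", 1: "Client certificate is required", 2: "Untrusted server certificate",
    10: "Approved URLs/Blocked URLs", 13: "Client not allowed", 14: "Destination port not allowed",
    15: "Access to private address", 20: "Web Reputation service", 21: "URL filtering",
    30: "True file type", 33: "MIME type", 34: "File extension name", 40: "Anti-malware",
    41: "Unscannable files", 45: "Predictive machine learning", 50: "Anti-botnet",
    60: "Application control", 70: "Suspicious Object Analysis (Virtual Analyzer)",
    90: "Suspicious Object Filtering (Virtual Analyzer)", 100: "Data loss prevention", 110: "Ransomware",
}
MALWARE_TYPE = {1: "Virus", 2: "Spyware", 3: "Joke", 4: "Trojan", 5: "Test_Virus",
                6: "Packer", 7: "Generic", 8: "Other", 9: "Botnet"}
LOG_TYPE = {1: "Successful access log", 3: "Audit log", 5: "Failed HTTPS access log"}
# Access-log header severity is derived from act; audit logs always carry 0.
ACT_SEVERITY = {"allow": 0, "analyze": 0, "monitor": 1, "warn": 1, "override": 1, "block": 2}

# Constructed inputs: the page's access-log sample 2 and audit-log sample 2, trimmed.
ACCESS_SAMPLE = (
    "CEF:0|Trend Micro|Trend Micro Web Security|3.0.0.2051|100000|Access Log|0|"
    "wrsScore=49 app=1 userDepartment= scanType=70 malwareType=8 "
    'httpTrans={"http_req":{"headers":{"host":"s3-us-west-2.amazonaws.com"},'
    '"host":"s3-us-west-2.amazonaws.com","method":"GET",'
    '"path":"dda-demo-samples/SAMPLE_NICE_DDA_HEURB_1177077.ppt-1","scheme":"http"},'
    '"http_response":{"headers":{"content-length":"220160"},"status_code":200}} '
    "malwareName=HEUR_OLEXP.B rt=Aug 06 2018 02:24:15 +0000 policyName=default severity=0 "
    "filehash=3f21be4521b5278fb14b8f47afcabe08a17dc504 logType=1 dst=54.231.184.240 "
    "appName=Amazon Web Services (AWS) principalName= userName=10.204.214.188 "
    "src=10.204.214.188 domainName=s3-us-west-2.amazonaws.com cat=Malware Accomplice act=analyze"
)
AUDIT_SAMPLE = (
    "Nov 20 07:49:32 10.206.197.118 CEF: 0|Trend Micro|Trend Micro Web Security|"
    "3.4.1.5478|100001|Audit Log|0|userName=admin@trendmicro.com.cn rt=Nov 20 2020 07:47:50 +0000 "
    'companyID=d528b12f-08df-4c1f-be10-8ab6c74bf3e2 httpTrans={"password": "******", '
    '"userId": "admin@trendmicro.com.cn", "tenantId": "tm"} logType=3 act=Administrator Log On'
)


def _unescape(field):
    return field.replace("\\|", "|").replace("\\\\", "\\")


def parse_extension(ext):
    """Split 'k=v k=v ...' into a dict, anchoring only on documented keys so values keep their spaces."""
    hits = list(KEY_RE.finditer(ext))
    fields = {}
    for i, m in enumerate(hits):
        end = hits[i + 1].start() if i + 1 < len(hits) else len(ext)
        fields[m.group(1)] = ext[m.end():end].strip()
    return fields


def parse_cef(line):
    """Parse one line; tolerates a syslog prefix and the 'CEF: 0' spacing seen in the audit samples."""
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header in line")
    parts = re.split(r"(?<!\\)\|", line[start + 4:], maxsplit=7)  # '\|' is an escaped pipe
    if len(parts) != 8:
        raise ValueError("expected 7 header fields followed by the extension")
    rec = {"syslogPrefix": line[:start].strip(), "logVer": int(parts[0])}
    rec.update(zip(HEADER_FIELDS, (_unescape(p) for p in parts[1:7])))
    rec["extension"] = parse_extension(parts[7])
    return rec


def header_severity_matches(rec):
    """Check the documented act -> header-severity mapping on an access-log record."""
    act = rec["extension"].get("act")
    return act in ACT_SEVERITY and int(rec["severity"]) == ACT_SEVERITY[act]


def summarize(rec):
    """Turn numeric codes and the httpTrans JSON into analyst-readable fields."""
    ext = rec["extension"]
    trans = json.loads(ext["httpTrans"]) if ext.get("httpTrans") else {}
    out = {"eventName": rec["eventName"], "logType": LOG_TYPE.get(int(ext.get("logType", 0)), "unknown"),
           "when": ext.get("rt"), "user": ext.get("principalName") or ext.get("userName"),
           "action": ext.get("act")}
    if rec["eventid"] == "100000":  # Access Log
        req, resp = trans.get("http_req", {}), trans.get("http_response", {})
        out.update({
            "src": ext.get("src"), "dst": ext.get("dst"),
            "request": "%s %s://%s/%s" % (req.get("method"), req.get("scheme"), req.get("host"), req.get("path")),
            "status": resp.get("status_code"),
            "scan": SCAN_TYPE.get(int(ext.get("scanType", 0)), "unknown"),
            # Sample 1 shows malwareType=0 when nothing was detected, a value the table does not list.
            "malware": MALWARE_TYPE.get(int(ext.get("malwareType", 0)), "none"),
            "malwareName": ext.get("malwareName") or None, "sha1": ext.get("filehash") or None,
        })
    else:  # Audit Log: the operation details ride in httpTrans, with the password already masked
        out["details"] = trans
    return out


if __name__ == "__main__":
    for line in (ACCESS_SAMPLE, AUDIT_SAMPLE):
        rec = parse_cef(line)
        print(summarize(rec), "header severity ok:", header_severity_matches(rec))
```

Splitting on every `word=` token, which is what many generic CEF parsers do, would also have worked on these two samples, but it breaks as soon as a user-agent, URL path or other unescaped value happens to contain a space followed by `something=`; anchoring on the documented key list is the safer choice for this product's output. A SIEM rule that fires on act=block/analyze or on audit act values such as Administrator Log On can be layered directly on the dictionaries that `summarize` returns.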