In this type of syslog content mapping, provide the CEF Keys field in the format user-defined-key-1=value-1 user-defined-key-2=value-2 … user-defined-key-n=value-n, in which:
  • user-defined-key is defined by the customer.
  • value can be a variable or a constant. A variable is written as %{variable} and supports the following:
    • Predefined or custom extension CEF keys
      Example: %{rt}, %{wrsScore}
    • HTTP header fields in requests and responses, all in lowercase, with the suffix _q for a request header and _s for a response header
      Example: %{user-agent_q} refers to the User-Agent field in a request message; %{content-length_s} refers to the Content-Length field in a response message
The CEF Keys field cannot exceed 2,048 characters.
Note
To comply with the ArcSight CEF standard, Trend Micro recommends separating key-value pairs with a space.
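The rendering rules above, written out as an added Python example (not code from the Trend Micro documentation): %{variable} expansion against a raw-log record, the _q/_s header lookups, a null (empty) value for data that is not in the raw log and for cookies, CEF escaping of "=" inside values, and the 2,048-character limit on the CEF Keys field. The record layout, the sample record and the template are constructed for illustration.

```python
import re

MAX_CEF_KEYS_LEN = 2048          # documented limit of the CEF Keys field
VARIABLE = re.compile(r"%\{([^{}]+)\}")
# Cookies are never written to the raw log, so these variables always render null
NEVER_RECORDED = {"cookie_q", "set-cookie_s"}

def escape_cef_value(value):
    # CEF extension values escape "\" as "\\" and "=" as "\=" (the samples show "q\=0.9")
    return str(value).replace("\\", "\\\\").replace("=", "\\=")

def resolve(var, record):
    """Resolve one %{var}; missing data renders empty, like "group= dep=" in the samples.

    record is a constructed stand-in for one raw-log entry:
      {"fields": {<CEF key>: value}, "request_headers": {...}, "response_headers": {...}}
    Header names in the two header dicts are lowercase, matching the variable syntax.
    """
    if var in NEVER_RECORDED:
        return ""
    if var.endswith("_q"):
        value = record.get("request_headers", {}).get(var[:-2].lower())
    elif var.endswith("_s"):
        value = record.get("response_headers", {}).get(var[:-2].lower())
    else:
        value = record.get("fields", {}).get(var)
    return "" if value is None else escape_cef_value(value)

def render_cef_keys(template, record):
    """Expand a CEF Keys template against a record, enforcing the 2,048-character limit."""
    if len(template) > MAX_CEF_KEYS_LEN:
        raise ValueError("CEF Keys field exceeds %d characters" % MAX_CEF_KEYS_LEN)
    return VARIABLE.sub(lambda m: resolve(m.group(1), record), template)

# Constructed sample record and template (not product output)
SAMPLE_RECORD = {
    "fields": {"rt": "Jul 05 2018 07:54:15 +0000", "wrsScore": 81, "act": "block"},
    "request_headers": {"user-agent": "Mozilla/5.0", "accept-language": "en-US,en;q=0.9"},
    "response_headers": {"content-length": "348"},
}
SAMPLE_TEMPLATE = ("rt=%{rt} wrs=%{wrsScore} action=%{act} ua=%{user-agent_q} "
                   "lang=%{accept-language_q} len=%{content-length_s} group=%{groupName} ck=%{cookie_q}")

def demo():
    # groupName is absent from the record and cookie is never recorded: both render empty
    return render_cef_keys(SAMPLE_TEMPLATE, SAMPLE_RECORD)
```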
The following table outlines the syslog content mapping between variables and Trend Micro Web Security log output (value).

CEF Access Logs

| Variable | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF: 0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product name | Trend Micro Web Security |
| Header (pver) | Appliance version | Example: 3.0.0.2042 |
| Header (eventid) | Signature ID | Example: 100000 |
| Header (eventName) | Description | Access Log |
| Header (severity) | Risk level | 0: act=allow/analyze; 1: act=monitor/warn/override; 2: act=block |
| rt | UTC timestamp | Example: Jul 05 2018 07:54:15 +0000 |
| logType | Log type | 1: Successful access log; 5: Failed HTTPS access log |
| companyID | Company ID | Example: 7800fcab-7611-416c-9ab4-721b7bd6b076 |
| adDomain | AD domain | Example: trendmicro.com.cn |
| userName | User name or client IP | Example: 10.204.214.188 |
| groupName | Group name | Example: testgroup1 |
| userDepartment | User department | Example: finance department |
| gatewayName | Gateway name | Example: on-premise-2051 |
| app | Protocol used | 1: HTTP; 2: HTTPS; 3: HTTP/2 |
| transportBytes | Body size of a request or response | Example: 221030 |
| dst | Destination IP address of a request | Example: 54.231.184.240 |
| src | Source IP address of a request | Example: 10.204.214.188 |
| upStreamSize | Upstream payload from Trend Micro Web Security to the server, in bytes | Example: 501 |
| downStreamSize | Downstream payload from the server to Trend Micro Web Security, in bytes | Example: 220529 |
| domainName | URL domain | Example: clients4.google.com |
| scanType | Scan type | 0: Not match any rule; 1: Client certificate is required; 2: Untrusted server certificate; 10: Approved URLs/Blocked URLs; 13: Client not allowed; 14: Destination port not allowed; 15: Access to private address; 20: Web Reputation service; 21: URL filtering; 30: True file type; 33: MIME type; 34: File extension name; 40: Anti-malware; 41: Unscannable files; 45: Predictive machine learning; 50: Anti-botnet; 60: Application control; 70: Suspicious Object Analysis (Virtual Analyzer); 90: Suspicious Object Filtering (Virtual Analyzer); 100: Data loss prevention; 110: Ransomware |
| policyName | Policy name | Example: default |
| profileName | Profile name | Example: default |
| severity | WRS score threshold | 0: WRS is disabled; 50: WRS security level=Low; 65: WRS security level=Medium; 80: WRS security level=High |
| principalName | Principal name | Example: testuser@trendmicro.com.cn |
| cat | URL category | Example: Search Engines/Portals |
| appName | Application name | Example: Google |
| wrsScore | WRS score | Example: 81 |
| malwareType | Malware type | 1: Virus; 2: Spyware; 3: Joke; 4: Trojan; 5: Test_Virus; 6: Packer; 7: Generic; 8: Other; 9: Botnet |
| malwareName | Malware name | Example: HEUR_OLEXP.B |
| fname | File name | Example: sample_nice_dda_heurb_1177077.ppt-1 |
| filehash | SHA-1 | Example: 3f21be4521b5278fb14b8f47afcabe08a17dc504 |
| act | Action | allow; monitor; block; warn; override; analyze |
| httpTrans | HTTP transaction | JSON format. Example: {"http_req":{"method":"GET","scheme":"http","path":"index.html","host":"www.sina.com.cn","headers":{"header_1":"value_1", ...}},"http_response":{"status_code":"200","headers":{...}}} |
| method | HTTP method | Example: GET, PUT, POST |
| version | HTTP version | Example: 1.1 |
| path | HTTP request path | Example: example.html |
| host | HTTP request host | Example: client2.example.com |
| status_code | HTTP response status code | Example: 200, 404, 503. Note: the value -1 indicates that the request is blocked or some unexpected situation occurs. |
| scheme | HTTP or HTTPS protocol | Example: HTTP, HTTPS |
| url | Combination of scheme, host, and path | Example: https://client2.example.com/example.html |
| <http-request-header-name>_q | HTTP request header field | Example: User-Agent: Mozilla/5.0. Note: the value of a variable configured in CEF Keys is null if there is no corresponding data in the raw log of Trend Micro Web Security. The value of the cookie variable is always null because Trend Micro Web Security does not record cookies in the raw log. |
| <http-response-header-name>_s | HTTP response header field | Example: Content-Length: 348. Note: the value of a variable configured in CEF Keys is null if there is no corresponding data in the raw log of Trend Micro Web Security. The value of the set-cookie variable is always null because Trend Micro Web Security does not record cookies in the raw log. |
| macAddress | MAC address of the Windows endpoint with the Enforcement Agent installed | Example: 00-50-56-89-02-14. Note: this CEF key cannot be applied to the on-premises gateway. |
Access log output sample 1:
May 23 03:09:30 10.206.197.102 CEF: 0|Trend Micro|Trend Micro Web Security|3.7.5.5642|100000|Access Log|1|rt=May 23 2022 03:00:22 +0000 
logType=1 companyId=e3cdd29e-11aa-4e20-bd4d-180dd3a6e938 adDomain=e2e-uw2-hybrid.com 
user=admin group= dep= device=roaming user application=2 traffic=466 dst=172.217.14.202 src=3.94.52.82 inbound=335 
outbound=131 domain=optimizationguide-pa.googleapis.com scanType=0 policy=block-all profile= severity=0 
principalname=admin@e2e-uw2-hybrid.com cat=Computers/Internet appName=The Secure HyperText Transfer Protocol wrs=81 
malwareType=0 malwareName= filename= filehash= action=allow httpTrans={"http_req": {"body_len": 0, "headers": 
{"host": "optimizationguide-pa.googleapis.com:443", "proxy-connection": "keep-alive", "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)
 AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36"}, "host": "optimizationguide-pa.googleapis.com", 
"version": "1.1", "path": "", "scheme": "https", "method": "CONNECT"}, "ver": "1.1", "http_response": {"body_len": 0, "headers": 
{"true-file-type": "0", "via": "http/1.1 localhost.localdomain.test1 (TMWS)", "proxy-connection": "close"}, "version": "1.1", 
"status_code": 200}} method=CONNECT httpversion=1.1 path= host=optimizationguide-pa.googleapis.com status_code=200 scheme=https 
RequestUrl=https://optimizationguide-pa.googleapis.com:443/ macAddress=00-50-56-89-02-14
Access log output sample 2:
May 23 06:59:33 10.206.197.102 CEF: 0|Trend Micro|Trend Micro Web Security|3.7.5.5642|100000|Access Log|1|rt=May 23 2022 06:52:28 +0000 
logType=1 companyId=e3cdd29e-11aa-4e20-bd4d-180dd3a6e938 adDomain=e2e-uw2-hybrid.com user=admin 
group= dep= device=roaming user application=1 traffic=0 dst=104.193.88.77 src=3.94.52.82 inbound=0 outbound=0 domain=www.baidu.com 
scanType=60 policy=block-all profile= severity=0 principalname=admin@e2e-uw2-hybrid.com cat=Computers/Internet appName=Baidu 
wrs=81 malwareType=0 malwareName= filename= filehash= action=block httpTrans={"http_req": {"body_len": 0, "headers": 
{"accept-language": "en-US,en;q\=0.9", "accept-encoding": "gzip, deflate", "accept": 
"text/html,application/xhtml+xml,application/xml;q\=0.9,image/avif,image/webp,image/apng,*/*;q\=0.8,application/signed-exchange;v\=b3;q\=0.9", 
"upgrade-insecure-requests": "1", "host": "www.baidu.com", "user-agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) 
AppleWebKit/537.36 (KHTML, like Gecko) Chrome/101.0.4951.67 Safari/537.36", "proxy-connection": "keep-alive"}, "host": "www.baidu.com", 
"version": "1.1", "path": "/", "scheme": "http", "method": "GET"}, "ver": "1.1", "http_response": {"body_len": 0, "headers":
 {"true-file-type": "0"}, "version": "", "status_code": -1}} method=GET httpversion=1.1 path=/ host=www.baidu.com status_code=-1 scheme=http 
RequestUrl=http://www.baidu.com/ macAddress=00-50-56-89-02-14
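The two access log samples above are what a SIEM parser receives. As an added Python example (not Trend Micro's code), the parser below splits the CEF header on the pipe, carves the extension at each key= boundary so that spaces inside values ("roaming user") and the escaped \= inside httpTrans survive, and decodes httpTrans to apply the status_code -1 rule from the table. The sample line is constructed from output sample 2 (joined onto one line and shortened); the extension key names are the customer-defined ones that appear in that sample.

```python
import json
import re

# A key starts the extension or follows a space and runs directly into "=", so an
# escaped "\=" inside a value (see accept-language below) never starts a new key.
EXT_KEY = re.compile(r"(?:(?<=\s)|^)([A-Za-z_][\w.-]*)=")
HEADER_FIELDS = ("version", "vendor", "product", "pver", "eventid", "name", "severity")

def unescape_cef(value):
    # The product writes "=" inside extension values as "\=" (CEF extension escaping)
    return value.replace("\\=", "=")

def parse_cef(line):
    """Split one TMWS access-log line into syslog prefix, CEF header and extension dict."""
    prefix, sep, cef = line.partition("CEF:")
    if not sep:
        raise ValueError("not a CEF record")
    parts = cef.split("|", 7)  # seven header fields, then the whole extension
    if len(parts) != 8:
        raise ValueError("malformed CEF header")
    header = dict(zip(HEADER_FIELDS, (p.strip() for p in parts[:7])))
    ext_text, ext = parts[7], {}
    keys = list(EXT_KEY.finditer(ext_text))
    for i, m in enumerate(keys):
        end = keys[i + 1].start() if i + 1 < len(keys) else len(ext_text)
        ext[m.group(1)] = unescape_cef(ext_text[m.end():end].strip())
    return {"syslog_prefix": prefix.strip(), "header": header, "extension": ext}

def blocked_request(parsed):
    """True when the embedded httpTrans JSON carries status_code -1 (blocked or abnormal)."""
    trans = json.loads(parsed["extension"]["httpTrans"])
    return trans["http_response"]["status_code"] == -1

# Constructed sample modelled on access log output sample 2 (one line, shortened)
SAMPLE = (
    "May 23 06:59:33 10.206.197.102 CEF: 0|Trend Micro|Trend Micro Web Security|3.7.5.5642"
    "|100000|Access Log|1|rt=May 23 2022 06:52:28 +0000 logType=1 "
    "companyId=e3cdd29e-11aa-4e20-bd4d-180dd3a6e938 user=admin group= device=roaming user "
    "application=1 dst=104.193.88.77 src=3.94.52.82 domain=www.baidu.com scanType=60 "
    'policy=block-all action=block httpTrans={"http_req": {"headers": '
    '{"accept-language": "en-US,en;q\\=0.9", "host": "www.baidu.com"}, "method": "GET"}, '
    '"http_response": {"version": "", "status_code": -1}} method=GET path=/ '
    "host=www.baidu.com status_code=-1 scheme=http RequestUrl=http://www.baidu.com/ "
    "macAddress=00-50-56-89-02-14"
)
```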

CEF Audit Logs

| CEF Key | Description | Value |
|---|---|---|
| Header (logVer) | CEF format version | CEF: 0 |
| Header (vendor) | Appliance vendor | Trend Micro |
| Header (pname) | Appliance product name | Trend Micro Web Security |
| Header (pver) | Appliance version | Example: 3.4.1.5449 |
| Header (eventid) | Signature ID | Example: 100001 |
| Header (eventName) | Description | Audit Log |
| Header (severity) | Risk level | 0 |
| rt | UTC timestamp | Example: Nov 04 2020 02:15:06 +0000 |
| userName | Email address | Example: user@example.com |
| companyID | Company ID | Example: 7800fcab-7611-416c-9ab4-721b7bd6b076 |
| logType | Log type | 3: Audit Log |
| act | Administrative operation | Example: Administrator Log On |
| httpTrans | Detailed operation information | See the output samples below |

Note
The other CEF keys not listed in the table are not available for audit logs. Therefore, they will be set to null if configured in CEF Keys.
Audit log output sample 1:
Nov 2 09:57:55 ad173.onmicrosoft.com CEF: 0|Trend Micro|Trend Micro Web Security|
3.4.1.5440|100001|Audit Log|0|rt=Nov 02 2020 09:49:58 +0000 src= dest= site= score= category= 
app= url= http_user_agent= status= bytes_out= bytes_in= user=admin@trendmicro.com.cn 
companyid=d528b12f-08df-4c1f-be10-8ab6c74bf3e2 action=Save Cloud Syslog Forwarding Setting 
content={"ip": "10.206.197.117", "contentFormat": "rt=%{rt} src=%{src} dest=%{dst} site=%{domainName} 
score=%{wrsScore} category=%{cat} app=%{appName} url=%{url} http_user_agent=%{user-agent_q} 
status=%{status_code} bytes_out=%{downStreamSize} bytes_in=%{upStreamSize} user=%{userName} 
companyid=%{companyID} action=%{act} content=%{httpTrans}", "enable": 1, "port": 8514}
Audit log output sample 2:
Nov 2 09:57:55 ad173.onmicrosoft.com CEF: 0|Trend Micro|Trend Micro Web Security|
3.4.1.5440|100001|Audit Log|0|rt=Nov 02 2020 09:50:13 +0000 src= dest= site= score= category= 
app= url= http_user_agent= status= bytes_out= bytes_in= user=admin@trendmicro.com.cn 
companyid=d528b12f-08df-4c1f-be10-8ab6c74bf3e2 action=Delete Hosted User 
content="data=H:user-160144443485@trendmicro.com.cn"