Collect, organize, manage, and store third-party log data in Trend Vision One log repositories using collectors connected to a deployed Service Gateway.

Third-Party Log Collection is a log management system that ingests and retains log data from your organization's third-party data sources. Ingested data gives you visibility for threat detection and correlation in Agentic SIEM, and supports compliance audits and regulatory data management. Setting a specific ingestion type and retention type for each log repository lets you organize collected log data more efficiently and access it when needed in Trend Vision One solutions.
Third-Party Log Collection manages log data using a hierarchical system consisting of:
  • Log repositories: Ingest and store third-party log data according to specified ingestion and retention types and time periods
  • Collectors: Receive log data from configured third-party data sources and forward the data to specific log repositories
  • Service Gateway virtual appliances: Install the Third-Party Log Collection service on your deployed Service Gateways to facilitate log collection from your third-party data sources
To set up a log repository to ingest and store third-party log data:
  1. If you do not already have a deployed Service Gateway that meets the minimum requirements for the Third-Party Log Collection service, deploy a Service Gateway virtual appliance. The Service Gateway must have at least 1 CPU and 128 MB of virtual memory available.
  2. If using the TLS protocol to receive third-party log data from a data source, upload a certificate to your Service Gateway so the connection can be validated.
  3. Create a log repository in Third-Party Log Collection with the desired ingestion and retention settings.
  4. Add one or more collectors to the log repository configured to receive data from your third-party data sources.
  5. Configure your third-party data source to export log data to collectors.
  6. Execute queries on ingested log data in XDR Data Explorer and monitor log repository traffic usage in Service Gateway Management.
Collectors receive and forward all valid logs from the specified third-party log data sources.
[Figure: Third-Party Log Collection diagram]
The following actions are available in Third-Party Log Collection (each action is listed with its description).
Action: View existing log repositories and collectors
Description: Log repositories are displayed along with details including:
  • Ingestion type
  • Retention period
  • Number of collectors assigned
Drill down to see details on the collectors connected to the log repository, including:
  • Collector name
  • Log source
  • Log format
  • Collector status
Action: Create a new log repository
Description: Click Create New Log Repository to name and configure a new log repository. To learn more, see Create a log repository.
Action: View log repository and collector details
Description: Click the name of a log repository to display the log repository details drawer with the following sections:
  • Basic: Displays the ingestion and retention types assigned to the log repository.
    • Ingestion types:
      • Analytic: Ingests log data for analysis, correlation, and threat hunting
        • Supports both analytic and archival retention
      • Archival: Ingests log data for infrequent queries or to meet compliance requirements
        • Only supports archival retention
    • Retention types:
      • Analytic: Allows for frequent retrieval of log data for analysis, correlation, and threat hunting. Default retention period: 30 days
      • Archival: Stores data for compliance purposes or infrequent queries
  • Collectors: Displays details about collectors forwarding log data to the log repository
    • Click Add Collector to add a new collector to the log repository.
      Important: All log data received by a collector is ingested according to the associated log repository settings. To use different ingestion or retention settings, create a new log repository.
    • Edit or remove individual collectors
    • Manage log filters applied to each collector
Action: Set up alert notifications
Description: Click Configure alert notifications to enable email or webhook notifications when one or more of the following Third-Party Log Collection issues occur:
  • Log collection has been interrupted due to abnormal Service Gateway or Third-Party Log Collection service status
  • Log collection has stopped because the Third-Party Log Collection service is out of date
  • No supported logs have been collected from a data source for an extended period
  • Collector status has changed