Intrusion Defense Firewall 1.2 User's Guide - Trend Micro
Configure Syslog Integration
IDF supports SIEM integration through syslog. Syslog forwards log records over an IP network, typically as UDP datagrams to a syslog server listening on port 514. Classic UDP syslog carries no authentication, integrity protection or encryption and gives no delivery guarantee: any host that can reach port 514 on the collector can inject or spoof events, and datagrams dropped on the way are lost silently. Treat the forwarded copy as the feed for the SIEM rather than as the authoritative record, and restrict the collector's UDP port to the IDF hosts with a host firewall.
Enabling Syslog forwarding in the IDF Server Plug-in does not affect default logging. That is, enabling syslog will not "turn off" the normal logging mechanisms.
Setting up Syslog on Red Hat Enterprise
The following steps describe how to configure syslog on Red Hat Enterprise (sysklogd, as shipped through RHEL 5) to receive logs from IDF Client Plug-ins. On releases that ship rsyslog instead (RHEL 6 and later) the equivalent changes are a matching rule in /etc/rsyslog.conf and, in place of the -r option, loading the UDP input with $ModLoad imudp and $UDPServerRun 514.
1. Log in as root.
2. Execute: vi /etc/syslog.conf
3. Add the following two lines of text to the end of syslog.conf:
   #Save IDF Server Plug-in logs to IDF Server.log
   local4.*    /var/log/IDF Server.log
   The selector and the action are separated by tabs or spaces, so the action (the log path) must not itself contain whitespace: with a file name containing a space, as shown here, sysklogd will not parse the rule. Use a name without spaces and use that same name in steps 5 and 6. Facility names are conventionally written in lower case (local4).
4. Save the file and exit.
5. Create the log file: touch /var/log/IDF Server.log
6. Set the permissions on the IDF Server log so that syslog can write to it. On Red Hat, syslogd runs as root, so a root-owned file created by touch is already writable; tighten it to mode 0600 (chmod 600) so that unprivileged users cannot read the security events.
7. Execute: vi /etc/sysconfig/syslog
8. Modify the line "SYSLOGD_OPTIONS" and add a "-r" to the options. -r makes sysklogd listen on UDP port 514 and accept messages from any host, so limit the port to the IDF hosts with iptables (accept UDP 514 from their addresses, drop the rest).
9. Save the file and exit.
10. Restart syslog: /etc/init.d/syslog restart
When syslog is functioning you will see logs populated in /var/log/IDF Server.log. To check the rule before any IDF Client Plug-in sends, run logger -p local4.info "IDF syslog test" on the syslog server itself; the line should appear in the file immediately.
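The procedure above, carried out on configuration text so that it can be dry-run and checked before anything under /etc is touched. This is an added example, not code from the IDF User's Guide or from Trend Micro. It assumes a sysklogd-based Red Hat (RHEL 5 style /etc/syslog.conf and /etc/sysconfig/syslog); the log path /var/log/IDF_Server.log, the comment text and the firewall addresses are assumptions chosen for the example (a path without whitespace, which syslog.conf requires).

```python
"""Apply the sysklogd changes from the steps above to configuration text.

Added example; not from the IDF User's Guide.  Each function takes the file
contents as a string and returns the edited contents, so the result can be
checked on constructed input before apply_edit() writes it as root.
Assumed: sysklogd (RHEL 5 style files); the log path used in the demo is an
assumption chosen without whitespace, because syslog.conf splits each rule
on whitespace.
"""
import re
import shutil

_FACILITY = re.compile(r"^(?:kern|user|mail|daemon|auth|syslog|lpr|news|uucp|"
                       r"cron|authpriv|ftp|local[0-7])$")


def selector_line(facility, path):
    """Build 'facility.*<TAB>path', rejecting input syslog.conf cannot parse."""
    facility = facility.lower()            # the guide writes Local4; use the canonical form
    if not _FACILITY.match(facility):
        raise ValueError("unknown syslog facility: %s" % facility)
    if not path.startswith("/") or re.search(r"\s", path):
        raise ValueError("action must be an absolute path without whitespace: %r" % path)
    return "%s.*\t%s" % (facility, path)


def add_selector(conf, facility, path, comment="#Save IDF Server Plug-in logs"):
    """Append the rule once (idempotent): a rule with the same selector and
    action, however it was spaced, counts as already present."""
    rule = selector_line(facility, path)
    if any(line.split() == rule.split() for line in conf.splitlines()):
        return conf
    if conf and not conf.endswith("\n"):
        conf += "\n"
    return conf + comment + "\n" + rule + "\n"


def enable_remote_reception(sysconfig):
    """Add -r to SYSLOGD_OPTIONS once.  -r makes sysklogd accept datagrams on
    UDP/514 from any host, so pair it with firewall_rules()."""
    out, seen = [], False
    for line in sysconfig.splitlines():
        m = re.match(r'^(SYSLOGD_OPTIONS=)"(.*)"\s*$', line)
        if m:
            seen = True
            opts = m.group(2).split()
            if "-r" not in opts:
                opts.append("-r")
            line = '%s"%s"' % (m.group(1), " ".join(opts))
        out.append(line)
    if not seen:
        out.append('SYSLOGD_OPTIONS="-r"')
    return "\n".join(out) + "\n"


def firewall_rules(idf_hosts, port=514):
    """iptables commands limiting UDP/514 to the IDF hosts (once -r is set the
    port is otherwise open to anyone); idf_hosts are addresses or CIDRs."""
    rules = ["iptables -A INPUT -p udp --dport %d -s %s -j ACCEPT" % (port, h)
             for h in idf_hosts]
    return rules + ["iptables -A INPUT -p udp --dport %d -j DROP" % port]


def apply_edit(path, edit):
    """Rewrite `path` in place through `edit`, keeping a .bak copy (run as root).
    Returns True when the file was changed."""
    with open(path) as fh:
        before = fh.read()
    after = edit(before)
    if after != before:
        shutil.copy2(path, path + ".bak")
        with open(path, "w") as fh:
            fh.write(after)
    return after != before


if __name__ == "__main__":
    # Dry run on constructed samples.  Real use, as root:
    #   apply_edit("/etc/syslog.conf",
    #              lambda c: add_selector(c, "local4", "/var/log/IDF_Server.log"))
    #   apply_edit("/etc/sysconfig/syslog", enable_remote_reception)
    # then touch and chmod 600 the log file and restart syslog (steps 5, 6, 10).
    print(add_selector("*.info;mail.none\t/var/log/messages\n",
                       "Local4", "/var/log/IDF_Server.log"))
    print(enable_remote_reception('SYSLOGD_OPTIONS="-m 0"\nKLOGD_OPTIONS="-x"\n'))
    print("\n".join(firewall_rules(["10.0.0.0/24"])))
```

The functions are idempotent so the script can be re-run after a package update that rewrites the files; selector_line refuses the one input the guide's own text would produce (a path with a space), which is the failure that otherwise only shows up as an empty log file after the restart.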
IDF Server Plug-in Settings
You can configure the IDF Server Plug-in to instruct all managed Computers to send logs to the syslog computer, or you can configure individual Computers independently.
To configure the Server Plug-in to instruct all managed Computers to use syslog, go to the System > System Settings screen and click the Notifications tab. In the panel called "System Event Notification":
1. place a check in the "Forward System Events to a remote Computer (via Syslog)" checkbox,
2. enter the hostname or the IP address of the syslog computer,
3. enter which UDP port to use (usually 514),
4. select which syslog facility to use (Local4 from the Red Hat example above); this must match the selector in the server's syslog.conf, otherwise the events are received but routed by the server's other rules (typically into /var/log/messages) rather than into the IDF log file,
5. select the log format (Trend Micro, or Common Event Format (CEF)).
Common Event Format (CEF) is a format sponsored by ArcSight (www.arcsight.com). The specification can be found on their Web site. Choose CEF when the SIEM has a CEF parser: each event then carries a fixed header (CEF:Version|Device Vendor|Device Product|Device Version|Signature ID|Name|Severity|) followed by key=value extension fields, so the SIEM needs no product-specific parser.
You have now configured the IDF Server Plug-in to instruct all existing and new Computers to use remote syslog by default.
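What the syslog computer receives once the settings above are in place, shown as an added example that is not part of the guide or of the product: a small Python receiver that decodes the <PRI> header into facility and severity, checks the facility against the one selected in step 4, enforces a source-address allowlist (UDP syslog itself authenticates nothing), and parses the CEF header and extension when CEF was chosen as the log format. The sample event, its signature id, rule name and addresses are constructed placeholders, not real IDF output; the port and allowlist for live use are taken from the command line.

```python
"""Minimal receiver for IDF syslog events.

Added example; not from the IDF User's Guide or the product.  It decodes the
RFC 3164 <PRI> header (PRI = facility * 8 + severity), checks that the event
arrived on the facility configured in the Server Plug-in (local4 in the
guide), enforces a source-address allowlist, and parses the CEF header and
extension when the CEF log format was selected.  SAMPLE below is constructed:
signature id, rule name and addresses are placeholders.
"""
import re
import socket
import sys

FACILITIES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
              "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock"
              ] + ["local%d" % i for i in range(8)]
SEVERITIES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
CEF_HEADER = ["version", "vendor", "product", "product_version",
              "signature_id", "name", "severity"]
_EXT_KEY = re.compile(r"(?:^|\s)([A-Za-z0-9_.]+)=")
_EXT_ESC = {"\\\\": "\\", "\\=": "=", "\\n": "\n", "\\r": "\r"}


def decode_pri(datagram):
    """Return (facility, severity, rest) from '<PRI>rest'."""
    m = re.match(r"<(\d{1,3})>(.*)", datagram, re.DOTALL)
    if not m or int(m.group(1)) > 191:
        raise ValueError("missing or out-of-range <PRI> header")
    pri = int(m.group(1))
    return FACILITIES[pri >> 3], SEVERITIES[pri & 7], m.group(2)


def _split_cef_header(text):
    """Split the seven '|'-separated header fields, honouring the CEF escapes
    '\\|' and '\\\\'; the remainder (the extension) is returned raw."""
    fields, buf, i = [], [], 0
    while i < len(text) and len(fields) < 7:
        ch = text[i]
        if ch == "\\" and i + 1 < len(text):
            buf.append(text[i + 1])
            i += 2
        elif ch == "|":
            fields.append("".join(buf))
            buf = []
            i += 1
        else:
            buf.append(ch)
            i += 1
    if len(fields) < 7:
        raise ValueError("CEF header needs seven '|'-separated fields")
    return fields, text[i:]


def parse_cef(message):
    """Parse 'CEF:Version|Vendor|Product|Version|SignatureID|Name|Severity|Extension'."""
    if not message.startswith("CEF:"):
        raise ValueError("not a CEF message")
    header, ext = _split_cef_header(message[4:])
    event = dict(zip(CEF_HEADER, header))
    # Extension values may contain spaces, so locate each key= and take the
    # text up to the next key as its value; '\=' inside a value is not a key.
    keys = list(_EXT_KEY.finditer(ext))
    event["extension"] = {}
    for n, k in enumerate(keys):
        end = keys[n + 1].start() if n + 1 < len(keys) else len(ext)
        raw = ext[k.end():end].strip()
        event["extension"][k.group(1)] = re.sub(
            r"\\[\\=nr]", lambda m: _EXT_ESC[m.group(0)], raw)
    return event


def accept_event(datagram, source_ip, allowed_sources, expected_facility="local4"):
    """Receiver policy; returns (event, reason) with event None when dropped."""
    if source_ip not in allowed_sources:
        return None, "dropped: %s is not a registered IDF host" % source_ip
    try:
        facility, severity, rest = decode_pri(datagram)
    except ValueError as exc:
        return None, "dropped: %s" % exc
    if facility != expected_facility:
        return None, "dropped: facility %s, expected %s" % (facility, expected_facility)
    event = {"source": source_ip, "facility": facility, "severity": severity,
             "raw": rest, "cef": None}
    idx = rest.find("CEF:")        # follows the RFC 3164 timestamp and hostname
    if idx >= 0:
        try:
            event["cef"] = parse_cef(rest[idx:])
        except ValueError as exc:
            return None, "dropped: malformed CEF (%s)" % exc
    return event, "accepted"


# Constructed sample: PRI 166 = local4 (20) * 8 + info (6).  Values are placeholders.
SAMPLE = ("<166>Jan 12 10:00:00 idf-host CEF:0|Trend Micro|Intrusion Defense Firewall|1.2|"
          "1000|Example rule a\\|b (constructed)|5|"
          "src=10.0.0.5 dst=10.0.0.7 dpt=445 msg=x\\=y")


def serve(port, allowed_sources):
    """Listen on UDP/port and print the accept/drop decision for each datagram."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind(("0.0.0.0", port))
    while True:
        data, (ip, _) = sock.recvfrom(65535)
        event, reason = accept_event(data.decode("utf-8", "replace"), ip, allowed_sources)
        print(reason, event and event["cef"] and event["cef"]["name"])


if __name__ == "__main__":
    if len(sys.argv) > 2:           # e.g. python recv.py 514 10.0.0.5 10.0.0.6
        serve(int(sys.argv[1]), set(sys.argv[2:]))
    else:
        print(accept_event(SAMPLE, "10.0.0.5", {"10.0.0.5"}))
```

The facility check and the allowlist are the two controls the guide's own setup lacks: with only -r set, a message in the right format from any host, on any facility the server happens to route, lands in the log with the same standing as a genuine IDF event. Binding port 514 requires root, so in practice the receiver would drop privileges after bind or run on a high port behind a redirect.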
This default setting can be overridden for specific Security Profiles and on individual Computers. To override on a Computer, find the Computer you want to configure on the Computers screen and double-
© Copyright 2010 Trend Micro Inc. www.trendmicro.com
All rights reserved. - 88 -