LogLogic Trend Micro OfficeScan Log Configuration Guide




LogLogic Trend Micro OfficeScan Log Configuration Guide
Document Release: September 2011
Part Number: LL600065-00ELS090000
This manual supports LogLogic Trend Micro OfficeScan Release 1.0 and later, and LogLogic Software Release 5.1 and later until replaced by a new edition.

2011 LogLogic, Inc. Proprietary Information

Trademarks
This document contains proprietary and confidential information of LogLogic, Inc. and its licensors. In accordance with the license, this document may not be copied, disclosed, modified, transmitted, or translated except as permitted in writing by LogLogic, Inc. LogLogic and the LogLogic logo are trademarks or registered trademarks of LogLogic, Inc. in the United States and/or foreign countries. All other company or product names are trademarks or registered trademarks of their respective owners.

Notice
The information contained in this document is subject to change at any time without notice. All warranties with respect to the software and accompanying documentation are set out exclusively in the Software License Agreement or in the Product Purchase Agreement that covers the documentation.

LogLogic, Inc.
110 Rose Orchard Way, Suite 200
San Jose, CA 95134
Tel: +1 408 215 5900
Fax: +1 408 774 1752
U.S. Toll Free: 888 347 3883
www.loglogic.com

Contents

Preface
  About This Guide 5
  Technical Support 5
  Documentation Support 5
  Conventions 6

Chapter 1 Configuring LogLogic's Trend Micro OfficeScan Log Collection
  Prerequisites 7
  General Prerequisites 7
  Configuring Trend Micro OfficeScan 8
  Installing and Configuring LogLogic's Windows Event Collectors 8
  Enabling the LogLogic Appliance to Capture Log Data 8
  Adding Trend Micro OfficeScan as a New Device 8
  Configuring the LogLogic Appliance for Log Collection 10
  Verifying the Configuration 11

Chapter 2 How LogLogic Supports Trend Micro OfficeScan
  How LogLogic Captures Trend Micro OfficeScan Data 12
  LogLogic Real-Time Reports 13

Chapter 3 Troubleshooting and FAQ
  Troubleshooting 14
  Frequently Asked Questions 14

Appendix A Event Reference
  LogLogic Support for Trend Micro OfficeScan Events 15

Preface

About This Guide
The LogLogic Appliance-based solution lets you capture and manage log data from all types of log sources in your enterprise. The LogLogic support for Trend Micro OfficeScan enables LogLogic Appliances to capture logs from machines running the Trend Micro OfficeScan Server service.

Technical Support
LogLogic is committed to the success of our customers and to ensuring our products improve customers' ability to maintain secure, reliable networks. Although LogLogic products are easy to use and maintain, occasional assistance might be necessary. LogLogic provides timely and comprehensive customer support and technical assistance from highly knowledgeable, experienced engineers who can help you maximize the performance of your LogLogic Appliances.

To reach LogLogic Customer Support:
  Telephone: Toll Free 1-800-957-LOGS; Local 1-408-834-7480; EMEA or APAC: +44 (0) 207 1170075 or +44 (0) 8000 669970
  Email: support@loglogic.com

You can also visit the LogLogic Support website at: http://www.loglogic.com/services/support.

When contacting Customer Support, be prepared to provide:
  Your name, email address, phone number, and fax number
  Your company name and company address
  Your machine type and release version
  A description of the problem and the content of pertinent error messages (if any)

Documentation Support
Your feedback on LogLogic documentation is important to us. Send e-mail to DocComments@loglogic.com if you have questions or comments. Your comments will be reviewed and addressed by the LogLogic technical writing team. In your e-mail message, please indicate the software name and version you are using, as well as the title and document date of your documentation.

Conventions
LogLogic documentation uses the following conventions to highlight code and command-line elements:

  A monospace font is used for programming elements (such as code fragments, objects, methods, parameters, and HTML tags) and system elements (such as filenames, directories, paths, and URLs).

  A monospace bold font is used to distinguish system prompts or screen output from user responses, as in this example:
    username: system
    home directory: home\app

  A monospace italic font is used for placeholders, which are general names that you replace with names specific to your site, as in this example:
    LogLogic_home_directory\upgrade\

  Straight brackets signal options in command-line syntax. For example:
    ls [-AabCcdFfgiLlmnopqRrstux1] [-X attr] [path...]

Chapter 1 Configuring LogLogic's Trend Micro OfficeScan Log Collection

This chapter describes the configuration steps that enable a LogLogic Appliance to capture Trend Micro OfficeScan logs. The configuration steps assume that you have a functioning LogLogic Appliance that can be configured to capture Trend Micro OfficeScan log data.

  Prerequisites 7
  General Prerequisites 7
  Configuring Trend Micro OfficeScan 8
  Installing and Configuring LogLogic's Windows Event Collectors 8
  Enabling the LogLogic Appliance to Capture Log Data 8
  Verifying the Configuration 11

Prerequisites
Prior to configuring Trend Micro OfficeScan and the LogLogic Appliance, ensure that you meet the following prerequisites:
  Trend Micro OfficeScan Server 10 is running on Microsoft Windows 2003 Enterprise Edition R2 with proper access permissions to make configuration changes.
  Trend Micro OfficeScan client version 10 is installed.
  Lasso Enterprise is installed on the Windows machine. For more information, see the LogLogic Lasso Enterprise User Guide.
  A LogLogic Appliance running Release 5.1 or later is installed with a Log Source Package that includes Trend Micro OfficeScan support.

General Prerequisites
  A user account with administrator privileges.
  Administrative access on the LogLogic Appliance.

Apart from Lasso, the SNARE Windows log collector can be used, which provides the same functionality as Lasso.

Configuring Trend Micro OfficeScan
Trend Micro OfficeScan logs are generated in Windows Event Log format on the Windows host machine configured for OfficeScan Server.

To configure Trend Micro OfficeScan:
1. Log in to the Trend Micro OfficeScan interface.
2. Click the Notifications tab on the left hand side.
3. Expand the Administrator Notifications section.
4. Click Standard Notifications.
5. Navigate to the NT Event Log tab.
6. Check the Enable notification via NT Event Log check box.
7. Leave the Message box as default and click the Save button.

Lasso Enterprise is needed in order to send the logs generated on the machine (or other Windows machines) to the LogLogic Appliance.

Installing and Configuring LogLogic's Windows Event Collectors
Trend Micro OfficeScan logs are generated in Windows Event Log format on the Windows host machine configured for the OfficeScan Service. LogLogic's Windows event collector Lasso Enterprise is needed in order to send the logs generated on the machine (or other Windows machines) to the LogLogic Appliance.

Enabling the LogLogic Appliance to Capture Log Data
The following sections describe how to enable the LogLogic Appliance to capture Trend Micro OfficeScan log data.

Adding Trend Micro OfficeScan as a New Device
The following sections describe how to configure the LogLogic Appliance to capture Trend Micro OfficeScan logs. Logs sent via syslog will be auto-discovered by the LogLogic Appliance. Steps to enable auto-discovery are explained in Configuring the LogLogic Appliance for Log Collection, later in this chapter. With the auto-identification feature, the LogLogic Appliance captures OfficeScan log messages in syslog format using Lasso Enterprise. As the syslog messages come into the Appliance, they are automatically identified and a new device type is added to the log source device list. Default values are used for certain properties, such as the device name.

If you do not want to utilize the auto-identification feature, you can manually add Trend Micro OfficeScan as a device to the LogLogic Appliance before you redirect the logs.

To add Trend Micro OfficeScan as a new device:
1. Log in to the LogLogic Appliance.

2. From the navigation menu, select Management > Devices. The Devices tab appears.
3. Click Add New. The Add Device tab appears.
4. Type in the following information for the device:
   Name: Name for the Trend Micro OfficeScan device
   Description (optional): Description of the Trend Micro OfficeScan device
   Device Type: Select OfficeScan from the drop-down menu
   Host IP: IP address of the machine hosting the Trend Micro OfficeScan log data
   Enable: Select the Yes radio button
   Refresh Device Name through DNS Lookups (optional): Select this checkbox to enable the Name field to be automatically updated. The name is obtained using a reverse DNS lookup on the configured refresh interval. The DNS name overrides any manual name you assign.
   Figure 1 Manual Addition of OfficeScan Device on the LogLogic Appliance
5. Click Add. The Trend Micro OfficeScan device is added.
6. Verify that your new device appears in the Devices tab and that Enabled is set to Yes.

After you add the new device, the Trend Micro OfficeScan Collector will send the database logs to the appliance database framework, which will generate logs in key-value pair format.

Configuring the LogLogic Appliance for Log Collection
LogLogic captures Active Directory logs using the syslog listener. When auto-discovery is enabled on the LogLogic Appliance, the logs are automatically identified as belonging to OfficeScan and a new device is created by the LogLogic Appliance itself.

To enable Auto Discovery in the LogLogic Appliance:
1. Log into your LogLogic Appliance.
2. From the navigation tree, click Administration > System Settings. The General tab appears.
3. Select Yes for the Auto-identify Log Sources option.
   Figure 2 OfficeScan in LogLogic Appliance is Enabled
4. Click the Update button.

After enabling auto-discovery, the LogLogic Appliance will auto-discover the Trend Micro OfficeScan service device whenever logs are sent to the appliance.

Verifying the Configuration
This section describes how to verify that the configuration changes made to Trend Micro OfficeScan and the LogLogic Appliance are applied correctly.

To verify the configuration:
1. Log in to the LogLogic Appliance.
2. From the navigation menu, select Dashboards > Log Source Status. The Log Source Status tab appears.
3. Locate the IP address for each OfficeScan device.
   Figure 3 Log Source Status Tab with OfficeScan Entry Displayed

If the device name (OfficeScan) appears in the list of devices, then the configuration is correct. If the device does not appear in the Log Source Status tab, check the Trend Micro OfficeScan logs for events that should have been sent. If events were detected and are still not appearing on the LogLogic Appliance, verify the Lasso Enterprise configuration and the LogLogic Appliance configuration.

You can also verify that the LogLogic Appliance is properly capturing log data from the Trend Micro OfficeScan Service by trying to view the data in the reports. LogLogic recommends checking the reports to make sure that the data obtained is valid and matches expectations. For more information, see LogLogic Real-Time Reports on page 13. If the device name appears in the list of devices but event data for the device is not appearing within your reports, see Troubleshooting on page 14 for more information.

Chapter 2 How LogLogic Supports Trend Micro OfficeScan

This chapter describes LogLogic's support for Trend Micro OfficeScan. LogLogic enables you to capture Trend Micro OfficeScan log data to monitor Trend Micro OfficeScan events.

  How LogLogic Captures Trend Micro OfficeScan Data 12
  LogLogic Real-Time Reports 13

How LogLogic Captures Trend Micro OfficeScan Data
LogLogic's Windows Event Collector Lasso Enterprise can be used to collect Trend Micro OfficeScan logs from the Windows server where the service is installed. These logs are then automatically forwarded to the LogLogic Appliance by the collector. Hence, these syslog collectors integrate the Windows server on which Trend Micro OfficeScan is installed with the LogLogic Appliance. The events generated by the Trend Micro OfficeScan service running on the Windows server are automatically collected and parsed by these syslog collectors and then forwarded to a Syslog listener of a LogLogic Appliance. The LogLogic Appliance uses an automated mechanism to capture Trend Micro OfficeScan service log messages via syslog using the conventional UDP port 514. Log entries already collected in the last pull are automatically filtered out of the next collection to eliminate duplication.

Lasso Enterprise collectors can be configured to work in two modes:
  Agent Mode: Logs are collected and forwarded from the Windows server where the collector is installed.
  Collector Mode: Logs are collected and forwarded from Windows servers other than the server where the collector is installed. All messages are delivered from the remote machines to the host machine where the collector is installed using the Syslog-ng protocol (TCP). Syslog-ng functionality allows the original source IP address to be recorded, so that the Lasso collector can recognize it as having come from the original source host and not the host machine itself.

Regardless of the mode used, all collected logs are converted into text format by the collector and then forwarded to the LogLogic Appliance's Syslog Listener via UDP or TCP. Once the data is captured and parsed, you can generate reports. In addition, you can create alerts to notify you of issues on Trend Micro OfficeScan. For more information on creating reports and alerts, see the LogLogic User Guide and LogLogic Online Help.

LogLogic Real-Time Reports
LogLogic provides pre-configured Real-Time Reports for Trend Micro OfficeScan log data. The following Real-Time Report is available:
  Threat Report: Reports the events generated for virus detections and other AntiVirus threats.

To access LMI 4 Real-Time Reports:
1. In the left navigation pane, click Real-Time Reports.
2. Click Threat Management. The following Real-Time Report is available: Threat Report

To access LMI 5 Real-Time Reports:
1. In the top navigation pane, click Reports.
2. Click Threat Management. The following Real-Time Report is available: Threat Activity

You can create custom reports from the existing Real-Time Report templates. For more information, see the LogLogic User Guide and LogLogic Online Help.

Chapter 3 Troubleshooting and FAQ

This chapter contains troubleshooting information regarding the configuration and/or use of log collection for Trend Micro OfficeScan. It also contains Frequently Asked Questions (FAQ), providing quick answers to common questions.

  Troubleshooting 14
  Frequently Asked Questions 14

Troubleshooting

If Trend Micro OfficeScan events are not appearing on the LogLogic Appliance...
Make sure that you have properly installed and configured Lasso Enterprise. Also, in the case of Lasso Enterprise, the Event Viewer can be checked for errors and warnings logged under the Application name LogLogic Windows Event Collector. For details about all the events that can be logged for Lasso Enterprise, please refer to the Lasso Enterprise User's Guide.

If events are not displaying on the LogLogic Appliance even after configuring Trend Micro OfficeScan and Lasso Enterprise correctly...
The OfficeScan service sends the logs via UDP or TCP in Syslog format to the LogLogic Appliance. Make sure that the UDP or TCP port is enabled on the Windows server where Trend Micro OfficeScan has been installed. For more information on supported protocols and ports, see the Lasso Enterprise User's Guide for Lasso Enterprise's configuration details.

Frequently Asked Questions

How does the LogLogic appliance collect logs from Trend Micro OfficeScan?
For log collection, an open source Windows Event Collector, Project Lasso, is required in order to read the .evt files from the Windows machine, convert them into text format, and forward them via Syslog using UDP or TCP to the LogLogic Appliance. The LogLogic Appliance functions as the Syslog server. For more information, see How LogLogic Captures Trend Micro OfficeScan Data on page 12.

What access permissions are required?
To configure logging on OfficeScan, root access to the OfficeScan console is required.

How do I configure logging on Trend Micro OfficeScan?
Follow the procedures described in Chapter 1 Configuring LogLogic's Trend Micro OfficeScan Log Collection. Also make sure that you have properly installed and configured Lasso. For more information, see the Lasso Enterprise User's Guide for Lasso Enterprise's configuration details.

Appendix A Event Reference

This appendix lists the LogLogic-supported Trend Micro OfficeScan events. The Trend Micro OfficeScan event table identifies events that can be analyzed through LogLogic reports. All sample log messages were captured by LogLogic's Syslog Listener.

LogLogic Support for Trend Micro OfficeScan Events
The following list describes the contents of each of the columns in the tables below.
  Event ID: Trend Micro OfficeScan event identifier
  Agile Reports/Search: Defines if the Trend Micro OfficeScan event is available through the LogLogic Agile Report Engine or through the search capabilities. If the event is available through the Agile Report Engine, then you can use LogLogic's Real-Time Reports and Summary Reports to analyze and display the captured log data. Otherwise, all other supported events that are captured by the LogLogic Appliance can be viewed by performing a search for the log data.
  Event Type: Type of event such as Success audit, Failure audit, etc.
  Reports Appears In: LogLogic-provided reports that the event appears in
  Sample Log Message: Sample Trend Micro OfficeScan log messages in text format

Table 1 Trend Micro OfficeScan Events

 #   Event ID   Agile Reports/Search   Event Type       Reports Appears In   Sample Log Message
 1              Agile                  Virus detected   Threat Report        Virus/Malware: Eicar_test_file Result: Cleaned
 2              Agile                  Virus detected   Threat Report        Virus/Malware: Eicar_test_file Result: Deleted
 3              Agile                  Virus detected   Threat Report        Virus/Malware: Eicar_test_file Result: Quarantined
 4              Agile                  Virus detected   Threat Report        Virus/Malware: Eicar_test_file Result: Renamed
 5              Agile                  Virus detected   Threat Report        Virus/Malware: Eicar_test_file Result: Pass
 6              Agile                  Virus detected   Threat Report        Virus/Malware: Eicar_test_file Result: Virus successfully detected, cannot perform the Clean action (Passed)
 7              Agile                  Virus detected   Threat Report        Virus/Malware: Eicar_test_file Result: Virus successfully detected, cannot perform the Clean action (Deleted)
 8              Agile                  Virus detected   Threat Report        Virus/Malware: Eicar_test_file Result: Virus successfully detected, cannot perform the Clean action (Renamed)
 9              Agile                  Virus detected   Threat Report        Virus/Malware: Eicar_test_file Result: Virus successfully detected, cannot perform the Clean action (Quarantined)
10              Agile                  Virus detected   Threat Report        Virus/Malware: Eicar_test_file Result: Virus successfully detected, cannot perform the Delete action
11              Agile                  Virus detected   Threat Report        Virus/Malware: Eicar_test_file Result: Virus successfully detected, cannot perform the Quarantine action
12              Agile                  Virus detected   Threat Report        Virus/Malware: Eicar_test_file Result: Virus successfully detected, cannot perform the Rename action
13              Agile                  Virus detected   Threat Report        Virus/Malware: Eicar_test_file Result: Virus successfully detected, cannot perform the Pass action
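The collection path described in Chapter 2 (a Windows event collector converts event-log records to text syslog and forwards them with the original hostname; the appliance auto-identifies the source, registers a device with default properties, and parses each message into key-value fields) and the sample messages listed in Table 1 above, worked through as an added example. This is not LogLogic's or Trend Micro's code, and nothing in it reflects how Lasso Enterprise or the Appliance is actually implemented: the Agent and Appliance classes, the record numbers, the hostname osce-srv01, the IP 10.0.0.5, the syslog tag "OfficeScan", the fixed timestamp and the "Unhandled" outcome label are all assumptions or constructed sample data; only the message bodies are taken from Table 1. The point it adds beyond the text is the last-pull filter that prevents duplicate forwarding and the split of a "cannot perform the X action (Y)" result into the failed action and the fallback that was applied, which is what a threat report needs to separate a handled detection from one that still needs attention.

```python
"""Model of the OfficeScan -> collector -> syslog listener path (added example,
not LogLogic or Trend Micro code). All hosts, IPs and record numbers are constructed."""
import re
from collections import Counter
from datetime import datetime

# Constructed Application-log records as a Windows event collector would read them.
# Record numbers are monotonic, which lets the agent skip records already forwarded.
SAMPLE_EVENTS = [
    {"record": 101, "host": "osce-srv01", "ip": "10.0.0.5",
     "message": "Virus/Malware: Eicar_test_file Result: Cleaned"},
    {"record": 102, "host": "osce-srv01", "ip": "10.0.0.5",
     "message": "Virus/Malware: Eicar_test_file Result: Quarantined"},
    {"record": 103, "host": "osce-srv01", "ip": "10.0.0.5",
     "message": "Virus/Malware: Eicar_test_file Result: Virus successfully detected, "
                "cannot perform the Clean action (Passed)"},
    {"record": 104, "host": "osce-srv01", "ip": "10.0.0.5",
     "message": "Virus/Malware: Eicar_test_file Result: Virus successfully detected, "
                "cannot perform the Delete action"},
    {"record": 105, "host": "osce-srv01", "ip": "10.0.0.5",
     "message": "Service started."},          # unrelated Application-log noise
]

SYSLOG_PORT = 514                              # conventional UDP port named in Chapter 2
FIXED_TS = datetime(2011, 9, 1, 12, 0, 0)      # fixed so the output is reproducible


def to_syslog(event, facility=1, severity=4):
    """Render one record as an RFC 3164-style line. The original hostname goes in the
    header so the appliance attributes the event to the OfficeScan server, not the collector."""
    pri = facility * 8 + severity
    stamp = FIXED_TS.strftime("%b %d %H:%M:%S")
    return f"<{pri}>{stamp} {event['host']} OfficeScan: {event['message']}"


class Agent:
    """Collector-side model: remembers the highest record already sent, so re-reading
    the same event log forwards nothing twice (the 'since the last pull' filter)."""
    def __init__(self):
        self.last_record = 0

    def pull(self, records):
        new = [r for r in records if r["record"] > self.last_record]
        if new:
            self.last_record = max(r["record"] for r in new)
        return [(r["ip"], to_syslog(r)) for r in new]


SYSLOG_RE = re.compile(r"^<(\d+)>(\w{3} {1,2}\d{1,2} \d\d:\d\d:\d\d) (\S+) (\S+?): (.*)$")
OSCE_RE = re.compile(r"Virus/Malware: (?P<virus>\S+) Result: (?P<result>.+)$")
FAILED_RE = re.compile(r"cannot perform the (\w+) action(?: \((\w+)\))?")


class Appliance:
    """Listener-side model: auto-identifies OfficeScan sources by message shape, registers
    a device keyed by source IP with the hostname as its default name, and parses each
    event into key-value fields. With auto_identify=False a device must exist already."""
    def __init__(self, auto_identify=True):
        self.auto_identify = auto_identify
        self.devices = {}
        self.events = []

    def receive(self, src_ip, line):
        m = SYSLOG_RE.match(line)
        if not m:
            return None
        _pri, _stamp, host, _tag, msg = m.groups()
        kv = OSCE_RE.search(msg)
        if not kv:
            return None                         # not an OfficeScan threat event
        if src_ip not in self.devices:
            if not self.auto_identify:
                return None                     # unknown source and no auto-discovery
            self.devices[src_ip] = {"name": host, "type": "OfficeScan"}
        failed = FAILED_RE.search(kv["result"])
        rec = {
            "host_ip": src_ip, "host": host, "virus": kv["virus"],
            "result": kv["result"],
            "action_failed": failed.group(1) if failed else None,
            "fallback": failed.group(2) if failed else None,
        }
        self.events.append(rec)
        return rec

    def threat_report(self):
        """Count outcomes per virus name. An event whose action failed with no fallback
        is counted as 'Unhandled' so it stands out in the report."""
        counts = Counter()
        for e in self.events:
            outcome = e["fallback"] or ("Unhandled" if e["action_failed"] else e["result"])
            counts[(e["virus"], outcome)] += 1
        return counts


def run():
    """Forward the constructed records once, then pull again to show the dedup filter."""
    agent, appliance = Agent(), Appliance()
    for src_ip, line in agent.pull(SAMPLE_EVENTS):
        appliance.receive(src_ip, line)
    resent = agent.pull(SAMPLE_EVENTS)          # second pull: nothing new to send
    return appliance, resent


if __name__ == "__main__":
    app, resent = run()
    print("devices:", app.devices, "resent on second pull:", len(resent))
    for key, n in sorted(app.threat_report().items()):
        print(key, n)
```

Running it registers one OfficeScan device for 10.0.0.5 named after the hostname (the default the text mentions), drops the unrelated "Service started." record, forwards nothing on the second pull, and produces a report with one Cleaned, one Quarantined, one Passed (the fallback from the failed Clean) and one Unhandled (the failed Delete with no fallback) detection.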
