AlienVault® USM Anywhere™

Trend Micro Control Manager

When you configure Trend Micro Control Manager integration to send log data to USM Anywhere, you can use the Trend Micro Control Manager plugin to translate the raw log data into normalized events for analysis.

Device Details

Device vendor: Trend Micro
Device type: Antivirus
Connection type: syslog
Vendor link: See the Trend Micro Control Manager 6.0 Service Pack 3 Administrator's Guide on the vendor's website.

Trend Micro Control Manager Integration

Before you configure the integration, you must have the IP address of the USM Anywhere Sensor. You can use either the Trend Micro Control Manager console or the CLI.

Web Console

To configure Trend Micro Control Manager to send log data to USM Anywhere

  1. Log in to the Trend Micro Control Manager console.
  2. Go to Administration > Event Center > General Event Settings.
  3. Go to the Setting Syslog section and type the IP address of your USM Anywhere Sensor and port 514.
  4. Select the facility for syslog from the list.

  5. Click Save.


CLI

To configure Trend Micro Control Manager to send log data to USM Anywhere using the CLI

  1. Go to the Control Manager root folder at either C:\Program Files\Trend Micro\Control Manager or C:\Program Files (x86)\Trend Micro\Control Manager.

  2. Launch DataExportTool.exe.

  3. Configure log receiver settings:

    1. Severity — Minimum severity to forward. Default: Notice

    2. IP address — The IP address of the USM Anywhere Sensor

    3. Port — 514

    4. Facility — Syslog facility. Default: Local0.

  4. Configure log forwarding settings:

    1. Frequency — How often Syslog Forwarder should query Control Manager for logs. Default: 12 hours.

    2. Logs to forward — Log types. Default: no selection.

    3. Format — CEF or Control Manager format.

      Note: Some users have seen Trend Micro Control Manager (TMCM) formatted syslog messages arrive with incomplete fields. If the event descriptions from this plugin are not being parsed correctly, change the format to CEF.

  5. Click Start.

Plugin Enablement

The Trend Micro Control Manager plugin automatically processes all messages whose syslog tag matches the value "TMCM".

Available Plugin Fields

The following plugin fields are important attributes extracted from the syslog message. The USM Anywhere reports use these fields, and you can also reference them when creating custom reports. In addition to reporting, the USM Anywhere correlation rules make use of these fields.

  • access_control_outcome

  • destination_address

  • destination_hostname

  • event_name

  • event_outcome

  • file_name

  • file_path

  • malware_family

  • rep_device_hostname

  • rep_device_model

  • rep_device_rule_id

  • source_address

  • source_hostname

  • source_ntdomain

  • source_username

  • timestamp_occurred
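As an added example that is not part of the AlienVault or Trend Micro documentation, the following Python script shows what the plugin-enablement rule and the field list above amount to in practice: it accepts only lines whose syslog tag is TMCM, splits the CEF header from the extension, maps extension keys onto the plugin field names listed above, and reports which core fields are absent, which is the symptom the note about incomplete TMCM-format messages describes. It also decodes the syslog PRI value so you can confirm the facility and severity the forwarder was configured with (134 is Local0 at severity Notice, the defaults given earlier). The sample lines are constructed, and the CEF-key-to-plugin-field mapping, the MalwareName custom-string label and the set of core fields are assumptions for illustration, not the plugin's actual mapping.

```python
import re

# Constructed sample syslog lines (not captured from a real Control Manager).
SAMPLE_LINES = [
    # CEF-format message carrying the TMCM tag: the plugin would process this.
    '<134>Jun 12 10:15:02 tmcm01 TMCM: CEF:0|Trend Micro|Control Manager|6.0|'
    'VIRUS_ACTION|Virus detected|3|rt=Jun 12 2024 10:15:00 dhost=ws-042 '
    'dst=10.0.12.42 suser=jdoe sntdom=CORP fname=invoice.exe '
    'filePath=C:\\\\Users\\\\jdoe\\\\Downloads\\\\invoice.exe '
    'cs1Label=MalwareName cs1=Trojan.Generic act=Quarantine',
    # Different tag: the plugin ignores it.
    '<38>Jun 12 10:15:03 tmcm01 sshd: Accepted publickey for admin from 10.0.0.5',
    # TMCM tag but a truncated extension: the "incomplete fields" failure mode.
    '<134>Jun 12 10:15:04 tmcm01 TMCM: CEF:0|Trend Micro|Control Manager|6.0|'
    'VIRUS_ACTION|Virus detected|3|dhost=ws-043',
]

PLUGIN_TAG = "TMCM"

# RFC 3164-style syslog line: <PRI>timestamp host tag: message
SYSLOG_RE = re.compile(
    r'^<(?P<pri>\d{1,3})>'
    r'(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) '
    r'(?P<host>\S+) '
    r'(?P<tag>[^:\s]+): '
    r'(?P<msg>.*)$'
)

# ASSUMED mapping from CEF extension keys to the plugin fields listed above.
CEF_TO_PLUGIN = {
    "dst": "destination_address", "dhost": "destination_hostname",
    "src": "source_address", "shost": "source_hostname",
    "suser": "source_username", "sntdom": "source_ntdomain",
    "fname": "file_name", "filePath": "file_path",
    "act": "event_outcome", "outcome": "access_control_outcome",
    "rt": "timestamp_occurred",
}
CEF_HEADER = ("version", "vendor", "product", "device_version",
              "signature_id", "name", "severity")
# ASSUMED: fields a complete malware-detection event should carry.
CORE_FIELDS = ("event_name", "destination_hostname", "file_name", "malware_family")


def decode_pri(pri):
    """Split a syslog PRI into (facility, severity); 134 -> (16, 6) = local0.notice."""
    return pri // 8, pri % 8


def split_cef_header(msg):
    """Return (header dict, extension string); pipes escaped as '\\|' stay literal."""
    if not msg.startswith("CEF:"):
        return None, None
    parts = re.split(r'(?<!\\)\|', msg[len("CEF:"):], maxsplit=7)
    if len(parts) < 8:
        return None, None
    header = dict(zip(CEF_HEADER, (p.replace("\\|", "|") for p in parts[:7])))
    return header, parts[7]


def parse_cef_extension(ext):
    """Parse 'key=value key2=value2'. Values may contain spaces, so a value
    runs until the next ' key=' boundary; '\\=' and '\\\\' escapes are honoured."""
    pairs = {}
    for m in re.finditer(r'([A-Za-z0-9_.]+)=((?:\\.|[^\\])*?)(?=\s+[A-Za-z0-9_.]+=|$)', ext):
        pairs[m.group(1)] = re.sub(r'\\(.)', r'\1', m.group(2))
    return pairs


def normalize(line):
    """Return plugin fields for one line, or None when the plugin would not
    process it (tag is not TMCM, or the payload is not CEF)."""
    m = SYSLOG_RE.match(line)
    if not m or m.group("tag") != PLUGIN_TAG:
        return None
    header, ext = split_cef_header(m.group("msg"))
    if header is None:
        return None
    event = {
        "rep_device_hostname": m.group("host"),
        "rep_device_model": header["product"],
        "rep_device_rule_id": header["signature_id"],
        "event_name": header["name"],
    }
    fields = parse_cef_extension(ext)
    for key, value in fields.items():
        if key in CEF_TO_PLUGIN:
            event[CEF_TO_PLUGIN[key]] = value
    # csN custom strings are named by a matching csNLabel (label value ASSUMED).
    for key, label in fields.items():
        if key.endswith("Label") and label == "MalwareName":
            event["malware_family"] = fields.get(key[:-len("Label")])
    return event


def missing_core_fields(event):
    """List the assumed core fields an event lacks; empty means complete."""
    return [f for f in CORE_FIELDS if f not in event]


if __name__ == "__main__":
    for line in SAMPLE_LINES:
        ev = normalize(line)
        print("ignored" if ev is None else (ev, "missing:", missing_core_fields(ev)))
```

Run it against your own forwarder output by replacing SAMPLE_LINES with lines captured on the sensor; a stream of TMCM-tagged events where missing_core_fields is non-empty is the condition under which the note above recommends switching the forwarder to CEF format.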


For troubleshooting, refer to the vendor documentation: