Configure Trend Micro Apex Central to send logs to Arctic Wolf

You can configure Trend Micro Apex Central® to send the necessary logs to Arctic Wolf® for security monitoring.

These resources are required:

  • An activated Arctic Wolf Sensor or Virtual Log Collector (vLC)
  • Access to Trend Micro Apex Central with administrator permissions

Configure the syslog settings

  1. Sign in to Trend Micro Apex Central with administrator permissions.
  2. In the menu bar, click Detections > Notifications > Notification Method Settings.

    The Notification Method Settings page appears.

  3. In the Syslog Settings section, configure these settings:
    • Server IP address — Enter the FQDN or IP address of your Arctic Wolf Sensor.
    • Port — Enter 514.
    • Facility — Select the required facility code.
  4. Click Save.

Enable log forwarding

  1. Sign in to Trend Micro Apex Central with administrator permissions.
  2. In the menu bar, click Administration > Settings > Syslog Settings.
    The Syslog Settings page appears.
  3. Select the Enable syslog forwarding checkbox.
  4. Configure these settings for your Arctic Wolf Sensor that receives the logs:
    • Server address — Enter the FQDN or IP address of your Arctic Wolf Sensor.
    • Port — Enter 514.
    • Protocol — Select UDP.
  5. Configure a low-interval frequency for when Trend Micro Apex Central forwards the logs, such as 1 minute.
  6. In the Format list, select CEF.

    For more information, see Supported Log Types and Formats.

  7. In the Log type section, complete these steps:
    1. Select Security logs.
    2. Select the checkboxes for the logs you want to forward.
    3. Optional: Repeat these steps for Product information logs.
  8. Click Save.

    Trend Micro Apex Central forwards logs to the configured syslog server.

Verify log forwarding

  1. Sign in to Trend Micro Apex Central with administrator permissions.
  2. In the menu bar, click Administration > Command Tracking.
  3. In the Command list, select Forward Syslog.
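
To check a forwarded message itself, for example one taken from a packet capture on the path to the sensor, you can decode its syslog facility and CEF fields. This Python sketch is an added example, not part of the original guide or of Trend Micro or Arctic Wolf tooling; `parse_cef_syslog`, the field names, and the sample message are assumptions constructed for illustration.

```python
import re

# Syslog facility names indexed by facility code (RFC 5424).
FACILITIES = ("kern user mail daemon auth syslog lpr news uucp cron authpriv ftp ntp audit "
              "alert clock local0 local1 local2 local3 local4 local5 local6 local7").split()
# CEF header fields in order; the extension follows the seventh pipe.
HEADER = ("cef_version", "device_vendor", "device_product", "device_version",
          "signature_id", "name", "severity")

def _split_header(body):
    """Split the seven pipe-delimited header fields, honouring \\| and \\\\."""
    fields, cur, i = [], "", 0
    while i < len(body) and len(fields) < len(HEADER):
        ch = body[i]
        if ch == "\\" and body[i + 1:i + 2] in ("\\", "|"):
            i += 1              # escaped pipe or backslash: keep the literal char
            cur += body[i]
        elif ch == "|":
            fields.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    return fields, body[i:]

def _unescape(value):
    """Undo extension escapes: \\= and \\\\ are literal, \\n and \\r are line breaks."""
    return re.sub(r"\\(.)", lambda e: {"n": "\n", "r": "\r"}.get(e.group(1), e.group(1)), value)

def parse_cef_syslog(line):
    """Return PRI, facility, CEF header and extension; raise ValueError if malformed."""
    pri = re.match(r"<(\d{1,3})>", line)
    if not pri or int(pri.group(1)) > 191:
        raise ValueError("missing or out-of-range syslog PRI")
    start = line.find("CEF:")
    if start < 0:
        raise ValueError("no CEF header found; check the Format setting")
    fields, ext = _split_header(line[start + 4:])
    if len(fields) != len(HEADER):
        raise ValueError("truncated CEF header")
    # A value runs until the next " key=" or the end of the line.
    pairs = re.finditer(r"(\w+)=((?:\\.|[^\\=])*?)(?=\s+\w+=|\s*$)", ext)
    code = int(pri.group(1))
    return {"pri": code, "facility": FACILITIES[code >> 3], "level": code & 7,
            "header": dict(zip(HEADER, fields)),
            "extension": {m.group(1): _unescape(m.group(2)) for m in pairs}}

# Constructed sample (not captured from Apex Central). PRI 134 = local0, level 6.
SAMPLE = ("<134>Jan 01 00:00:00 apexcentral.example CEF:0|Example Vendor|"
          "Example \\| Product|1.0|100|Sample detection|3|"
          "src=192.0.2.10 msg=Blocked a\\=b file fname=x.exe")
```

If the decoded facility differs from the one selected in the Syslog Settings section, or the header does not parse, recheck the Facility and Format settings.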

Provide configuration information to Arctic Wolf

  1. Sign in to the Arctic Wolf Unified Portal.
  2. In the navigation menu, click Tickets & Alerts > All Tickets.
  3. Perform the appropriate action, depending on whether you are:
    • A new customer — In the Ticket Type list, select Onboarding. Then, click the existing [Deploy] Site Config: <ticket_subject> ticket.
    • An existing customer — Click Open a New Ticket.
  4. On the Open a New Ticket page, configure these settings:
    • What is this ticket related to? — Select General request.
    • Subject — Enter Syslog changes.
    • Related ticket (optional) — Keep empty.
    • Message — Enter this information for your Concierge Security® Team (CST):
      • Confirmation that you completed the steps in this configuration guide.
      • The IP address or hostname of the Arctic Wolf Sensor that you used during the configuration.
      • The IP address, timezone, and device type for all sources that you are forwarding.
      • Questions or comments that you have.
  5. Click Send Message.

    Your CST reviews the details to make sure that Arctic Wolf is successfully processing the logs.