Set up log inspection

To use log inspection, perform these basic steps:

  1. Turn on the log inspection module
  2. Run a recommendation scan
  3. Apply the recommended log inspection rules
  4. Test Log Inspection
  5. Configure log inspection event forwarding and storage

For an overview of the log inspection module, see Analyze logs with log inspection.

Turn on the log inspection module

  1. Go to Policies.
  2. Double-click the policy for which you want to enable log inspection.
  3. Click Log Inspection > General.
  4. For Log Inspection State, select On.
  5. Click Save.

Run a recommendation scan

Rules should be set to gather security events relevant to your requirements. When improperly set, events for this feature can overwhelm the Deep Security database if too many log entries are triggered and stored. Run a recommendation scan on the computer for recommendations about which rules are appropriate to apply.

  1. Go to Computers and double-click the appropriate computer.
  2. Click Log Inspection > General.
  3. For Automatically implement Log Inspection Rule Recommendations (when possible), you can decide whether Deep Security should implement the rules it finds by selecting Yes or No.
  4. In the Recommendations section, click Scan For Recommendations. Some log inspection rules written by Trend Micro require local configuration to function properly. If you assign one of these rules to your computers or one of these rules gets assigned automatically, an alert will be raised to notify you that configuration is required.

For more information about recommendation scans, see Manage and run recommendation scans.

Apply the recommended log inspection rules

Deep Security ships with many pre-defined rules covering a wide variety of operating systems and applications. When you run a recommendation scan, you can choose to have Deep Security automatically implement the recommended rules, or you can choose to manually select and assign the rules by following the steps below:

  1. Go to Policies.
  2. Double-click the policy that you want to configure.
  3. Click Log Inspection > General.
  4. In the Assigned Log Inspection Rules section, the rules in effect for the policy are displayed. To add or remove log inspection rules, click Assign/Unassign.
  5. Select or deselect the checkboxes for the rules you want to assign or unassign. You can edit the log inspection rule by right-clicking the rule and selecting Properties to edit the rule locally or Properties (Global) to apply the changes to all other policies that are using the rule. For more information, see Examine a log inspection rule.
  6. Click OK.

Although Deep Security ships with log inspection rules for many common operating systems and applications, you also have the option to create your own custom rules. To create a custom rule, you can either use the "Basic Rule" template, or you can write your new rule in XML. For information on how to create a custom rule, see Define a log inspection rule for use in policies.

Test Log Inspection

Before continuing with further Log Inspection configuration steps, test that the rules are working correctly:

  1. Ensure Log Inspection is enabled.
  2. Go to Computer or Policies editor > Log Inspection > Advanced. Change Store events at the Agent/Appliance for later retrieval by DSM when they equal or exceed the following severity level to Low (3) and click Save.
  3. Go to the General tab, and click Assign/Unassign. Search for and enable:
    • 1002792 - Default Rules Configuration – This is required for all other Log Inspection rules to work.

    If you're a Windows user, enable:

    • 1002795 - Microsoft Windows Events – This logs events every time the Windows auditing functionality registers an event.

    If you're a Linux user, enable:

    • 1002831 - Unix - Syslog - This inspects the syslog for events.
  4. Click OK, and then click Save to apply the rules to the policy.
  5. Attempt to log in to the server with an account that does not exist.
  6. Go to Events & Reports > Log Inspection Events to verify the record of the failed login attempt. If the detection is recorded, the Log Inspection module is working correctly.

Configure log inspection event forwarding and storage

When a log inspection rule is triggered, an event is logged. To view these events, go to Events & Reports > Log Inspection Events or Policy editor > Log Inspection > Log Inspection Events. For more information on working with log inspection events, see Log inspection events.

Depending on the severity of the event, you can choose to send them to a syslog server (For information on enabling this feature, see Forward Deep Security events to an external syslog or SIEM server.) or to store events in the database by using the severity clipping feature.

There are two "severity clipping" settings available:

  • Send Agent events to syslog when they equal or exceed the following severity level: This setting determines which events triggered by those rules get sent to the syslog server, if syslog is enabled.
  • Store events at the Agent for later retrieval by Deep Security Manager when they equal or exceed the following severity level: This setting determines which log inspection events are kept in the database and displayed in the Log Inspection Events page.

To configure severity clipping:

  1. Go to Policies.
  2. Double-click the policy you want to configure.
  3. Click Log Inspection > Advanced.
  4. For Send Agent/Appliance events to syslog when they equal or exceed the following severity level, choose a severity level between Low (0) and Critical (15).
  5. For Store events at the Agent/Appliance for later retrieval by DSM when they equal or exceed the following severity level, choose a severity level between Low (0) and Critical (15).
  6. Click Save.