Events in Deep Security

Deep Security records when a protection module rule or condition is triggered (a "security event") and it records when administrative or system-related events occur (a "system event", such as an administrator logging in, or agent software being upgraded.) Event data is used to populate the various reports and graphs in the Deep Security Manager.

You can find lists of events on the Events & Reports tab in the Deep Security Manager. System events and each of the protection modules' security events have separate pages.

In this article:

Where are event logs on the agent?

Location varies by the computer's operating system. On Windows, event logs are stored in this location:

C:\Program Data\Trend Micro\Deep Security Agent\Diag

On Linux, event logs are stored here:

/var/opt/ds_agent/diag

These locations only contain standard-level logs; diagnostic debug-level logs have a different location. For performance reasons, debug-level logging is not enabled by default. You should only enable debug logging if diagnosing an issue with Trend Micro technical support, and make sure to disable debug logging when you are done. For more information, see Enabling detailed logging on Deep Security Agent (DSA).

When are events sent to the Manager?

Most events that take place on a computer are sent to the Deep Security Manager during the next heartbeat operation except the following, which will be sent right away if communication settings allow relays/agents/appliances to initiate communication:

How long are events retained?

Once collected by the Deep Security Manager, events are kept for a period of time, which is specified on the Administration > System Settings > Storage page.

If you are using Deep Security as a Service, see How long are my events stored?

System events

All the Deep Security system events are listed and can be configured on the Administration > System Settings > System Events tab. You can set whether to record the individual events and whether to forward them to a SIEM system. For details for working with system events, see System events.

Security events

Each protection module generates events when rules are triggered or other configuration conditions are met. Some of this security event generation is configurable.

The firewall stateful configuration in effect on a computer can be modified to enable or disable TCP, UDP, and ICMP event logging. To edit the properties of a stateful firewall configuration, go to Policies > Common Objects > Other > Firewall Stateful Configurations. The logging options are in the TCP, UDP, and ICMP tabs of the firewall stateful configuration's Properties window. For more information about firewall events, see Firewall events.

The intrusion prevention module lets you disable event logging for individual rules. To disable event logging for a rule, open the rule's Properties window and select Disable Event Logging on the Events area of the Intrusion Prevention Properties tab.

The intrusion prevention module can record the data that causes a rule to trigger. Because it would be impractical to record all the data every time an individual rule triggers, Deep Security will only record the data for a rule the first time it is triggered within a specified period of time (default is five minutes). To configure whether Deep Security will record this data, go to Computer or Policy editorYou can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Polices page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details). > Intrusion Prevention > Advanced > Event Data. You can configure the length of the period by adjusting the Period for Log only one packet within period setting in Computer or Policy editorYou can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Polices page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details). > Settings > Advanced > Advanced Network Engine Settings. For more information about intrusion prevention events, see Intrusion prevention events.

The log inspection module can be configured to only record events if a log inspection rule is triggered which contains a condition that exceeds a specified severity level. To set the severity level at which log inspection events will begin to be recorded, go toComputer or Policy editorYou can change these settings for a policy or for a specific computer. To change the settings for a policy, go to the Polices page and double-click the policy that you want to edit (or select the policy and click Details). To change the settings for a computer, go to the Computers page and double-click the computer that you want to edit (or select the computer and click Details). > Log Inspection > Advanced Severity Clipping. For more information about log inspection events, see Log inspection events.

Performance of logging

Here are some suggestions to help maximize the performance of event collection:

  • Reduce or disable log collection for computers that are not of interest.
  • Consider reducing the logging of firewall rule activity by disabling some logging options in the firewall stateful configuration Properties window. For example, disabling the UDP logging will eliminate the "Unsolicited UDP" log entries.
  • For intrusion prevention rules, the best practice is to log only dropped packets. Logging packet modifications may result in a lot of log entries.
  • For intrusion prevention rules, only include packet data (an option in the intrusion prevention rule's Properties window) when you are interested in examining the source of attacks. Otherwise, leaving packet data inclusion on will result in much larger log sizes.