In the answer below it referenced a TA for Trendmicro. I could not find this on apps.splunk.com
how-do-we-import-mcafee-epo-into-splunk
Is this TA only available with the paid version of ES?
Anyone know where I can download without buying ES?
Anyone know a way to get TrendMicro Control Manager Logs into splunk?
Anyone working on a Trendmicro Dashboard or App?
Hi, TA-trendmicro is indeed delivered with Splunk Enterprise Security. To deploy it in a distributed environment, you will need to extract the add-on from the Splunk ES package and install/configure it across your indexers (cluster) and the forwarder running TMCM.
In TMCM you need to configure the alerts you are interested in to write an event in the Application Windows Event Log. TMCM events will be processed by TA-trendmicro, assigning sourcetypes, tags, extracting fields etc. so they become available to the ES Data Models.
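As an added illustration (not from this thread or from the add-on itself), this is the forwarder-side input on the TMCM host that collects only the TMCM alerts written to the Application event log and leaves sourcetype and tag assignment to TA-trendmicro as described above; the index name and the SourceName regex are assumptions that should be checked against what TMCM actually writes in Event Viewer.

```ini
# inputs.conf on the universal forwarder installed on the TMCM server.
# Added example; the index name and the SourceName pattern are assumptions.
[WinEventLog://Application]
disabled = 0
# Collect existing events on first start, then keep following the log.
start_from = oldest
current_only = 0
# Forward only events written by TMCM, not the whole Application log.
# whitelist syntax is key=%regex%; verify the real SourceName in Event Viewer.
whitelist = SourceName=%TrendMicro%
# Keep the classic text rendering so the add-on's field extractions apply.
renderXml = false
# Assumed index; the add-on's props/transforms assign the sourcetype.
index = trendmicro
```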
I got the data into Splunk, properly tagged, sourcetype and all. However, I don't find the data in ES? Did you? What more is needed?
Thanks,
JohMut
Hello Mike, did you make any progress on the above topic? I am looking for an add-on/app which will help me best with ingesting SMEX logs from Trend Micro Control Manager (Version: 6.0 (Build 1327) service pack: 3). I would really appreciate any help you can offer on this.
Thanks,
Varma
Hi Verma1729,
To my knowledge there is no released add-on/app for ingesting the Trend Micro Control Manager logs.
We had the same issues and ended up configuring DB connect to pull the logs directly from the Control Manager database then build it out from there.
The Control manager DB schema is not publicly available so you will need to contact your TAM to get your hands on it.
Link to DB Connect: https://splunkbase.splunk.com/app/2686/
Cheers,
Matt
There are two apps on Splunkbase now:
Thanks ChrisG,
I am aware of these; however, they don't seem to have functionality for the other TrendMicro products as mentioned by the OP: TrendMicro Control Manager logs, which collect all the alerts from the controlled OfficeScan endpoints as well as ScanMail if so configured. This is the TrendMicro data of interest, which should not be confused with the DeepSecurity products.
Do you know of a means for Splunk ingestion of the Control Manager events collected from OfficeScan\ScanMail clients?
Thank you.
Thank you for the details and follow up.
Thanks. I am not really familiar with Trend Micro products, so I was just highlighting the available apps as a response to the original "Anyone working on a Trendmicro Dashboard or App" question, because these weren't available at the time of the original post.
So, not a great answer to your follow-up comment/question. My apologies.
You could contact the developer of the existing app to see if there are other resources he's aware of.
TrendMicro Control Manager is a great source to monitor AV detection across all OfficeScan and ScanMail clients. Has anyone made any progress here?
Can anyone confirm if the TA for Trendmicro is exclusive to Splunk ES only? Thanks.