The InTrust Knowledge Pack for Trend Micro InterScan Web Security Virtual Appliance works with Syslog messages forwarded from Trend Micro InterScan Web Security virtual appliances to Linux hosts. These messages are treated as events, which InTrust can collect and monitor in real time.
For the complete list of supported events, see Audited Events.
InTrust supports gathering and real-time monitoring of Syslog messages from InterScan Web Security Virtual Appliance 6.5.
Auditing uses a Linux host as an intermediary. InTrust supports the following Linux distributions for this purpose:
InterScan Web Security auditing may work on other distributions supported by InTrust, but this was not tested.
To prepare a Linux host, you need to install an InTrust agent and adjust the configuration of the Syslog flavor used. Currently, agents must be installed manually on each Linux host you want to cover.
The Linux Knowledge Pack is installed on top of an existing InTrust installation. The following objects are included:
Command and control callback detected
Data loss prevention detected
InTrust agents must be installed manually on Linux hosts. For details, see Installing Agents Manually on Linux Computers.
InTrust takes advantage of the Syslog logging system on Linux computers. It is implemented by the Syslog daemon, which accepts messages from various sources that support logging, and either writes these messages to files or passes them on to other hosts in the network. For details about configuring the daemon, see Syslog Configuration.
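The following is an added illustration of the intermediary-host setup described above; it is not configuration from the InTrust documentation or from Quest or Trend Micro. It assumes rsyslog (version 7 or later) as the Syslog flavor on the Linux host, an appliance address of 192.0.2.10 (a placeholder from the documentation-only range), a drop-in file at /etc/rsyslog.d/10-iwsva.conf, and /var/log/iwsva.log as the file the InTrust agent will read. All of these are assumptions to adapt to your environment.

```conf
# /etc/rsyslog.d/10-iwsva.conf  (assumed path; rsyslog assumed as the Syslog flavor)
# Added example, not part of the InTrust or Trend Micro documentation.

# Accept Syslog from the appliance over UDP/514 and TCP/514.
# Enable only the transport you configured on the appliance; TCP avoids
# silent loss of events under load.
module(load="imudp")
input(type="imudp" port="514")
module(load="imtcp")
input(type="imtcp" port="514")

# Write messages that arrive from the appliance (placeholder address) to a
# dedicated file and stop further processing, so they do not also land in
# /var/log/messages. A dedicated file gives the InTrust agent one known
# path to collect from and keeps appliance events separate from local ones.
if $fromhost-ip == '192.0.2.10' then {
    action(type="omfile" file="/var/log/iwsva.log")
    stop
}
```

After placing the file, restart the daemon (for example with systemctl restart rsyslog) and confirm that new lines appear in /var/log/iwsva.log when the appliance forwards an event. Because the rule matches on the sending address, messages from any other host fall through to the default rules instead of being mixed into the appliance log; restrict the listening ports to the appliance address with the host firewall as well, since Syslog over UDP carries no sender authentication. Point the InTrust agent at the resulting file as described in the Syslog Configuration topic referenced above.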