How to modify default fields in Trend Micro Deep S...

emixam3 · ‎05-23-2017

Hi,
I'm receiving syslog flow from Trend Micro Deep Security.
After installing the app for Splunk, I would like to check how the fields are populate by it. I've got an issue with the field "DPI_Reason", where I can find the Trend Micro rule number.
The field in the raw data is, for example, "502", but the field in splunk is "-502". And it only populate the field with default values like 502 or 504, not with custom rules like 1001234.

Thanks

Max

aakwah · ‎05-23-2017

Hello,

Make sure that Deep Security is sending syslog messages with Common Event Format (CEF) as syslog format.

On Deep Security web interface:

Administration -> System Settings -> SIEM -> Syslog Format (Common Event Format).

Hope this helps.

Regards

idurrani · ‎10-18-2017

Hello,

Deep Security manager is sending traffic to splunk and splunk is getting the events but not showing it on UI. For example I see DSM sending messages on UDP port 10702 that are received by Splunk but I can't see them. Splunk has the Deep Security manager app configured. Please help?

How to modify default fields in Trend Micro Deep Security for Splunk?

Join the Splunk Community Slack to learn, troubleshoot, and make connections with fellow Splunk practitioners in real time!

Join Splunk User Groups to connect and learn in-person by region or remotely by topic or industry.

Observability Simplified: Combining User Experience, Application Performance & ...

Event Series May & June: From Network Visibility to Service Intelligence

Global Splunk User Group Events: May + June 2026

Join the Conversation